Much has been made of cyber resilience in recent years, and with good reason: failing to bounce back quickly from a security event can have dramatic financial consequences. In early 2023, Royal Mail took several days to recover from a LockBit ransomware attack, losing upwards of £10 million in the process. However, for all the talk about resilience, the industry seems to be overlooking one of its fundamental tenets: risk management.
It is, perhaps, understandable that risk management gets overlooked. Striking the right balance is difficult: risk managers tend either to be overly optimistic about their organization's risk profile or to drift into flights of fancy, dreaming up improbable hypothetical scenarios.
Yet risk management is crucial to achieving cyber resilience and must be addressed. How, then, do you walk the line between over-optimism and over-precaution? By using a solid assurance framework. HITRUST offers one such framework.
What is HITRUST?
Although HITRUST was originally the Health Information Trust Alliance, its assurance approach is neither specific nor limited to healthcare. It is an industry-agnostic approach that any organization can use to address compliance and risk management. But HITRUST is only one of many risk management frameworks, so why choose it?
HITRUST engages with an organization's risk profile in a distinctive way. Building on the Capability Maturity Model (CMM) and NIST's PRISMA review methodology, the HITRUST approach combines the following components into a single information risk management and compliance program:
- HITRUST CSF is a privacy and security controls framework that harmonizes dozens of authoritative sources, such as HIPAA, ISO 27001, and NIST SP 800-171, so that one set of implemented controls can be mapped to many regulatory and contractual obligations.
- HITRUST Assurance Program is a scalable and transparent means to provide reliable assurances to internal and external stakeholders.
- HITRUST MyCSF is a HITRUST CSF compliance operations and audit management platform used by organizations adopting the HITRUST CSF, their external assessors, and HITRUST.
- HITRUST Shared Responsibility Program is a suite of matrices and inheritance workflows clarifying service provider and customer responsibilities and enabling the sharing of assessment results between service providers and their customers.
- HITRUST Assessment XChange is a third-party risk management solution.
- HITRUST Third Party Assurance Program is a third-party risk management process.
HITRUST and Continuous Monitoring
Traditionally, compliance gap assessments have used a "point-in-time" evaluation to determine whether an organization has reached a particular benchmark of control implementation and operation, with the assessor periodically re-performing the assessment activities (e.g., annually). This method forced assessors and certification bodies to extrapolate from current-state results to the whole period between assessments, and those extrapolations were not always accurate.
HITRUST has therefore worked Information Security Continuous Monitoring (ISCM) concepts into its assurance program's methodology and offerings, which has largely made the "point-in-time" nature of traditional security assessments a thing of the past. HITRUST now employs a continuous, prospective monitoring model that gives assessed entities, HITRUST assessors, and HITRUST itself a current view of an organization's control status and supports ongoing, risk-based decisions. The result is a significantly improved security posture.
The only thing worse than discovering gaps in a security program is finding controls that have been neglected to the point that an old gap has re-opened. An ISCM approach catches such degradation as it happens rather than at the next periodic review, so controls drift less between comprehensive assessments. Other tangible benefits include:
- Longer periods between comprehensive control gap assessments.
- Reduced time and effort needed to maintain certification.
- Reduced lifecycle costs for maintaining certification.
- Higher assurance and trust with and amongst external stakeholders such as regulators, business partners, and customers.
Certification matters because it objectively verifies that a security program operates within the parameters of its intended design, which has implications beyond the comfort of a successful audit cycle. Through ISCM, the HITRUST CSF Assurance Program allows the findings in the CSF Assessment Report to be truly prospective rather than a snapshot that starts aging the day it is issued.
Many security initiatives are viewed as "cost centers" that add no value to an organization. From a monetary perspective, a HITRUST certification adds value by helping a company meet cyber insurance underwriting standards and potentially lowering its premiums, because the HITRUST standard is held in high confidence by the industry. That confidence is also recognized by entities such as the US Government Accountability Office (GAO), which is tasked with saving taxpayer money.
Achieving HITRUST Compliance
Now that we better understand what HITRUST is and why it matters, we can look at how to achieve compliance. Here is a step-by-step guide:
- Assess and define scope – Evaluate your current security measures, risk management process, and data protection practices, then determine which of your systems, processes, and personnel you will include in your compliance efforts.
- Understand the requirements – Read and understand the HITRUST CSF and the specific security requirements and controls relevant to your organization.
- Complete a readiness assessment – Use a questionnaire to capture your organization's size, risk exposure, and other relevant factors. This data determines which controls and requirements apply to you and the level at which you need to implement them.
- Develop policies and procedures – Create and document policies and procedures based on HITRUST requirements and tailored to your organization. You must define how you address risk management, control requirements, data protection, and the other critical aspects of a security program.
- Employ security controls – Ensure the security controls outlined in the HITRUST CSF are set up in your environment and integrated with your daily operations.
- Implement data protection measures – Deploy data protection measures aligned with HITRUST standards, including encryption, access controls, and secure transmission protocols.
- Validate and assess – Engage an external assessor authorized by HITRUST to validate your self-assessment results and thoroughly examine your security processes and controls. Once the validated assessment is complete, the results are submitted to HITRUST for review.
- Achieve certification – If you have met the requirements, HITRUST issues the certification; if not, HITRUST issues a letter explaining where you fall short and what you need to remediate.
- Stay informed and train your staff – Ensure staff understand HITRUST and their roles in maintaining compliance. Keep up with updates to the HITRUST framework and make changes when necessary.
- Deploy continuous monitoring – Implement a continuous monitoring mechanism for your security controls, and regularly assess and review your security posture to ensure ongoing compliance with HITRUST.
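To make the last step concrete, here is a small added example (not from HITRUST, Tripwire, or the original article) of the evaluation logic a continuous monitoring loop runs on each cycle. Every control is graded from its latest observation as pass, fail, or stale (evidence older than a maximum age is not trusted, which is the difference between continuous and point-in-time assurance), and controls that regress from pass to fail are reported as re-opened gaps. All control identifiers, settings, and observations below are constructed for illustration and are not HITRUST CSF requirement statements.

```python
"""Toy continuous-monitoring evaluation for security controls.

Added illustration: control IDs, settings and observations are invented
for this example and are not HITRUST CSF requirement identifiers.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

# Hypothetical control baseline: control id -> (setting name, expected value).
BASELINE = {
    "AC-01": ("sshd.PasswordAuthentication", "no"),
    "AC-02": ("sshd.PermitRootLogin", "no"),
    "SC-01": ("tls.min_version", "1.2"),
    "CM-01": ("sha256:/etc/audit/audit.rules",
              hashlib.sha256(b"-w /etc/passwd -p wa\n").hexdigest()),
}


@dataclass(frozen=True)
class Observation:
    control: str
    value: str
    observed_at: datetime


@dataclass(frozen=True)
class Finding:
    control: str
    status: str   # "pass", "fail", or "stale"
    detail: str


def evaluate(baseline, observations, now, max_age=timedelta(days=7)):
    """Return one Finding per baseline control.

    A control passes only if its latest observation matches the baseline
    AND is younger than max_age; an old pass is reported as "stale", so a
    result never silently outlives the evidence behind it.
    """
    latest = {}
    for obs in observations:
        if obs.control not in latest or obs.observed_at > latest[obs.control].observed_at:
            latest[obs.control] = obs
    findings = []
    for control, (setting, expected) in sorted(baseline.items()):
        obs = latest.get(control)
        if obs is None:
            findings.append(Finding(control, "stale", f"{setting}: never observed"))
        elif now - obs.observed_at > max_age:
            findings.append(Finding(control, "stale",
                                    f"{setting}: last checked {obs.observed_at.date()}"))
        elif obs.value != expected:
            findings.append(Finding(control, "fail",
                                    f"{setting}: expected {expected!r}, observed {obs.value!r}"))
        else:
            findings.append(Finding(control, "pass", f"{setting}: {obs.value!r}"))
    return findings


def reopened_gaps(previous, current):
    """Controls that passed last cycle and fail now: a regression, not a new gap."""
    prev_pass = {f.control for f in previous if f.status == "pass"}
    return sorted(f.control for f in current if f.status == "fail" and f.control in prev_pass)


NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)
DAY = timedelta(days=1)

# Constructed observations from two monitoring cycles.
CYCLE_1 = [
    Observation("AC-01", "no", NOW - 12 * DAY),
    Observation("AC-02", "no", NOW - 12 * DAY),
    Observation("SC-01", "1.2", NOW - 12 * DAY),
    Observation("CM-01", BASELINE["CM-01"][1], NOW - 12 * DAY),
]
CYCLE_2 = CYCLE_1 + [
    Observation("AC-01", "no", NOW - 1 * DAY),
    Observation("AC-02", "yes", NOW - 1 * DAY),   # drift: root login re-enabled
    Observation("CM-01", hashlib.sha256(b"").hexdigest(), NOW - 1 * DAY),  # audit rules emptied
    # SC-01 was not re-checked this cycle, so its old evidence goes stale.
]


def run_example():
    """Evaluate both cycles and return (first, second, regressions)."""
    first = evaluate(BASELINE, CYCLE_1, now=NOW - 11 * DAY)
    second = evaluate(BASELINE, CYCLE_2, now=NOW)
    return first, second, reopened_gaps(first, second)


if __name__ == "__main__":
    first, second, regressions = run_example()
    for f in second:
        print(f"{f.control} {f.status:5} {f.detail}")
    print("re-opened gaps:", regressions)
```

In a real deployment the observations would come from an agent or a configuration management tool on a schedule, and the "stale" state is the one worth alerting on: a control that is no longer being observed is indistinguishable, from an assurance standpoint, from one that has failed.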
To sum up, achieving HITRUST compliance is not a set-it-and-forget-it task. HITRUST is one of the most demanding data protection standards in the world, and compliance is no mean feat. It can offer you a competitive advantage, reduce the risk of a security incident, and significantly bolster cyber resilience, but you must work for it.