HITRUST Part 3 Certification Explained

2009-12-30 552 words 3 minutes

As a continuation of the HITRUST blog series, in this post I would like to explore the concept of certification, and what it means.

So, by now I hope you’ve followed my advice and have been browsing the framework up and down. Perhaps you generated a few reports that show you just how easy it is to identify controls for each regulatory requirements and standard. You are now a CSF Ninja and have mastered the framework engine, and now you are ready for bringing the idea of HITRUST certification to your organization. However, there is a very important concept that I must stress with regard to certification:

HITRUST certification does not mean you are compliant with ANY of the regulatory requirements or standards referenced within CSF.

Since this is somewhat counter-intuitive, please take a few minutes to absorb this information. So, what is the value of a HITRUST certification?

To answer this question, it’s important to go back and review my first blog post in this series, and understand that one of the missions of HITRUST is to be practical and realistic in its approach to security. Therefore, the current certification is based on a certain minimum standard that had been agreed upon by all participating organizations. Therefore, the certification is not to be used as a way of proving HIPAA or HITECH compliance, but rather as proof of meeting the most basic security requirements the healthcare industry has deemed as most important. To a healthcare industry outsider this may appear weak and indecisive, and perhaps there is at least some truth in that statement. However, those that deal with the daily challenge of responding to a seemingly unending stream of third-party audit checklists and audits, and those who have to manage controls for hundreds of applications and hundreds of different medical devices will view even such a humble beginning as a monumental effort.

The overall goal is for the HITRUST certification to be used as a way of showing that a particular organization is focused on security and has all the basics covered. As the industry gets better with managing security, I fully anticipate the certification threshold to go up and become even more difficult to obtain. However, while HITRUST seeks acceptance by medical practitioners and various service providers, I think it’s wise to keep the certification requirements more attainable, even if the certification does not equal regulatory compliance. After all, each organization may choose to implement more than the certification minimum and get to a level of compliance before this is required by HITRUST.

In my view, the real value of the HITRUST certification is in simplifying and streamlining conversations between healthcare providers and vendors about the security of PHI data. If a vendor has a single framework to comply with, it may choose to spend more resource on achieving that compliance, and not worry about various checklists and rule interpretations by different security consultants and auditors. Similarly, if a patient care provider can focus on adopting a single framework, and requiring that all vendors do the same, the CSF certification may be acceptable in place of any other third-party assessments.

Please, check back for the fourth and final installment of the HITRUST blog series, when I present some of the opportunities and challenges HITRUST will face in the future.