HITRUST Compliance
HITRUST通用安全框架(CSF)允许医疗保健实体证明符合许多不同的标准和法规,例如HIPAA, ISO, NIST, SOC 2, GDPR, PCI, CMS, MARS-E, and more. You can learn more about their background here: http://hitrustalliance.net/about-us/
One of a select group of HITRUST CSF assessors, 金沙乐娱app下载信息安全公司参与了将医疗保险和医疗补助服务中心(CMS)和NIST的安全标准集成到HITRUST联盟框架中的工作. In 2010, we became one of the first HITRUST CSF assessor organizations, 使金沙乐娱app下载非常有资格使用HITRUST CSF来确保您组织的信息安全可靠.
What is HITRUST?
HITRUST, in collaboration with leaders from the private sector, government, technology, and information privacy and security spaces, established the HITRUST CSF, a certifiable framework that can be used by any organization that creates, accesses, stores, or exchanges sensitive information.
Every organization can achieve the coveted HITRUST CSF Certification, but it will take a little patience, a lot of executive support, and, sometimes, a helping hand.
了解更多关于HITRUST、HITRUST CSF的信息,以及使用HITRUST评估的六大主要优势.
On-Demand Webinar Duration: 0:05:47
Speaker:
- Robyn Barton, HITRUST授权外部评估委员会股东,实践领导者 & Quality Subcommittee Member
Do your policies and procedures address the HITRUST criteria?
无论您是维护现有的HITRUST认证还是第一次寻求认证, 现在可能是审查HITRUST指南并确保您的政策和程序达到标准的好时机.
1. Policy and Procedure Applicability
策略和过程成熟度级别以及相关评分仅适用于r2评估. Keep in mind, however, that even though focus of the e1 and i1 assessments is on control implementation only, 一些需求陈述仍然需要审查政策和程序文件.
2. Policy and Procedure Incubation Period
补救或新实施的政策或程序必须到位的最少天数为60天. For organizations currently in the remediation phase, 政策和程序更新需要存在60天,以便在测试期间进行评估. Additionally, for organizations undergoing a validated assessment, policies and procedures that have been in place for 60 days can be utilized. 注意:实现、度量和管理成熟度级别的天数为90天.
3. Policy and Procedure Scoring
Policy and procedure maturity levels are scored in accordance with the HITRUST Control Maturity Scoring Rubric based on a calculation of the strength of the policy or procedure, as well as the percentage of evaluative elements being addressed by the documentation.
4. Policy and Procedure Format
HITRUST references the following definitions for policy and procedure.
| Document | Definition |
| Policy | Overall intention and direction as formally expressed by management, most often articulated in documents that record high-level principles or course of actions; the intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams. |
| Procedure | 执行符合适用标准的特定操作所需步骤的详细描述. Procedures are defined as part of processes. |
请注意,HITRUST并不要求策略语句只存在于策略文档中,或者过程只存在于过程文档中. 文档可以采用多种形式,包括标准、手册、指导方针、指令等.
Misconceptions About HITRUST
HITRUST®通过帮助解决众多安全问题,继续在市场上取得巨大的增长和成功, privacy and regulatory challenges facing organizations. As companies start their HITRUST journey we often hear common misconceptions.
1. Can you be certified to HIPAA?
Unfortunately, HIPAA安全规则的众多管理标准和实现规范, technical and physical safeguards, despite what the terms imply, 缺乏医疗保健组织实际实施所需的处方. The HITRUST CSF® is mapped to the HIPAA Security Rule, Breach Notification, 和隐私规则作为可选的监管因素,可以选择纳入r2评估. When selected, 这些将为您的组织满足规则的要求提供合理的保证. Additionally, HITRUST为HIPAA提供了MyCSF合规性和报告包,该包编译了来自r2评估的证据,并生成了一份报告,该报告将适用的HIPAA要求解析为组织的HITRUST评估. 该报告可以直接与审核员或调查员共享,以证明合规性.
2. If I am not a healthcare entity, can I still be HITRUST certified?
Absolutely! HITRUST, in collaboration with privacy, information security and risk management leaders from the public and private sectors, develops, 维护并提供对其广泛采用的风险和遵从性管理框架的广泛访问. 它现在包括46+地图权威来源,并在包括制造业在内的广泛行业中具有很强的采用率, banking, airline/entertainment, and telecommunications. Indeed, if you fall into any of these industries, 您可能听说过HITRUST是一种使用HITRUST CSF来沟通组织安全和隐私实践的方式.
3. 一个普遍的误解是,HITRUST是由于OCR HIPAA审计失败而产生的, is this true?
The OCR HIPAA audits did not begin until 2011. HITRUST was founded in 2007. 金沙乐娱app下载 has remained a steadfast supporter of the HITRUST CSF since February of 2010.
4. Can an organization certify to NIST CyberSecurity Framework?
NIST网络安全框架(CSF)是一套全球公认的标准,为组织提供了设计所需的基本要素, assess, and mature their cybersecurity program.
HITRUST认识到许多组织更喜欢NIST网络安全框架中定义的报告结构. In conjunction with a r2 validated assessment, HITRUST发布NIST CSF报告记分卡,详细说明组织对HITRUST CSF框架中包含的NIST网络安全框架相关控制的遵守情况.
5. Is the HITRUST program a true Assess Once, Report Many™ audit program?
Yes. 经验丰富的审计公司已经开发了流程,使其员工能够结合多种审计需求的标准,并通过提高效率将这些节省应用到您的组织中, decreased audit fatigue, and higher quality, consistency and reliability of results. If an audit firm dissuades you from this approach, they may not have the staff skill or tools to execute properly.
6. Is the HITRUST CSF framework designed to allow me to become ISO 27001 certified?
HITRUST CSF框架和认证流程可用于协助ISO 27001认证工作. As with any assessment, 一定要对服务提供商的技能和知识做足功课,进行任何评估或准备考试. 当需要多个报告选项时,结合安全性和/或隐私评估测试可以获得许多好处. When combining assessments, 从项目的规划阶段开始,必须考虑认证的意图和具体要求.
A great example of this is described in a recent HITRUST white paper. http://hitrustalliance.net/casestudy/leveraging-hitrust-mycsf-to-maintain-iso-27001-certification/Here are a couple of points to consider from HITRUST’s FAQ on the subject, 如果您正在寻找一家能够支持您获得多个认证的公司:
- ISO 27001认证的重点是信息安全管理体系(ISMS)。, 其中包括对信息安全风险评估和处理过程的评估. However, “organizations can design controls as required, or identify them from any source” (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, 它们并非详尽无遗,可能需要额外的控制目标和控制”(同上)., § 6.1.3.c, p. 4). 尽管ISO审核员必须出具一份“适用性声明”,其中包含必要的控制措施(见6).1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A” (Ibid., § 6.1.3.d, p. 4), it doesn’t extend beyond what’s required in Annex A. Subsequently, 组织在他们指定的控制方面有很大的自由度,以在适合他们风险偏好的水平上处理他们识别的风险. ISO认证评审员在如何评估控制的有效性方面也有一定的自由度, 除了帮助组织准备ISO认证的顾问不执行认证评估的一般要求外,没有对评估进行质量控制.
- The HITRUST CSF provides a baseline of comprehensive, prescriptive control requirements tailored to specific organizational, system and regulatory risk factors. 由这些基线需求规定的详细测试过程关注于使用特定的, 严格的评估方法和评分模型,以衡量组织中对ePHI的过度剩余风险的水平. Like ISO, the testing must be performed by an approved assessor, referred to by HITRUST as an Authorized External Assessor Organization. Quality assurance is provided by HITRUST.
More information on this subject can be found here.
Client Testimonial
HITRUST Services
HITRUST Readiness and Expertise
As a HITRUST assessor, 金沙乐娱app下载信息安全专家可以帮助确保您的组织在开始认证之旅并在任何行业中建立知名且普遍接受的安全框架时为HITRUST做好准备.
HITRUST Certification
HITRUST开发了一个保证程序,允许针对框架进行独立的HITRUST认证或验证. 这些验证或认证业务必须由组织(评估人员)执行,这些组织(评估人员)必须经过HITRUST的专门培训和审查,具有医疗保健信息安全方面的经验和专业知识.
HITRUST Interim Assessments
As required by HITRUST, 在认证的第一年之后,必须完成一项临时评估,作为后续行动. 金沙乐娱app下载信息安全公司可以根据HITRUST CSF提供评估,并利用收集到的任何证据向HITRUST提交年度审查函.
HITRUST Bridge Assessment
由于旅行限制,COVID-19大流行给开展HITRUST CSF评估的某些方面造成了困难, meetings, and access to company sites. 作为回应,HITRUST发布了要求延长认证期限的指南. 如果您正在寻找外部评估员来执行评估,金沙乐娱app下载随时准备为您提供帮助. With ten years of experience helping companies with their HITRUST needs, and the most experienced team in the industry, we aren’t going anywhere!
WEBINAR: HITRUST i1 Assessment
- What is the HITRUST i1 Implemented Verified Assessment and Certification?
- Why was this new option was created?
- Key differences between i1 vs r2.
- How to choose which option is right for you.
On-Demand Webinar Duration: 7:36
As the leader of the “10 year club” of assessors, 金沙乐娱app下载是业内服务时间最长的评估员,拥有业内最有经验的团队. Back in February 2010, 金沙乐娱app下载的领导人签名加入了这场运动,这场运动已经成为当今安全和隐私评估的黄金标准. 金沙乐娱app下载已经培养了一个由专家领导的评估团队,他们为这一成功做出了最长的贡献.
We have helped countless organizations reach their HITRUST CSF Certification goal. And, yes, we have learned many lessons along the way. 事实上,金沙乐娱app下载是评估委员会的成员,并协助教育和推广行业. We feel compelled, and are somewhat obligated, 为那些即将踏上这段旅程的人提供一些鼓励和建议. Please reach out any time with how we can assist you on your journey!
