HITRUST’s background is firmly rooted in the US healthcare space, but companies in other sectors have indicated that they are gaining a competitive edge by achieving HITRUST CSF certification. Various service-based industries, ranging from financial services to language service companies, are moving to HITRUST because its overarching framework and authoritative sources are increasingly industry agnostic. A common thread shared by these industries is the growing importance placed on both the exchange and the protection of sensitive data.
HITRUST CSF v.10, scheduled for release in 2021, will continue to be increasingly industry agnostic and provide for the needs of the travel, tourism, and financial services sectors to support its continued expansion outside of the healthcare industry.
Updating the HITRUST PRISMA Maturity Model
The HITRUST approach to evaluating controls differs from the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA). It isn’t binary, and it doesn’t focus on operational effectiveness and design. HITRUST uses a five-point maturity model, which we walk through below.
The HITRUST five-point maturity model, which PRISMA is evaluated against, is as follows:
- Policy – Are company expectations clear in written policies? Are they approved by the appropriate personnel, and have they been clearly communicated?
- Procedure – Are operational aspects of the control defined, approved, and communicated?
- Implementation – Are the controls in place and performing as expected?
- Measured – Does the organization have the visibility needed to know when a control is not working?
- Managed – Is the organization responding to risks and addressing them?
The updated PRISMA model that assessors now evaluate against has changed, giving the greatest weighting to implementation. All other aspects of the Maturity Model have little relevance unless everything is being implemented effectively.
So, what does this mean for organizations going for HITRUST CSF Certification?
The shift in the weighting of the maturity model’s various elements shows an increasing emphasis on cybersecurity. HITRUST’s message from these PRISMA weighting updates is unambiguous: having well-documented policies and procedures is not enough; effective implementation of internal controls is essential to HITRUST CSF certification.
Organizations need to focus on designing and implementing robust security procedures and policies. Though not the only basis for compliance, effective design and implementation are the best defense against real-world threats to your infrastructure.
Expansion into overseas markets is ongoing, with an exploratory push into Asian and Pacific markets. This is part of a global information protection goal for information risk management and compliance for businesses of any type, size, or location. The plan is to deliver services locally, nationally, and worldwide.
Chief Privacy Officer at HITRUST, Anne Kimbol, says, “As countries around the world continue to adopt and advance data protection laws, the challenge of doing business on a global scale grows increasingly complex. Many countries have unique regulatory requirements, creating costs and challenges for organizations to determine if they are compliant to conduct business globally.”
With this in mind, HITRUST has expanded its framework to include the General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA). Additionally, HITRUST filed a formal application with the European Union’s Data Protection Board and the Irish Data Protection Commission to have HITRUST CSF officially recognized as a standard for GDPR certification.
This will build on the HITRUST Approach and their vision of One Framework, One Assessment, Globally.
To facilitate their goal of expanding internationally, they have begun several focus projects, including:
- Establishing an Asia Advisory Council and appealing for nominations from suitably qualified applicants. Extensive experience in risk management, privacy, and security will be prerequisites, and an understanding of the security and privacy laws relevant to Asian businesses will be essential. The Asia Advisory Council will ensure the HITRUST Approach remains relevant to the needs of Asia Pacific communities. Its key role will be to work with HITRUST to ensure the HITRUST Approach sets the bar for companies in the region to achieve comprehensive, tailored privacy and security risk management solutions.
- Updating the HITRUST CSF framework with Asia-specific authoritative sources. These updates will be delivered over three phases. Phase 1 will include data privacy regulations for Hong Kong, Malaysia, and the Philippines, incorporating these countries’ Acts of Parliament into the authoritative sources. Phase 2 will address banking and financial services regulations, and Phase 3 will include cybersecurity and IT regulations.
- Supporting data localization in HITRUST CSF, enabling subscribers to specify where their data is held so that they can comply with data localization requirements.
- Applying to be an Accountability Agent under the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules System (CBPRS) and Privacy Recognition for Processors System (PRPS).
HITRUST is determined that businesses of all sizes will have access to the most comprehensive, globally relevant information protection framework and services. The HITRUST CSF and CSF Assurance Program offer a single integrated approach to information risk management that can easily be shared with customers and authorities.
As a HITRUST CSF certified organization, ISI Language Solutions is an ideal language access and localization specialist to take your brand global, and to support your firm’s journey to open up new markets around the world.