A COMPLETE APPROACH TO REGULATORY REQUIREMENTS AND COMPLIANCE

Cybersecurity Compliance involves meeting various controls (usually enacted by a regulatory authority, law, or industry group) to protect data confidentiality, integrity, and availability.

​

HITRUST CSF

A validation process is used to determine whether an organization meets the requirements for a certified security management system (SMS) in accordance with ISO27001 and PCIDSS. The validation process requires a moderate to high level of effort and rigorous testing procedures. A validation process is completed by an external CSF Assessor, and if the organization fails to receive a '3' or higher for any control, a certified assessment is issued.

 

There are three levels of assurance available for ISO27001 and PCIDSS certification. The lowest level of assurance is a self-assessment report that is issued by HITRUST. The next level of assurance is a validated assessment, which is performed by a third-party assessor firm. This option provides the highest level of assurance for an organization's security management system.

 

NIST CSF

While HIPAA is the standard in the healthcare industry for security measures, compliance with HIPAA isn't always sufficient. To enhance healthcare security, HITRUST CSF was created and adopted by organizations worldwide. HITRUST incorporates the elements of other security frameworks, such as ISO27001 and NIST CSF, while also incorporating risk analysis and risk management. This framework was created to complement HIPAA and is adopted by organizations in virtually every industry. The Control Objectives for Information and Related Technology (COBIT) were developed by the Information Systems Audit and Control Association (ISACA) in the mid-'s to address technical risk.

​

The NIST SP 800-171 controls are related to the NIST SP 800-53 controls, but they are less detailed and more general. Despite the similarity of the two frameworks, NIST SP 800-171 is not a good fit for private-sector organizations. Although the controls are generally equivalent, they are not legally required or specific to the industry. As a result, organizations that implement the entire framework will likely fall short of meeting their compliance obligations.

 

ISO 27001

HITRUST certification is an important part of a healthcare organization's information security program. It provides an integrated and prescriptive framework for cybersecurity standards, while still ensuring that systems adhere to HIPAA and other regulatory requirements. Companies can tailor their controls to their particular risk factors, and this is a critical part of achieving HITRUST certification. Companies can also tailor their implementation requirements based on the scope of their business, such as the type of data they process, and the types of services they provide.

​

To implement HITRUST, companies must implement HITRUST's HITRUST common security framework (HITRUST CSF). This standard consists of 156 specific HITRUST controls and seventy-five control objectives. The framework is divided into three levels, with Level 1 containing the least stringent requirements. Each level builds on the previous one and is governed by risk assessments. A company must measure its risk before applying a higher level of implementation.

 

PCI DSS

PCI DSS and ISO27001 are two compliance standards with similar objectives. They both apply to a number of different factors, including internal processes and security controls. The differences lie in their methods and extent. Here's a comparison of the two. Both require a QSA to be on staff at a company that is registered with the PCI SSC. While both standards have overlapping objectives, they do differ in their methods and documentation.

​

PCI DSS was created for financial services, which is why it is also referred to as Payment Card Industry Data Security Standard (PCI DSS). It aims to protect the data of all entities that handle branded credit cards. Companies handling payment card data need to have ISO 27001 and PCI DSS certifications. While both standards require different levels of protection, they complement each other. When implemented properly, they provide an efficient security framework and can be an excellent starting point for any company.