HITRUST program seeks to boost maturity of data security practices

Register now

HITRUST has created a new program to incentivize information security teams in healthcare organizations to work on advancing their security control maturity.

Based on analysis of data that HITRUST has collected over a decade, the organization concludes that when a healthcare entity’s controls are operating at or above a HITRUST data security maturity level of 79, there is a 99 percent likelihood these controls will continue to operate going forward.

That means data security assessments that hit a level of 79 have fewer control failures and pose less risk to their customers, says HITRUST, a data protection standards development and certification organization.

HITRUST further is updating its Common Security Framework Assurance program (CFS) with guidance on what qualifies as mature information security control scores and is offering organizations that have obtained CSF control maturity an extended time period between additional security assessments, giving these organizations credit for implementing an effective continuous monitoring program.

In short, this lets other entities know that an organization with which they are considering to partner is serious about data security by following HITRUST programs and recommendations.

“HITRUST is pioneering a new approach to control maturity scoring,” says Kevin Charest, divisional vice president and chief information security officer at Healthcare Service Corp. These updates will continue to support organizations who are striving to enhance their information security programs by achieving higher levels of control maturity and making improved risk-based decisions that help enhance security frameworks and meet their stakeholders’ information risk management needs.”

The failure of security controls in high-profile data breaches highlights the importance and urgency of the problem, re-emphasizing why self-attestations, rudimentary third-party assessments and reputational risk evaluation scoring methods are limited, generally inaccurate and subjective, while not providing a way to evaluate or predict future control effectiveness, says Michael Parisi, vice president of assurance strategy and community development at HITRUST.

“We see the use of information security control maturity scores as a driver for internal discussions on risk tolerance and external discussions for requirements on third-party vendors, as well as with cyber insurance underwriters, as the basis for coverage and premiums,” he adds.

HITRUST is calling for mature organizations to participate in its new program, with information available here.

For reprint and licensing requests for this article, click here.