What are HITRUST Controls List & Requirements?
Meeba Gracy
Oct 14, 2024

HITRUST is widely recognized as a go-to framework by experts. It’s known to be one of the most comprehensive frameworks in structure, comprising 14 Control Categories, 19 Domains, 49 Control Objectives, 156 Control References, and 3 Implementation Levels.
With such complexity, achieving compliance with HITRUST is no small feat. In this article, we’ll explore the HITRUST controls and requirements and help you prepare for compliance across various HITRUST security rulesets simultaneously.
Let’s dive in…
What is the HITRUST Common Security Framework (CSF)?
It’s a cybersecurity framework designed to bring together the rules from various regulatory and industry frameworks like HIPAA, GDPR, PCI-DSS, and others.
Established in 2007, the HITRUST Alliance created the “HITRUST approach” to assist organizations, especially those in healthcare, in managing data, information risk, and compliance more effectively.
In short, the HITRUST CSF was made to simplify open system data sharing and boost information security. It’s a handy framework for healthcare and other industries dealing with sensitive data, thanks to its comprehensive and adaptable mapping of controls to the underlying regulations and standards.
What are HITRUST controls?
There are over 150 individual HITRUST controls within the HITRUST CSF. The exact number varies based on how your company defines “control.” Essentially, HITRUST includes 14 “Control Categories,” numbered 00 to 13. These categories are divided into 49 “Objectives,” and the Objectives in turn break down into 156 “References.”
The HITRUST Framework, also known as HITRUST CSF, draws upon a wide array of more than 50 security and privacy regulations, standards, frameworks, and authoritative sources. It brings together this wealth of information into a single, unified platform. This consolidation results in creating the most thorough, consistent, and easily understandable set of controls accessible for achieving compliance.
We’ll dive deep into those requirements in the next section.
HITRUST controls list
HITRUST CSF offers a structured set of controls and requirements to address the challenges. Here is a list of those controls:
| HITRUST CSF Controls | Name | HITRUST Control Objective |
|---|---|---|
| 00.a | Information Security Management Program | Implementing and managing an Information Security Management Program |
| 01.a | Access Control Policy | Controlling access to information, information assets, and business processes according to business and security needs |
| 01.b | User Registration | To make sure registered user accounts are tracked and periodically validated to prevent unauthorized access to information systems |
| 01.c | Privilege Management | To guarantee that authorized user accounts are properly tracked, registered, and regularly validated to prevent unauthorized access to information systems |
| 01.d | User Password Management | To confirm that authorized user accounts are registered, monitored, and regularly checked to stop unauthorized access to information systems |
| 01.e | Review of User Access Rights | To guarantee that authorized user accounts are properly tracked, registered, and regularly validated to prevent unauthorized access to information systems |
| 01.f | Password Use | To mitigate unauthorized users from accessing and compromising or stealing information and assets |
| 01.g | Unattended User Equipment | To mitigate unauthorized access by users and the compromise or theft of information and assets |
| 01.h | Clear Desk and Clear Screen Policy | To mitigate unauthorized access by users and the compromise or theft of information and assets |
| 01.i | Policy on the Use of Network Services | To mitigate unauthorized access to networked services |
| 01.j | User Authentication for External Connections | To mitigate unauthorized access to networked services |
| 01.k | Equipment Identification in Networks | To mitigate unauthorized access to networked services |
| 01.l | Remote Diagnostic and Configuration Port Protection | To mitigate unauthorized access to networked services |
| 01.m | Segregation in Networks | To mitigate unauthorized access to networked services |
| 01.n | Network Connection Control | To mitigate unauthorized access to networked services |
| 01.o | Network Routing Control | To mitigate unauthorized access to networked services |
| 01.p | Secure Log-on Procedures | To mitigate unauthorized access to operating systems |
| 01.q | User Identification and Authentication | To mitigate unauthorized access to operating systems |
| 01.r | Password Management System | To mitigate unauthorized access to operating systems |
| 01.s | Use of System Utilities | To mitigate unauthorized access to operating systems |
| 01.t | Session Time-out | Password management systems must be interactive and ensure the use of high-quality passwords |
| 01.u | Information Access Restriction | To thwart unauthorized access to information stored in application systems |
| 01.w | Sensitive System Isolation | To thwart unauthorized access to information stored in application systems |
| 01.x | Mobile Computing and Communications | To guarantee information security when utilizing mobile computing devices and teleworking facilities |
| 01.y | Teleworking | To guarantee information security when utilizing mobile computing devices and teleworking facilities |
| 02.a | Roles and Responsibilities | To ensure that employees, contractors, and third-party users are appropriate for their intended roles, reducing the risk of fraud, theft, or facility misuse |
| 02.b | Screening | To ensure that employees, contractors, and third-party users are appropriate for their intended roles, reducing the risk of fraud, theft, or facility misuse |
| 02.c | Terms and Conditions of Employment | To ensure that employees, contractors, and third-party users sign agreements outlining their security roles and responsibilities before accessing information assets upon employment or engagement |
| 02.d | Management Responsibilities | To ensure that employees, contractors, and third-party users are informed about information security threats and concerns, understand their responsibilities and liabilities, and are prepared to uphold organizational security policy in their regular work, thereby reducing the risk of human error |
| 02.e | Information Security Awareness, Education, and Training | To ensure that employees, contractors, and third-party users are informed about information security threats and concerns |
Now, adding and maintaining these controls manually is a herculean task. This is where you need to take the assistance of a compliance automation platform like Sprinto to automate 90% of your tasks.
Moreover, here is how the control objectives and control specifications are distributed across the 14 control categories:

| Control Name | Control Objectives | Control Specifications |
|---|---|---|
| Information Security Management Program | 1 | 1 |
| Access Control | 7 | 25 |
| Human Resources Security | 4 | 9 |
| Risk Management | 1 | 4 |
| Security Policy | 1 | 2 |
| Organization of Information Security | 2 | 11 |
| Compliance | 3 | 10 |
| Asset Management | 2 | 5 |
| Physical and Environmental Security | 2 | 13 |
| Communications and Operations Management | 10 | 32 |
| Information Systems Acquisition, Development, and Maintenance | 6 | 13 |
| Information Security Incident Management | 2 | 5 |
| Business Continuity Management | 1 | 5 |
| Privacy Practices | 7 | 21 |
For example, to help Zeto with the HITRUST framework, Sprinto created a custom HITRUST framework in their account and added all the requirements.
What are the requirements of HITRUST?
The HITRUST requirements include a broad range of controls and measures that are designed to address various aspects of your information security and regulatory compliance.
These requirements are then again categorized into different domains and control categories within the HITRUST CSF.
Some of the key domains and control categories covered by HITRUST security requirements include:
- Information Security Management
- Access Control Security
- Human Resources Security
- Risk Management Policy
- Information Security Policy
- Information Security Organization
- Regulatory Framework Compliance Program
- Asset Management Security
- Physical and Environmental Security
- Communications and Operations Security
- Information Systems Management
- Security Incident Management
- Business Continuity Management
- Privacy Security Practices
What are the risk factors for implementing HITRUST Controls?
There are many risk factors to weigh as you go ahead and implement HITRUST controls. To give you context, risk factors are the parameters that shape the scope and depth of risk assessments: the attributes or characteristics within a context that influence the probability and potential impact of specific risks. Here are some of the risk factors you need to consider:
1. Data Sensitivity
Healthcare data often includes personal details like medical history or social security numbers. If this data gets into the wrong hands, it can lead to identity theft or fraud.
2. Access Control
Only authorized people should access sensitive data to prevent unauthorized access or leaks. For example, if a nurse accesses patient records without permission, they could accidentally share confidential information, violating privacy laws.
3. Data Transmission
Risks can arise when transferring healthcare data between systems, making it vulnerable to interception or tampering. For example, sending patient data over an unsecured network could allow hackers to intercept and modify the information before it reaches its destination.
4. Physical Security
Places where healthcare data is stored, like servers or data centers, must be protected to prevent theft or damage. For example, if a data center doesn’t have proper security measures, someone could physically break in and steal servers containing sensitive patient information.
5. Employee Training
Ensure staff know how to handle data securely to reduce errors that could lead to data breaches. Say your receptionist, who isn’t trained in data security, accidentally emails patient records to the wrong person. That is a huge red flag in terms of security.
6. Third-party Risks
Vendors or partners with access to healthcare data must be checked against HITRUST standards to ensure they handle data securely. For example, a cloud storage provider that doesn’t follow HITRUST controls could expose patient data if its systems are breached.
HITRUST with Sprinto
Implementing HITRUST’s range of controls can feel overwhelming, as it combines elements from various security control frameworks and privacy requirements. Sorting through these regulatory requirements manually can lead to confusion and errors, potentially slowing down your HITRUST CSF certification process.
That’s where Sprinto comes in. Our compliance automation solution automates compliance tasks and accelerates evidence collection, helping you achieve success with HITRUST controls implementation more efficiently than ever before.
Our platform simplifies the mapping of common security controls with other frameworks like HIPAA, saving you time and effort. Your compliance teams can stay well-prepared and ensure ongoing compliance without hassle.
Book a call with our experts to know more.
FAQs
What’s the difference between HITRUST CSF v11.2.0 and v11.1.0?
The difference between HITRUST CSF versions 11.2.0 and 11.1.0 lies primarily in the updates and additions made to the framework. In version 11.2.0, one of the significant enhancements is the inclusion of artificial intelligence (AI) risk management content.
How many control categories are there in HITRUST?
There are 14 control categories in the CSF, which include 49 control objectives and 156 specific controls related to security and privacy.
How many domains are there in HITRUST?
There are 19 domains in HITRUST CSF, each focusing on different parts of risk management and following rules in healthcare. These domains deal with many things, like controlling access, keeping things private, setting security rules, making places secure, and keeping mobile devices safe.
What’s the difference between HIPAA and HITRUST?
HIPAA focuses on setting the rules to protect Patient Health Information (PHI). It’s all about ensuring the security of sensitive healthcare data. On the other hand, HITRUST offers a flexible framework that helps organizations meet HIPAA standards and get certified for compliance.