What are HITRUST Controls List & Requirements?

Meeba Gracy

Oct 14, 2024

HITRUST is widely recognized as a go-to framework by experts. It’s known to be one of the most comprehensive frameworks in structure, comprising 14 Control Categories, 19 Domains, 49 Control Objectives, 156 Control References, and 3 Implementation Levels.

With such complexity, achieving compliance with HITRUST is no small feat. In this article, we’ll explore the HITRUST controls and requirements and help you prepare for compliance across various HITRUST security rulesets simultaneously.

Let’s dive in…

What is the HITRUST Common Security Framework (CSF)?

It’s a cybersecurity framework designed to bring together the rules from various regulatory and industry frameworks like HIPAA, GDPR, PCI-DSS, and others.

Established in 2007, the HITRUST Alliance created the “HITRUST approach” to assist organizations, especially those in healthcare, in managing data, information risk, and compliance more effectively.

In short, the HITRUST CSF was made to simplify open system data sharing and boost information security. It’s a handy framework for healthcare and other industries dealing with sensitive data. All because of its comprehensive and adaptable mapping key.


What are HITRUST controls?

There are over 150 individual HITRUST controls within the HITRUST CSF. The number of controls varies based on how your company defines “control.” Essentially, HITRUST includes 14 “Control Categories,” labeled from 0.0 to 0.13. These categories are divided into “Objectives,” totaling 49. And then, the Objective breaks down to 156 “References.”

The HITRUST Framework, also known as HITRUST CSF, draws upon a wide array of more than 50 security and privacy regulations, standards, frameworks, and authoritative sources. It brings together this wealth of information into a single, unified platform. This consolidation results in creating the most thorough, consistent, and easily understandable set of controls accessible for achieving compliance.

We’ll dive deep into those requirements in the next section.

HITRUST controls list

HITRUST CSF offers a structured set of controls and requirements to address the challenges. Here is a list of those controls:

HITRUST CSF Control | Name | HITRUST Control Objective
00.a | Information Security Management Program | Implementing and managing an Information Security Management Program
01.a | Access Control Policy | Controlling access to information, information assets, and business processes according to business and security needs
01.b | User Registration | To make sure registered user accounts are tracked and periodically validated to prevent unauthorized access to information systems
01.c | Privilege Management | To guarantee that authorized user accounts are properly tracked, registered, and regularly validated to prevent unauthorized access to information systems
01.d | User Password Management | To confirm that authorized user accounts are registered, monitored, and regularly checked to stop unauthorized access to information systems
01.e | Review of User Access Rights | To guarantee that authorized user accounts are properly tracked, registered, and regularly validated to prevent unauthorized access to information systems
01.f | Password Use | To mitigate unauthorized users from accessing and compromising or stealing information and assets
01.g | Unattended User Equipment | To mitigate unauthorized access by users and the compromise or theft of information and assets
01.h | Clear Desk and Clear Screen Policy | To mitigate unauthorized access by users and the compromise or theft of information and assets
01.i | Policy on the Use of Network Services | To mitigate unauthorized access to networked services
01.j | User Authentication for External Connections | To mitigate unauthorized access to networked services
01.k | Equipment Identification in Networks | To mitigate unauthorized access to networked services
01.l | Remote Diagnostic and Configuration Port Protection | To mitigate unauthorized access to networked services
01.m | Segregation in Networks | To mitigate unauthorized access to networked services
01.n | Network Connection Control | To mitigate unauthorized access to networked services
01.o | Network Routing Control | To mitigate unauthorized access to networked services
01.p | Secure Log-on Procedures | To mitigate unauthorized access to operating systems
01.q | User Identification and Authentication | To mitigate unauthorized access to operating systems
01.r | Password Management System | To mitigate unauthorized access to operating systems
01.s | Use of System Utilities | To mitigate unauthorized access to operating systems
01.t | Session Time-out | Password management systems must be interactive and ensure the use of high-quality passwords
01.u | Information Access Restriction | To thwart unauthorized access to information stored in application systems
01.w | Sensitive System Isolation | To thwart unauthorized access to information stored in application systems
01.x | Mobile Computing and Communications | To guarantee information security when utilizing mobile computing devices and teleworking facilities
01.y | Teleworking | To guarantee information security when utilizing mobile computing devices and teleworking facilities
02.a | Roles and Responsibilities | To ensure that employees, contractors, and third-party users are appropriate for their intended roles, reducing the risk of fraud, theft, or facility misuse
02.b | Screening | To ensure that employees, contractors, and third-party users are appropriate for their intended roles, reducing the risk of fraud, theft, or facility misuse
02.c | Terms and Conditions of Employment | To ensure that employees, contractors, and third-party users sign agreements outlining their security roles and responsibilities before accessing information assets upon employment or engagement
02.d | Management Responsibilities | To ensure that employees, contractors, and third-party users are informed about information security threats and concerns, understand their responsibilities and liabilities, and are prepared to uphold organizational security policy in their regular work, thereby reducing the risk of human error
02.e | Information Security Awareness, Education, and Training | To ensure that employees, contractors, and third-party users are informed about information security threats and concerns

Now, adding and maintaining these controls manually is a herculean task. This is where you need to take the assistance of a compliance automation platform like Sprinto to automate 90% of your tasks.

Moreover, here is how the 14 control categories break down into control objectives and control specifications (the objectives add up to 49 and the specifications to 156):

Control Name | Control Objectives | Control Specifications
Information Security Management Program | 1 | 1
Access Control | 7 | 25
Human Resources Security | 4 | 9
Risk Management | 1 | 4
Security Policy | 1 | 2
Organization of Information Security | 2 | 11
Compliance | 3 | 10
Asset Management | 2 | 5
Physical and Environmental Security | 2 | 13
Communications and Operations Management | 10 | 32
Information Systems Acquisition, Development, and Maintenance | 6 | 13
Information Security Incident Management | 2 | 5
Business Continuity Management | 1 | 5
Privacy Practices | 7 | 21

For example, to help Zeto with the HITRUST framework, Sprinto created a custom HITRUST framework in their account and added all the requirements.


What are the requirements of HITRUST?

The HITRUST requirements include a broad range of controls and measures that are designed to address various aspects of your information security and regulatory compliance.

These requirements are then categorized into different domains and control categories within the HITRUST CSF.

Some of the key domains and control categories covered by HITRUST security requirements include:

  • Information Security Management
  • Access Control Security
  • Human Resources Security
  • Risk Management Policy
  • Information Security Policy
  • Information Security Organization
  • Regulatory Framework Compliance Program
  • Asset Management Security
  • Physical and Environmental Security
  • Communications and Operations Security
  • Information Systems Management
  • Security Incident Management
  • Business Continuity Management
  • Privacy Security Practices

What are the risk factors for implementing HITRUST Controls?

There are many risk factors associated with HITRUST controls as you go ahead and implement them. To give you context, risk factors serve as the parameters that shape the scope and depth of risk assessments. They are the attributes or characteristics within a context that influence the probability and potential impact of specific risks. Here are some of the risk factors you need to consider:


1. Data Sensitivity

Healthcare data often includes personal details like medical history or social security numbers. If this data gets into the wrong hands, it can lead to identity theft or fraud.

2. Access Control

Only authorized people should access sensitive data to prevent unauthorized access or leaks. For example, if a nurse accesses patient records without permission, they could accidentally share confidential information, violating privacy laws.

3. Data Transmission

Risks can arise when transferring healthcare data between systems, making it vulnerable to interception or tampering. For example, sending patient data over an unsecured network could allow hackers to intercept and modify the information before it reaches its destination.

4. Physical Security

Protect the places where healthcare data is stored, like servers or data centers, to prevent theft or damage. For example, if a data center doesn’t have proper security measures, someone could physically break in and steal servers containing sensitive patient information.

5. Employee Training

Ensure staff know how to handle data securely to reduce errors that could lead to data breaches. Let’s say your receptionist, who isn’t trained in data security, might accidentally email patient records to the wrong person. That is a huge red flag in terms of security.

6. Third-party Risks

Check that vendors or partners with access to healthcare data meet HITRUST standards so that they handle the data securely. For example, a cloud storage provider that doesn’t follow HITRUST controls could expose patient data if its systems are breached.

HITRUST with Sprinto

Implementing HITRUST’s range of controls can feel overwhelming, as it combines elements from various security control frameworks and privacy requirements. Sorting through these regulatory requirements manually can lead to confusion and errors, potentially slowing down your HITRUST CSF certification process.

That’s where Sprinto comes in. Our compliance automation solution automates compliance tasks and accelerates evidence collection, helping you achieve success with HITRUST controls implementation more efficiently than ever before.

Our platform simplifies the mapping of common security controls with other frameworks like HIPAA, saving you time and effort. Your compliance teams can stay well-prepared and ensure ongoing compliance without hassle.

Book a call with our experts to know more.

FAQs

What’s different between HITRUST CSF v11.2.0 and v11.1.0?

The difference between HITRUST CSF versions 11.2.0 and 11.1.0 lies primarily in the updates and additions made to the framework. In version 11.2.0, one of the significant enhancements is the inclusion of artificial intelligence (AI) risk management content.

How many control categories are there in HITRUST?

There are 14 control categories in the CSF, which include 49 control objectives and 156 specific controls related to security and privacy.

How many domains are there in HITRUST?

There are 19 domains in HITRUST CSF, each focusing on different parts of risk management and following rules in healthcare. These domains deal with many things, like controlling access, keeping things private, setting security rules, making places secure, and keeping mobile devices safe.

What’s the difference between HIPAA and HITRUST?

HIPAA focuses on setting the rules to protect Patient Health Information (PHI). It’s all about ensuring the security of sensitive healthcare data. On the other hand, HITRUST offers a flexible framework that helps organizations meet HIPAA standards and get certified for compliance.

Meeba Gracy
Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.