Achieving HITRUST certification with Concentric AI

June 13, 2023
Cyrus Tehrani
4 min read

What is HITRUST?

HITRUST, the Health Information Trust Alliance, is a comprehensive cybersecurity framework created to consolidate the guidelines of various regulatory and industry frameworks, including but not limited to HIPAA, GDPR, and PCI-DSS.

The HITRUST CSF (Common Security Framework) is unique in that it doesn’t enforce a proprietary security approach. Instead, it integrates multiple existing security frameworks into a single comprehensive document. This mapping of rules from other frameworks onto corresponding rules within the HITRUST CSF is the core of how the CSF is created and maintained.

Why is it needed?

The goal of HITRUST is to streamline the process of compliance with multiple cybersecurity regulations and standards.

It’s important to note that while implementing the HITRUST CSF is a significant step, it doesn’t automatically ensure compliance with other regulations and standards such as HIPAA, HITECH, or the NIST Cybersecurity Framework. However, since the HITRUST CSF captures the requirements of these and other bodies within its own requirements, organizations that achieve HITRUST certification have essentially completed most of the groundwork necessary for compliance with the underlying frameworks.

A significant benefit of the certification process is that it generates much of the documentation required for relevant regulations.

What are the HITRUST controls?

The HITRUST rules are organized into 19 overarching areas, known as control domains, listed here:

  • Information Protection Program
  • Endpoint Protection
  • Portable Media Security
  • Mobile Device Security
  • Wireless Security
  • Configuration Management
  • Vulnerability Management
  • Network Protection
  • Transmission Protection
  • Password Management
  • Access Control
  • Audit Logging & Monitoring
  • Education, Training & Awareness
  • Incident Management
  • Business Continuity & Disaster Recovery
  • Risk Management
  • Physical & Environmental Security
  • Data Protection & Privacy
  • Third Party Assurance

Each control domain is further divided into control objectives, which outline broad cybersecurity goals. These objectives are then broken down into controls, which specify particular tasks that information security personnel need to carry out.

The HITRUST CSF provides different requirement levels for each control, which helps address the diversity in organizational size and risk exposure.

How Concentric helps companies meet HITRUST guidelines

Information Protection Program & Data Protection & Privacy: Concentric AI provides visibility into who has access to sensitive health data and how it’s being used. It identifies all sensitive data in the cloud, including intellectual property, health data, and regulated PII/PHI data. It also tracks data lineage as it moves across your environment. Our API-based solution provides agentless connectivity to a wide variety of data repositories so security teams can govern access to health data wherever it resides: structured or unstructured data, and in the cloud or on-premises.

Endpoint Protection, Portable Media Security, Mobile Device Security, Wireless Security, Network Protection, Transmission Protection: Concentric connects to unstructured data storage, structured databases, and messaging and email applications, whether they’re cloud-based or on-premises. This means it can discover, categorize, and monitor data wherever it’s stored, thereby enhancing security across various endpoints and networks.

Configuration Management & Vulnerability Management: Concentric AI uses deep learning to compare each data element with baseline security practices used by similar data to identify risk. It can remediate these access risks as they happen, such as fixing access control issues or permissions, inaccurate entitlements, risky sharing, or unauthorized access. Essentially, our solution can reduce the odds of data loss or governance violation.

Password Management & Access Control: Concentric can automatically remediate permissions and sharing issues, thereby enhancing access control and potentially reducing the risk of unauthorized access due to weak or compromised passwords.

Audit Logging & Monitoring: Concentric AI can help respond to data access audits and data subject access requests (DSAR). It also proactively detects and remediates risk from sharing and access violations to prevent data loss and ensure compliance with various privacy regulations. Plus, Concentric can alert SOC analysts and provide actionable insights that are useful for audit logging and monitoring purposes.

Education, Training & Awareness: While Concentric does not offer security awareness functionality, using it could contribute to education, training, and awareness by providing insights into data usage patterns and risks.

Incident Management: Concentric AI can remediate security issues as they happen, which can be crucial for effective incident management.

Business Continuity & Disaster Recovery: By providing visibility into data usage and access, Concentric AI could contribute to business continuity and disaster recovery planning.

Risk Management: Concentric’s Risk Distance™ analysis identifies and remediates inappropriate sharing and other risks, thereby contributing to overall risk management. Our solution autonomously identifies PII and health data, learns how it’s used, and determines whether it’s at risk. You’ll know where your PII and health data is across unstructured or structured data repositories, email/messaging applications, cloud or on-premises – all with semantic context. Not only that, but you can also achieve this robust level of risk management without rules or regex.

Physical & Environmental Security: This domain is typically related to the physical and environmental controls of a company’s premises and data centers. While Concentric’s solution is primarily focused on data security, it could indirectly contribute to this domain by securing data that could be accessed from physical locations.

Third Party Assurance: Concentric AI can establish what data is being shared with whom, including internal users/groups or external third parties. This can be extremely useful for managing third-party risks.

Please note that the specifics of how Concentric can help manage these domains might vary depending on the specific needs and context of your organization.

Easy to deploy without using rules or regex

The best part for your organization is that Concentric AI can reduce risk and protect your sensitive data all without upfront policies, rules or regex. Deploying the solution won’t require large teams to operationalize.
