For years we were asked if we could provide a ‘seal of approval’ or a ‘certified by…’ graphic for our clients. We always ensured that our clients were adhering to their necessary standards, but a seal of approval, or a certification, or a one-size-fits-all framework just wasn’t available.
The approach used in the HITRUST CSF (Common Security Framework) greatly reduces the level of effort required for organizations’ assessment and reporting processes, and thus saves substantial time and money.
This is why we became an authorized HITRUST External Assessor: to help organizations reach what we see as the gold standard in security and privacy attestation.
Once we realized that HITRUST was more than just HIPAA/healthcare, we paid closer attention.
They revamped their HITRUST CSF by using the NIST Cybersecurity Framework as the baseline, and added HIPAA, GDPR, PCI, 23 NYCRR 500, and others as regulatory requirements.
This model made sense to us given the trend of increasing cybersecurity and privacy compliance across all industries and sectors.
Since we had already been working with these standards for years, we decided to make the investment – train our teammates, subject ourselves to the HITRUST assessor standards, and get approved as HITRUST External Assessors.
What really resonated with us is the HITRUST CSF’s flexibility and scalability. It can be customized to fit your organization’s type, size, compliance and regulatory requirements, and profile.
Here’s how it can really make a difference for your business:
Most companies have a patchwork of different regulations and compliance frameworks that they’re required to comply with. Some are industry focused (such as HIPAA, PCI) and others are broader (think CCPA, GDPR).
It can be a challenge to know which ones apply to them, and the effort needed to adhere to and report on those regulations and frameworks can be heavy.
This is where the HITRUST CSF comes in.
Rather than performing individual assessments and audits for each standard and for each provider, supplier, or customer to verify compliance, you could instead undergo a single HITRUST CSF assessment that includes those requirements.
Then, after receiving the HITRUST certification, you can confidently demonstrate to your interested stakeholders in one fell swoop that you’re meeting their specific requirements.
This is what we call an ‘assess once, report many’ approach, and it can yield some serious dividends, especially as public and private industries across the globe are facing a continuously changing regulatory landscape.
We’re seeing that government and third-party partners are requiring companies to protect data (and ultimately, protect consumers), primarily through the use of regulation and compliance standards, and we don’t envision a future state where this will change.