HITRUST expands to deliver ‘One framework, one assessment approach’ globally

HITRUST unveiled that it is expanding its engagement in Europe and Asia to aid organizations in addressing their global information risk management and compliance priorities, including General Data Protection Regulation (GDPR) and the Singapore Personal Data Protection Act (PDPA) requirements by providing a ‘one framework, one assessment’ approach globally.

Standards and regulations around the world are constantly being created and updated to protect data, particularly personal data with multiple domestic and cross-border requirements and reporting options.

Since 2007, HITRUST has been at the forefront of helping organizations protect data and manage information risk by providing the HITRUST CSF, a framework that provides organizations with a flexible and efficient approach to regulatory compliance and information risk management.

Coupled with the HITRUST CSF Assurance Program, which provides a risk management oversight and assessment methodology designed for the regulatory and information risk needs of organizations in various industries and countries, HITRUST enables organizations around the globe to meet their risk management and due care requirements for information protection.

The company has added the GDPR and PDPA to the HITRUST CSF (Version 9.2) as it expands internationally and extends its ability to provide large corporations and small organizations with a ‘one framework, one assessment’ approach.

In addition, HITRUST through its Irish subsidiaries, has filed a formal application with the European Union’s Data Protection Board and the Irish Data Protection Commission to have the HITRUST CSF recognized as a standard for GDPR certification as well as working with Irish authorities regarding an application to be an accredited certification body for GDPR.

Once HITRUST and the HITRUST CSF are recognized, organizations leveraging the HITRUST CSF and HITRUST CSF Assurance Program will have independent evidence of compliance with GDPR; this is a key means of differentiating a business to potential customers, business partners, and data protection authorities. HITRUST is also evaluating the process to be an Accountability Agent under the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules and Procedures for Processing programs.

“As countries around the world continue to adopt and advance data protection laws, the challenge of doing business on a global scale grows increasingly complex,” says Anne Kimbol, Chief Privacy Officer, HITRUST.

“Many countries have their own unique regulatory requirements, creating costs and challenges for organizations to determine if they are compliant to conduct business globally. The HITRUST CSF and CSF Assurance Programs address this problem through a single integrated approach for these requirements and provides documentation of compliance that can be shared with multiple stakeholders, including customers and data protection authorities.”

HITRUST’s integrated programs and services offers global companies a path to meet the requirements of multiple standards from the European Union’s GDPR and the Fair Information Practice Principles (FIPPs) to the NIST Framework for Improving Critical Infrastructure Cybersecurity in the U.S. as well as requirements like HIPAA and the Federal Financial Institutions Examination Council.

These latest developments will allow organizations operating in Europe and Asia to use HITRUST’s programs and services to address their data protection requirements and manage their third-party risk with one assessment. To support its growth in Europe, HITRUST will be conducting educational sessions through its Community Extension Program to provide organizations with key information and resources necessary to facilitate better risk management practices.

“HITRUST will continue to enhance its programs to better help companies globally manage their information risk management and meet their compliance requirements,” says Dr. Bryan Cline, Vice President, Standards and Analysis, HITRUST. “Businesses leveraging the HITRUST Approach will be able to leverage a single HITRUST CSF Assessment to report their security, privacy and compliance posture to various audiences globally.”

The HITRUST Approach

Risk management and compliance programs and services

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance, which is why its integrated approach ensures the components are aligned, maintained and comprehensive to support an organization’s information risk management and compliance program.

The HITRUST Approach is designed to provide organizations an information risk management and compliance program that integrates the following components:

• HITRUST CSF – a privacy and security controls framework.
• HITRUST CSF Assurance Program – a scalable means to provide assurances to internal and external stakeholders.
• HITRUST Threat Catalogue – a list of anticipated threats mapped to HITRUST CSF controls.
• HITRUST Shared Responsibility Program – a matrix of HITRUST CSF requirements identifying service providers and customer responsibilities.
• HITRUST MyCSF – an assessment and action plan management platform.
• HITRUST Assessment XChange – An automated means of sharing assurances between organizations.
• HITRUST Third Party Assurance Program – a third party risk management process.