Achieve HITRUST CSF Certification With LastPass

Quick: what does HITRUST CSF have to do with 10 billion leaked passwords? 

If you’re drawing a blank, read on.  

In early July 2024, a wannabe cybercriminal posted a file called rockyou2024.txt to a popular hacker forum. However, digital forensics experts soon discovered that the large file contained little of actual value to attackers. 

In fact, more than 50% of the “passwords” consisted of double-digit character strings of Russian text, pure gibberish, and bcrypt hashes. The value of this database for large-scale credentialtuffing or brute-force attacks is doubtful.  

However, the potential can’t be entirely dismissed. Depending on your organization’s compliance needs and risk factors, you may be at great risk. 

This i where HITRUST CSF comes in.  

What Is HITRUST CSF Certification? 

Overview of HITRUST CSF Certification 

HITRUST CSF is a comprehensive privacy framework that maps to top global standards for information security management. 

Developed by the HITRUST (Health Information Trust) Alliance, the HITRUST CSF (Common Security Framework) helps organizations comply with important regulations like GDPR, NIST 800-53 revision 5, COBIT, HIPAA, PCI DSS, and ISO/IEC 27001. 

The framework simplifies compliance by allowing organizations to earn a single certification to demonstrate their commitment to data security across geographic and corporate boundaries. 

In 2023, the top industries that earned HITRUST certifications were information technology, healthcare, business services, finance, and retail. 

Benefits of HITRUST CSF Certification 

Enhanced data security and protection 

HITRUST integrates best practices from major security standards to address security gaps and promote a stronger security posture.  

The goal is a proactive, rather than reactive approach to safeguarding corporate assets and addressing evolving threats. 

With HITRUST, your organization stays prepared through continuous monitoring, access controls, and vulnerability management. According to the 2024 HITRUST report, most organizations achieve a 92% remediation of security control deficiencies within a year of HITRUST certification. 

Improved risk management and regulatory compliance 

With the HITRUST framework covering 97% of all threat indicators in the MITRE ATT&CK knowledge base, your organization will maintain a proactive stance on risk management.  

HITRUST compliance also allows your organization to reduce the likelihood of non-compliance penalties. This is especially critical, considering recent increases in OSHA, EPA, and other federal penalties in 2024. 

Increased customer trust and confidence 

Achieving HITRUST CSF certification signals a commitment to high standards of privacy and security. 

This certification assures consumers that your organization has undergone rigorous assessments and implemented extensive controls to protect their sensitive data. As a result, they are more likely to trust their data is in safe hands, which in turn fosters greater CX and brand loyalty. 

With a recent CivicScience study reporting that 89% of consumers fear the prospect of their data being stolen, HITRUST certification can be a game changer for your organization. 

And consumers are willing to pay for the assurance of safety: a whopping 60% will spend premium dollars for products or services from companies with stronger data protection policies. 

Competitive advantage in the cybersecurity industry 

Organizations that achieve HITRUST certification gain a competitive edge through a robust cybersecurity posture. This certification will differentiate you from competitors who haven’t achieved the same level of assurance. 

In a market where data security is paramount, HITRUST certification helps you establish credibility through a threat-adaptive posture and continuous security improvements. 

Cost savings through streamlined security processes 

Because the HITRUST CSF integrates multiple regulatory frameworks, it allows your organization to allocate resources more efficiently while still achieving high levels of security and regulatory compliance.  

Who Needs HITRUST CSF Certification? 

Healthcare organizations and providers 

Healthcare organizations and providers are primary candidates for HITRUST CSF certification. The framework was initially created to help these organizations comply with the HIPAA Security Rule and HITECH Act.  

With HITRUST, hospitals and clinics can assure patients and regulators that they adhere to the most stringent data privacy standards. 

In 2022, Sandata Technologies, a leading provider of data-powered homecare solutions, supported their business and security objectives with HITRUST certification.  

Previously unknown, Sandata achieved industry acclaim when it created the Electronic Visit Verification (EVV) software, which tracks and confirms the delivery of homecare services. This tool continues to reduce rampant fraud in the homecare industry.  

To continue demonstrating its commitment to patient data security, Sandata decided to achieve compliance with several privacy laws. The company settled on HITRUST certification after realizing it could meet multiple compliance standards simultaneously, such as HIPAA, NIST 800-53, and ISO 27001. 

We’re often asked, “What is the difference between HITRUST CSF and ISO 27001?” 

While both are comprehensive standards for information security management, HITRUST is primarily geared towards the U.S. healthcare industry. Meanwhile, ISO 27001 is an international standard, with a framework that can be applied to any industry across geographic regions. 

HITRUST is especially beneficial for organizations that want to form strategic collaborations or partnerships with healthcare organizations in the United States. 

Ultimately, achieving HITRUST certification allowed Sandata to demonstrate a top-tier security posture, which enhanced its credibility and competitiveness in both the public and private sectors. 

Business associates and service providers 

Business associates and service providers that work with healthcare organizations also benefit from HITRUST CSF certification. These entities often handle sensitive health information on behalf of healthcare providers and must comply with HIPAA regulations. 

With HITRUST certification, they demonstrate their ability to protect and maintain data security. Microsoft Azure and Office 365, for example, were the first hyperscale cloud service providers to demonstrate their commitment to healthcare data security through HITRUST certification. 

Third-party vendors and suppliers 

Third-party vendors and suppliers that interact with sensitive information across a range of industries value HITRUST certification. This certification helps them provide an assurance of their strict compliance with data privacy standards. 

For example, UPMC (a $19 billion-dollar world-renowned healthcare provider and insurer in Pittsburgh) requires their vendors to be HITRUST certified to streamline data protection across cloud-based workflows. 

With HITRUST, UPMC knows that patient data is being safely stored by third-party or cloud provider platforms. 

What Is the Difference Between HITRUST and HIPAA? 

HITRUST 

HITRUST is a private organization that developed the HITRUST CSF (Common Security Framework). This framework incorporates more than 50 privacy and security regulations. 

To date, more than 30,000 organizations have adopted the HITRUST CSF across industries, including healthcare, tech, and finance.  

In 2007, the HITRUST Alliance -- consisting of several high-profile organizations in the healthcare, tech, and information security industries -- developed the framework in response to threats targeting healthcare data. 

The HITRUST CSF has had several updates, with the latest version 11.3.0 released on April 16, 2024. This new version integrates authoritative regulatory sources like FedRAMP and StateRAMP, which are critical for organizations working with federal, state, and local governments. 

The new framework also incorporates mitigations from the MITRE Adversarial Threat Landscape for Artificial-Intelligence Systems (MITRE Atlas) to secure AI systems against emerging threats. Finally, it maps to important frameworks like NIST Special Publication 800-172 and supports organizations preparing for CMMC Level 3 requirements. 

CMMC (Cybersecurity Maturity Model Certification) Level 3 is part of the Department of Defense’s (DoD) cybersecurity framework for handling Controlled Unclassified Information (CUI) within the defense supply chain. 

HIPAA 

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law that imposes standards for protecting patient health information (PHI). 

HIPAA is mandatory for healthcare organizations, clinics, health plans, healthcare clearinghouses, and business associates of covered entities. 

HIPAA has also undergone various updates since its inception in 1996. 

On February 8, 2024, the Department of Health & Human Services (HHS) announced a final rule for 42 CFR Part 2, governing the confidentiality of substance user disorder (SUD) patient records.  

For SUD patients, this final rule introduces new rights, such as the provision to request restrictions on certain disclosures to healthcare providers. This change is intended to improve patient outcomes while safeguarding patient privacy. 

In addition, HIPAA published a final version of Special Publication (SP) 800-66r2, which offers guidance to HIPAA-covered entities and business associates on managing electronic Protected Health Information (ePHI).  

Considering the above, how is HITRUST different from HIPAA and which should your business adopt?  

First, HIPAA is a law requiring all individually identifiable health information that’s stored or transmitted by covered entities to be protected. This means all business associates and service providers that work with healthcare organizations must be HIPAA-compliant. 

But -- unlike HIPAA -- HITRUST isn’t a law. Instead, it’s a certifiable framework that allows organizations across various industries to demonstrate compliance with multiple industry standards with a single audit. 

So, a financial firm working with a healthcare organization would adopt HITRUST to comply with multiple regulations like HIPAA, NIST, and ISO.  

That said, HITRUST isn’t a panacea for becoming 100% HIPAA-compliant if you’re looking to collaborate with a healthcare entity: 

• HITRUST doesn’t cover OSHA and CMS requirements, despite the overlap of all three in safeguarding patient safety and privacy. 

• HITRUST also doesn’t cover all the specifications of the HIPAA Security Rule, especially if it pertains to a Transaction Rule infraction or a Privacy & Breach Notification failure. It does, however, provide third-party assurance that you’re on the right path to full HIPAA compliance.  

In other words, you can leverage HITRUST for a comprehensive risk profile assessment BUT you must still implement additional controls to address industry-specific security requirements not covered by HITRUST. 

Why HITRUST CSF Certification Matters 

Understanding the importance of HITRUST CSF certification 

First, we’ll answer an important question, “What is HITRUST CSF certified?” 

In a nutshell, the HITRUST certification process involves two types of assessments:   

• Self or readiness assessment (performed either by your own personnel or an independent third party) 

• Validated assessment (performed by a HITRUST Authorized External Assessor) 

While the readiness assessment workflow has nine (9) phases, the validated assessment workflow is comprised of 16 phases. 

It isn’t necessary to complete both, however. A self or readiness assessment is often used as a preparatory step to a validated assessment. 

It’s the validated assessment that’s mandatory for HITRUST certification. 

That said, your organization may want to complete a self or readiness assessment to identify any current security gaps and implement corrective actions before proceeding with the vigorous validated assessment. 

A validated assessment involves on-site testing by a HITRUST External Assessor. Both self and validated assessments utilize the MyCSF tool. 

In completing an assessment, the External Assessor may rely on the results of another validated HITRUST CSF assessment, audits performed by a third-party, or testing by the assessed entity’s internal assessors. 

The internal assessor, however, must be an Authorized Internal Assessor, possess a HITRUST Readiness License, and hold an active CCSFP (Certified CSF Practitioner) credential. 

Meanwhile, Certified HITRUST Quality Professionals (CHQP) are skilled workers who perform independent quality assurance (QA) reviews of validated assessment results. 

By now, you may be wondering, “What are the benefits of becoming HITRUST CSF certified?” 

To answer, here are our top six (6) reasons for why HITRUST CSF certification matters to your business: 

• Provides reliable assurances about data security to consumers, clients, shareholders, vendors, and regulators  

• Demonstrates your business is committed to managing and continually improving its privacy and security posture 

• Expands your market for new business partnerships and revenue 

• Simplifies cyber insurance procurement and reduces your premiums  

• Streamlines the underwriting process in obtaining cyber insurance, resulting in more consistent coverage for your organization’s needs 

• Reveals the maturity of your security management programs – and how well-positioned your organization is to maintain business continuity during security incidents 

With newly shortened reporting deadlines for cyber incidents, your organization must be able to maintain business continuity while meeting its compliance obligations. 

NYCRR Part 500, for example, requires the NY superintendent of financial services and pertinent regulatory agencies to be notified within 72 hours of a breach.  

HITRUST certification helps identify vulnerabilities to mitigate so business operations aren’t disrupted during a breach. And if your organization must maintain HIPAA compliance, the HITRUST Compliance and Reporting Pack also streamlines reporting to keep your cyber insurance claim valid in the aftermath of the breach. 

Industry-leading cybersecurity assurance 

HITRUST CSF is built on a risk-based approach, which means it’s continually updated to address evolving threats. This ensures your organization has the proper controls in place to protect personally identifiable information (PII). This proactive approach is the key reason HITRUST is considered the global leader in information protection assurance.  

By leveraging the HITRUST CSF certification, your business can demonstrate its commitment to high standards of data security and privacy, thus earning the trust of your customers, vendors, partners, and regulators.  

How HITRUST CSF certification enhances credibility 

Identity-related cybersecurity attacks are occurring with frightening regularity: Currently, 93% of organizations worldwide have already experienced two or more breaches due to these attacks. 

HITRUST CSF certification enhances your credibility by: 

• Reducing your organization’s risk of a data breach -- less than 1% of HITRUST-certified businesses reported a security breach between 2022 and 2023 

• Mapping to cutting-edge authoritative sources like NIST SP 800-172 and MITRE ATLAS to handle next-gen threats on the horizon 

• Including PCI DSS v4, 23 NYCRR 500 Second Amendment, and refreshed GDPR mapping so your business remains current with updated industry standards and regulations 

• Incorporating an AI Assurance Program so your business can reliably demonstrate compliance with AI risk management principles consistent with frameworks such as the NIST AI Risk Management Framework (RMF), ISO/IEC 23894, and ISO 31000 

Navigating the HITRUST Framework (HITRUST CSF) 

An overview of the HITRUST Common Security Framework (CSF) 

The HITRUST CSF framework rests on the HITRUST CSF Assurance Methodology, a streamlined process for reporting your organization’s compliance and information risk posture. It eliminates the need for multiple assessments, an approach HITRUST affectionally dubs “Assess once, report many.”  

To complete your assessments, you’ll need access to the MyCSF portal. 

The HITRUST MyCSF SaaS portal integrates with major GRC (governance, risk, & compliance) platforms, making it easy for your business to manage information risk and implement corrective action plans from one dashboard. 

The core of the CSF is based on ISO/IEC 27001 and 27002. 

In all, there are three types of HITRUST CSF certifications: 

• HITRUST e1 (Essential 1-Year): This certification provides “entry-level assurance” that an organization has security controls that map to CISA’s Cyber Essentials, the NIST SP 800-171, and HICP for small organizations. The e1 certification is valid for one year and suitable for organizations with limited resources or lower risk environments that still need to demonstrate compliance with data security regulations. 
• HITRUST i1 (Interim 1-Year): This certification is for organizations that don’t require the full rigor of the r2 certification. It’s valid for one year and provides more assurance than an e1 certification. The i1 certification aligns with the HIPAA Security Rule, NIST SP 800-171, and HICP for medium-sized organizations. 
• HITRUST r2 (Risk-Based 2-Year): This certification is the most comprehensive of the three and is suitable for organizations with higher risk profiles, such as healthcare and financial institutions. It demonstrates compliance with standards such as NIST SP 800-53, FedRAMP, and GDPR. 

This brings us to two questions we’re often asked: “How do I get HITRUST certified, and how long does it take?” 

How do I get HITRUST certified? 

• Begin by completing a self or readiness assessment. Ideally, you’ll want a HITRUST certified External Assessor to perform this task. After the assessment, you’ll get a readiness report, which starts at $3,465.
• The same External Assessor can also perform your validated assessment.
• Pay for access to the MyCSF portal to document your assessments. You can either pay for a report-only option with 90-day access or get an annual subscription. Choosing the first means you must complete all your assessments (both readiness and validated) within 90 days. Your costs for this will range between $3,500- $6,000. 

Meanwhile, the full-year portal subscription ($15,000 - $50,000) includes dedicated customer support services, inheritance privileges (explained below), access to all reports & analytics, ongoing risk management, and the ability to export assessment data to an external platform. 

 

Note: Depending on the complexity of your organization’s data security needs and its risk profile, your final costs may range from $70K to above $160K. This is because fees must be paid to both HITRUST (for use of the MyCSF portal) and your HITRUST External Assessor. 

However, you can greatly reduce your costs for HITRUST certification through the “inheritance” principle. This feature allows your organization to leverage previously completed compliance work to certify your own systems. 

You can either “inherit” assessment results from a previously completed HITRUST Validated Assessment, a previously completed self-assessment, or a self-assessment still in process. 

For example, you can “inherit” up to 85% of the assessment results from a cloud provider’s HITRUST Validated Assessment – and you can do this through the HITRUST Shared Responsibility and Inheritance Program.

If you have an annual MyCSF subscription, this program allows your organization to easily import assessment results from major cloud service providers like Salesforce, Microsoft, Google, and Amazon.  

Let’s say your cloud provider is Microsoft.  

The inheritance program’s Shared Responsibility Matrix allows you to inherit Microsoft’s security controls and import its validated assessment results into your own assessment process. 

Security controls are safeguards to protect information systems, while assessment results are the outcomes of evaluating the security controls. Ultimately, you can leverage Microsoft’s security controls and assessments to save you time and money during your organization’s HITRUST certification process. 

How long does it take to get HITRUST certified? 

It may take your organization anywhere between seven (7) to 18 months to get HITRUST certified. 

Readiness assessment: up to two (2) months 

Remediation of security issues: six (6) months or more 

Validated assessment: up to three (3) months 

Quality assurance review: one (1) to two (2) months 

Using the HITRUST Assurance Intelligence Engine, each assessment undergoes over 150 automated quality checks.  

After the QA review, HITRUST will create a report, score the validated assessment, and issue your organization a Letter of Certification. 

Exploring the structure and organization of the HITRUST CSF 

The HITRUST CSF Version 11.3.0 framework is made up of 19 domains, which includes mobile device security, third-party assurance, endpoint protection, password management, wireless security, incident management, and business continuity & disaster recovery. 

Domains provide a high-level overview of the specific areas your organization must cover in risk and regulatory compliance. 

To help you achieve the objectives set out in the domains, the framework is organized into 14 control categories, each focusing on different aspects of information security.  

Each control category comes with objectives and specific guidance for their implementation. In all, there are 49 control objectives and 156 control specifications.  

The following is a high-level overview of the control categories in the HITRUST CSF:  

• Information Security Management: Establishes a formal program to manage information security, including monitoring, maintenance, and improvement 

• Access Control Security: Covers access policies and procedures for networks, OS systems, password management systems, mobile computing and communication devices 

• Human Resources Security: Focuses on security measures related to personnel, from onboarding to terminations 

• Risk Management Policy: Involves developing and implementing a risk management program that includes risk assessments, evaluations, and mitigations 

• Regulatory Compliance: Ensures adherence to legal, regulatory, and contractual obligations 

• Asset Management Security: Involves the inventory, ownership, and acceptable use of assets

• Organization of Information Security: involves the allocation of information security responsibilities, confidentiality agreements, and the authorization process for information assets 

• Information Systems Acquisition, Development, and Maintenance: Involves message integrity, cryptographic controls, and technical vulnerability management 

• Physical and Environmental Security: Protects physical assets against external and environmental threats like fires, floods, earthquakes, civil unrest, and other forms of natural or man-made disasters 

• Business Continuity Management: Involves programs for counteracting interruptions to business activities during major information system failures or disasters 

• Security Policy: Involves demonstrating support for information security policy in line with business objectives and compliance regulations 

• Communications and Operations: Covers the monitoring of operating procedures such as third-party service deliveries, information back-up, system use, online transactions, information exchange, and the handling of removable media 

• Security Incident Management: Deals with reporting and management of information security incidents 

• Privacy/Security Practices: Ensures privacy and data protection measures are in place, such as privacy requirements for contractors, transparency regarding the handling of PII, and data minimization 

Each control category also includes organizational, compliance, or system risk factors that increase an organization’s risk profile, thus requiring a higher level of compliance. 

How to approach and prepare for a HITRUST CSF assessment 

Preparing for a HITRUST SCF assessment generally involves these key steps: 

• Understand the framework: Print out the latest version of the framework (Version 11.3.0). Next, familiarize yourself with the HITRUST CSF structure, control categories, and the relevant compliance requirements for your organization. 
• Sign up for either the 90-day or yearly access to the MyCSF portal. 
• Perform a gap analysis: Perform a self or readiness assessment, which includes a gap analysis to identify areas where your current security practices don’t meet HITRUST CSF requirements. Work with a HITRUST External Assessor for this. 
• Implementation: Work with the same HITRUST External Assessor to develop and implement policies, procedures, and controls to address the identified gaps. 
• Documentation: Ensure all security measures and controls are well documented, as documentation is a crucial part of the assessment process. 
• Training and awareness: Provide internal training to help employees understand the role they play in information security. Ensure they are signed up for HITRUST’s virtual Orientation training program. 
• Engage with HITRUST: Work with your HITRUST External Assessor to schedule and prepare for the validated assessment. 

LastPass: Your Trusted HITRUST CSF Certification Partner 

Why choose LastPass for HITRUST CSF certification 

In the HITRUST CSF, user password management is an important part of access control. 

If you’re considering HITRUST certification, LastPass can help your organization strengthen its password management practices in alignment with HITRUST requirements. 

At LastPass, we make password management EASY, so you can effortlessly enforce HITRUST password policies like: 

• Password length and complexity in line with TX-RAMP (Texas Risk & Authorization Management Program), which requires a minimum password length of 12 characters and at least one each of uppercase letters, lowercase letters, numbers, and special characters.  

• Password expiration in line with NIST SP 800-171, which prohibits password reuse for at least six (6) generations. This means a new password should not be identical to any of the previous six (6) passwords.  

• Secure password generation in line with NIST SP 800-172, which recommends automated password generation and rotation. 

• Account lockout mechanisms in line with The Centers for Medicare & Medicaid Services (CMS), which requires a lockout after three invalid login attempts during a 120-minute window. In addition, the lock out must be sustained until released by an administrator. 

• Password encryption in line with FISMA (Federal Information Security Modernization Act), which stipulates passwords must be transmitted in encrypted form and stored using an approved hash algorithm and salt. 

• Multi-factor authentication (MFA) in line with NIST SP 800-53, which requires MFA to access non-privileged accounts. 

Our Security Dashboard gives you a Security Score so you can immediately see how strong your passwords are. You’ll also get a list of all your weak or reused passwords. But never fear --- our password generator can create secure passwords to replace them. 

In short, we help you align with HITRUST controls related to access management, so you can focus on what you do best: running a business. 

Our proven track record in cybersecurity assurance 

At LastPass, our powerful Zero Knowledge, high-encryption architecture means your credentials are safe even from us.  

We secure your vault data with AES 256-bit encryption and 600,000 rounds of PBKDF2 SHA-256 hashing with salting – and only YOU can decrypt it. 

Meanwhile, our FIDO2 passwordless authentication methods protect employee access anywhere, while reducing your security risks. With passwordless login, your employees never have to remember another password again. 

In 2024, LastPass also became the first password manager to achieve ISO 27701 and FIDO2 server certification. 

This level of security is unprecedented, aligning with HITRUST’s emphasis on data security. 

How LastPass can simplify and streamline the certification process 

We offer centralized password management of credentials, so you can easily enforce strict security controls in line with HITRUST CSF requirements.  

At LastPass, we automate and enforce these controls for you, reducing your IT admin burdens and HITRUST assessment costs.  

During your HITRUST assessment, our detailed audit logs and reporting features also help you demonstrate that sensitive information is shared securely. 

Securing Your Organization with LastPass and HITRUST CSF Certification 

How LastPass aligns with the HITRUST CSF to protect your sensitive data 

As mentioned, we use powerful encryption standards to protect your organization’s most sensitive credentials. 

However, did you know that connecting your directory to LastPass allows your employees to leverage federated SSO (Single Sign On) to access multiple applications with just ONE set of credentials? 

Federated SSO minimizes the cyber-attack surface and reduces your organization’s risk of password-related security breaches, aligning with the HITRUST focus on data integrity and confidentiality. 

The role of LastPass in mitigating cybersecurity risks 

LastPass integrates with various tools to strengthen your organization’s overall security posture and support your quest for HITRUST certification: 

LastPass integration with IAM (identity access management) systems. Integrating with IAM tools ensures all password policies are enforced uniformly across all types of user accounts. 

LastPass integration with SIEM (Security Information Event Management) platforms. Integrating with SIEM tools allows you to monitor failed login attempts, aligning with HITRUST requirements for monitoring user access rights.  

LastPass integration with SOAR (Security Orchestration, Automation, & Response) systems. Integrating with SOAR tools allows your organization to automate incident response, aligning with HITRUST’s emphasis on timely detection and resolution of security incidents. 

Maximizing the effectiveness of LastPass in achieving and maintaining compliance 

Finally, LastPass integrates with major Identity Providers (IdP) like Microsoft Active Directory and Microsoft Azure AD to simplify onboarding and offboarding of employees. 

This ensures access rights are managed appropriately when employees leave, in accordance with HITRUST requirements.  

Achieving and maintaining HITRUST compliance has never been easier. 

Today, you can partner with LastPass to make your HITRUST certification journey more efficient and cost-effective by signing up for a free, no-obligation trial of LastPass Business.