What is HITRUST CSF Certification?
by Hoala Greevy, Founder and CEO of Paubox
HITRUST® is a standards development organization that was founded in 2007. It develops and maintains a healthcare compliance framework called the HITRUST CSF™.
According to HITRUST, the CSF is:
“A certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management.
Developed in collaboration with healthcare and information security professionals, the HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework. Because the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements.”
The HITRUST CSF is designed to unify security controls from federal law (HIPAA), state law, and non-governmental frameworks (such as PCI-DSS) into a single framework tailored to the healthcare industry.
To become HITRUST CSF certified, healthcare organizations typically follow a 4-step process:
- Use the HITRUST CSF assessment tool to identify the HITRUST controls that apply to the organization
- Complete the HITRUST CSF assessment and engage a third-party HITRUST assessor to test the controls
- The organization and the assessor both submit their assessment to HITRUST for review via the MyCSF Portal
- Achieve HITRUST certification
Amazon Web Services (AWS) and HITRUST
If you are a cloud software company like Paubox, choosing the right cloud vendor for compliance and cybersecurity is vitally important. Paubox has been a customer of Amazon Web Services (AWS) since day one.
To address security and compliance, AWS uses a Shared Responsibility Model.
Under this model, AWS is responsible for security of the Cloud (the underlying infrastructure), while the customer is responsible for security in the Cloud (what they deploy and configure on that infrastructure).
AWS customers have a broad range of controls to implement to protect their content, platform, applications, systems, and networks.
In the context of compliance, AWS offers customers compliance-ready infrastructure and provides tools and services they can use to be compliant on the AWS Cloud.
To help customers with their HIPAA and/or HITRUST compliance, AWS provides a suite of AWS-native tools and services that customers can use to secure their workloads and to encrypt and obfuscate PHI.
AWS also offers a Business Associate Agreement (BAA) to customers who need one for HIPAA compliance.