
HITRUST Common Security Framework – Improving Cyber Resilience?

A few weeks ago, Anthem agreed to a record $16 million HIPAA settlement with federal regulators to close the chapter on a data breach that exposed data on nearly 79 million individuals in 2015. This payment is in addition to the $115 million Anthem shelled out as part of a class-action lawsuit over the same breach in 2017. This latest settlement revealed new details about the breach, including the fact that Anthem was audited and certified under the HITRUST Common Security Framework (CSF) just five months before hackers were able to infiltrate its computer systems. This raises questions regarding the effectiveness of compliance audits.

Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the HITRUST CSF as part of HIPAA assessments establish a much higher standard of scrutiny for privacy and disclosure requirements, compared to many other verticals. This is justified, since the industry maintains a vast amount of highly sensitive data on individuals, which is extremely coveted by cyber criminals. Healthcare records are a hot commodity on the Dark Web, fetching much higher selling prices than credit cards.

HITRUST CSF has become the most widely adopted security framework in the U.S. healthcare industry. Like the NIST Cybersecurity Framework, it integrates relevant regulations (e.g., HIPAA) and standards (NIST 800-53, ISO 27001, PCI DSS) into a single overarching security framework. So what benefits does HITRUST CSF offer healthcare organizations?

Security-minded, mature healthcare providers typically already have a solid security program in place that incorporates many of the standards, guidelines, and best practices referenced in the framework. While HITRUST CSF doesn’t necessarily improve cyber resilience for these types of organizations, it does provide a common nomenclature and methodology to help less advanced providers assess their level of security preparedness and benchmark their programs. 

Compliant Doesn’t Equal Security

The Anthem breach and thousands of others are proof that regulatory compliance – and its checkbox approach to security – doesn’t translate to greater security. While many experts agree that compliance with security frameworks has value when it comes to developing proper policies for certification, organizations need to be aware that it does not provide immunity from breaches. HITRUST CSF and other guidelines help reduce risk but cannot eliminate all cyber threats and often give organizations a false sense of security. 

Ultimately, the mindset of healthcare organizations needs to change if they want to prevent data breaches and ensure that protected health information (PHI) is properly protected. Attackers have learned to sidestep sophisticated security mechanisms using phishing attacks and social engineering techniques to compromise user credentials and walk in through the front door. Even adhering to HIPAA rules or HITRUST CSF cannot prevent hackers from gaining access to PHI under these conditions.

The HITRUST CSF, for instance, requires that organizations implement several administrative safeguards, which include logging access to PHI and routinely checking these access logs. However, if hackers camouflage their attacks by leveraging compromised credentials, even a high-level review of these logs would not immediately reveal any abnormal behavior needed to stop the intrusion in its tracks.
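One way to make the log review described above catch credential misuse is to judge each account against its own history rather than line by line. This is an added example, not code from the article or from HITRUST; the log lines are constructed sample data (not real PHI), and the thresholds and working-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample PHI access log (not real data). One line per lookup:
# timestamp,user,patient_id,source_ip. Every line is a valid account reading a
# valid record, which is all a line-by-line review of the log can see.
BASELINE_LINES = [
    f"2015-01-{day:02d}T{9 + i:02d}:15:00,jdoe,P10{day}{i},10.20.1.15"
    for day in range(5, 10) for i in range(3)
]
# Day 10: same account, but 40 lookups at 02:00 from an unfamiliar network.
INTRUSION_LINES = [
    f"2015-01-10T02:{i:02d}:30,jdoe,P20{i:03d},203.0.113.7" for i in range(40)
]
SAMPLE_LOG = "\n".join(BASELINE_LINES + INTRUSION_LINES)

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, user, patient, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), user, patient, ip))
    return events

def flag_anomalies(log_text, volume_factor=3.0, work_hours=range(7, 20)):
    """Compare each user's daily activity with that user's own earlier days.
    Returns [(user, date, reasons)] for days that depart from the baseline."""
    daily = defaultdict(lambda: {"count": 0, "hours": set(), "ips": set()})
    for ts, user, _patient, ip in parse(log_text):
        d = daily[(user, ts.date())]
        d["count"] += 1
        d["hours"].add(ts.hour)
        d["ips"].add(ip)
    history = defaultdict(lambda: {"counts": [], "ips": set()})
    findings = []
    for user, day in sorted(daily):  # chronological per user
        d, h, reasons = daily[(user, day)], history[user], []
        if h["counts"]:  # prior days are needed before judging volume or network
            avg = sum(h["counts"]) / len(h["counts"])
            if d["count"] > volume_factor * avg:
                reasons.append(f"volume {d['count']} vs daily avg {avg:.1f}")
            if d["ips"] - h["ips"]:
                reasons.append(f"new source {sorted(d['ips'] - h['ips'])}")
        if any(hr not in work_hours for hr in d["hours"]):
            reasons.append("access outside working hours")
        if reasons:
            findings.append((user, day.isoformat(), reasons))
        h["counts"].append(d["count"])
        h["ips"] |= d["ips"]
    return findings
```

The five baseline days produce no findings; the sixth day is flagged on all three signals even though every individual line is a legitimate-looking read by a valid user.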

As a result, healthcare organizations should consider moving towards a “never trust, always verify” security model. This ‘Zero Trust Privilege’ concept requires granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, organizations can minimize their attack surface, improve audit and compliance visibility, and reduce risk – while lowering security complexity and costs.

Healthcare organizations must recognize that HIPAA and HITRUST CSF compliance does not guarantee their systems are adequately protected from threats. These guidelines represent a minimum barrier to entry for attackers. Security, as has been stated many times before, is a journey which requires continuous monitoring and robust controls that must be adapted to new threats, and not an annual checkbox exercise.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
