Does Data Masking Meet HITRUST CSF Recommendations?
6/29/2020
Consider this your quick guide to the HITRUST CSF and how it applies to data masking.
These days, data is treated as a commodity, and as a result private data is becoming more and more accessible to third parties. Many consumers react with surprise when presented with marketing offers that are too accurate for comfort, or when asked about details of their life they didn't know their cellular phone company representative was privy to.
In the healthcare industry, however, certain regulations apply to how confidential data can be used. This applies as much to hospitals as it does to health insurance providers, billing services, community care providers, and pharmacists.
These regulations, such as HIPAA and HITECH, contain strict rules about data storage, the transmission of electronic data, and data protection. Non-compliance carries heavy penalties, and it also leaves your organization open to the risk of data breaches, reputational damage, and loss of lucrative contracts with healthcare partners.
Due to the high level of due diligence involved in maintaining regulatory compliance, many security and compliance officers have adopted the HITRUST common security framework (CSF) that covers the requirements of not only HIPAA, but also HITECH, ISO/IEC, PCI, and others. According to HITRUST itself, 81% of hospitals and 80% of health plans have adopted the framework.
If your organization falls within the healthcare industry, any data protection solution you employ should fall in line with CSF recommendations to ensure comprehensive compliance across the board – and that includes data masking.
What is HITRUST?
In a nutshell, HITRUST is an independent non-profit organization established to help the healthcare industry manage risk. HITRUST created a set of rules, known as its common security framework (CSF), that it updates annually to keep up with current breach data and cyber threats. This self-regulatory framework is an excellent way to complete due diligence for HIPAA and other regulations. It allows organizations to meet their compliance requirements and implement data security processes in a simple and orderly way, which is why it has become so popular among compliance officers.
The CSF is made up of 14 control categories, 46 control objectives, 149 controls, up to 3 implementation levels, and 845 requirement statements. The requirements scale to the size of each business, so in most cases not all 845 will apply.
The CSF is also a certification: once you have completed the due diligence, you receive the HITRUST certification, which can be used for auditing purposes.
What is the difference between HITRUST and HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a set of regulations that apply to the use and safeguarding of private and identifiable health information. HIPAA is a law enacted by the United States Congress. HITRUST is an independent framework to help the healthcare industry meet the regulations of HIPAA and manage risk.
Hush-Hush Data Masking is CSF compliant
One of the proven methods of protecting sensitive patient data is data masking, which involves replacing sensitive information with substitute “realistic” values. Data masking, also known as de-identification, is generally accepted by HITRUST as a method of protecting healthcare-related data.
HIPAA has specifically set out standards for de-identification and, under its Safe Harbor standard, lists the 18 elements that must be de-identified, including fax numbers, vehicle registration numbers, URLs, and IP addresses. Simply removing this information could break the normal functioning of databases and programs. Masking, however, replaces the sensitive data with replica values of the same format, preserving the structural integrity of databases and the usefulness of files.
Hush-Hush data masking meets the requirements of the HITRUST CSF framework in spades. Our data masking components mask personal identifiers that could be used to identify patients, including those set out by Safe Harbor. These components can be used statically or on-the-fly as needed. Hush-Hush understands the science of anonymity and offers flexibility in identifying sensitive data models and defining algorithms, which is why our products meet HIPAA's second standard of de-identification, namely the Expert Determination method. Using our patented algorithms, your organization will meet k-anonymity metric values, which makes it close to impossible to identify an individual from the attributes contained in a dataset.
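To make the two ideas above concrete, here is an added example (not Hush-Hush's code, and not its patented algorithms) that does both things the text describes: it replaces Safe Harbor-type direct identifiers (name, fax, IP address, URL) with format-preserving substitutes, and it measures k-anonymity over the remaining quasi-identifiers, generalizing them until every record shares its combination of ZIP prefix, age band and sex with at least one other record. The keyed-hash substitution, the generalization rules, the `MASK_KEY` value and the patient records are all assumptions constructed for the illustration.

```python
"""Format-preserving masking of direct identifiers plus a k-anonymity check.

Added example; the masking scheme (HMAC-derived substitutes) and the
generalization rules are assumptions, not any vendor's algorithm.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records; every value is fictitious.
RECORDS = [
    {"name": "Ann Kowalski", "fax": "212-555-0143", "ip": "10.20.30.41",
     "url": "https://patients.example/ann", "zip": "10001", "age": 34, "sex": "F", "dx": "asthma"},
    {"name": "Ben Ortiz", "fax": "212-555-0177", "ip": "10.20.30.42",
     "url": "https://patients.example/ben", "zip": "10002", "age": 37, "sex": "F", "dx": "flu"},
    {"name": "Cara Singh", "fax": "718-555-0101", "ip": "10.20.31.7",
     "url": "https://patients.example/cara", "zip": "11201", "age": 52, "sex": "M", "dx": "diabetes"},
    {"name": "Dev Patel", "fax": "718-555-0188", "ip": "10.20.31.9",
     "url": "https://patients.example/dev", "zip": "11205", "age": 58, "sex": "M", "dx": "hypertension"},
]

# Safe Harbor-type elements mentioned on the page: masked outright.
DIRECT_IDENTIFIERS = ("name", "fax", "ip", "url")
# Attributes that are harmless alone but re-identifying in combination.
QUASI_IDENTIFIERS = ("zip", "age", "sex")

# Hypothetical masking key; a real deployment would keep this in a secrets store.
MASK_KEY = b"example-masking-key"


def _digest(value: str) -> bytes:
    """Keyed hash: the same input always yields the same substitute,
    so foreign-key joins across masked tables keep working."""
    return hmac.new(MASK_KEY, value.encode(), hashlib.sha256).digest()


def mask_value(field: str, value: str) -> str:
    """Replace one direct identifier with a substitute of the same shape."""
    d = _digest(field + ":" + value)
    if field == "fax":
        # Keep the NNN-NNN-NNNN layout: rewrite digits, leave dashes in place.
        digits = iter(str(int.from_bytes(d, "big")))
        return "".join(next(digits) if ch.isdigit() else ch for ch in value)
    if field == "ip":
        # Four hash bytes become four valid octets.
        return ".".join(str(b) for b in d[:4])
    if field == "url":
        # Keep scheme and host, replace the last path segment.
        head, _, _ = value.rpartition("/")
        return head + "/" + d.hex()[:8]
    if field == "name":
        return "Patient-" + d.hex()[:6]
    return d.hex()[:12]


def mask_record(record: dict) -> dict:
    """Mask every direct identifier; other columns are left untouched."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = mask_value(field, record[field])
    return out


def generalize(record: dict) -> dict:
    """Coarsen quasi-identifiers so more records fall into each class."""
    g = dict(record)
    g["zip"] = record["zip"][:3] + "**"            # 5-digit ZIP -> 3-digit prefix
    g["age"] = f"{record['age'] // 10 * 10}s"       # exact age -> 10-year band
    return g


def k_anonymity(records: list, quasi_ids=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one record is unique on those attributes."""
    classes = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(classes.values())


def de_identify(records: list) -> list:
    """Mask direct identifiers, then generalize quasi-identifiers."""
    return [generalize(mask_record(r)) for r in records]


if __name__ == "__main__":
    print("k on raw data:", k_anonymity(RECORDS))
    safe = de_identify(RECORDS)
    print("k after masking + generalization:", k_anonymity(safe))
    for row in safe:
        print(row)
```

On the constructed records the raw table has k = 1 (every ZIP/age/sex triple is unique), and after generalization it reaches k = 2; the fax numbers and IP addresses remain syntactically valid, so downstream validation and schema constraints are unaffected. Masking the direct identifiers alone does not raise k, which is why a masking program aiming at the Expert Determination standard also has to look at the quasi-identifiers.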
Using data masking, organizations can reliably limit the sensitive data visible to in-house developers, contractors, and third parties, and mitigate the risks associated with data breaches.
With data being so valuable, the pressure to safeguard it is high. Adopting a security framework like the CSF and using Hush-Hush Data Masking Components allows an organization to manage risk adequately and sustainably. Not only does data masking fall in line with HITRUST recommendations, but it also gives you full control over the flow of data in your business.
For more information about HITRUST data de-identification methodology, click here.