The Importance of HITRUST CSF Certification to Protect Health-Critical Data

Updated on July 11, 2020

By Paul Banco, CEO and co-founder of etherFAX   

The rapid deployment of telehealth services and mobile health (mHealth) apps amid the COVID-19 pandemic has increased cybersecurity risks for healthcare organizations around the globe. While standards set forth in the Health Insurance Portability and Accountability Act (HIPAA) are meant to safeguard electronic protected health information (PHI), reports have shown that 28 percent of healthcare organizations fail to comply with HIPAA regulations.

A study from CynergisTek found that only 72 percent of health providers conform with HIPAA while an average of 47 percent of health providers and business associates conform with NIST Cybersecurity Framework (CSF) controls. Although many organizations have or use patient privacy monitoring solutions to manage user risk, many still lack the policies, procedures, or resources to optimize monitoring activities. 

As a data protection standards and development certification organization, HITRUST helps organizations safeguard sensitive data and manage IT risk across all industries and throughout the third-party supply chain. Since it was founded in 2007, the HITRUST CSF has become the gold standard among compliance frameworks in the healthcare industry, as it addresses the requirements of existing standards and regulations including HIPAA, PCI, COBIT, NIST, ISO, FTC Red Flag, and state laws.

HITRUST Certified for Data Protection

To become HITRUST certified, an organization must first complete a HITRUST CSF Readiness assessment to determine how well its current security and privacy controls align with the requirements defined in the HITRUST CSF. The organization can then select a certified HITRUST CSF Assessor Firm that will perform several risk assessments, audits, and quality assurance procedures over the course of two to four months. The HITRUST CSF has 19 different domains including healthcare data protection and privacy, endpoint protection, mobile device security, incident management, and disaster recovery. An organization will be scored on these assessments and must meet a minimum compliance level to become HITRUST certified.

Research has shown that 97 percent of organizations pursuing the HITRUST CSF certification rapidly improve their information security posture to meet certification and, most importantly, maintain their security posture. Furthermore, with a mature information protection program in place, organizations are less likely to suffer a breach and are more likely to be able to contain and minimize the impact of a breach, should one occur. 

Organizations that implement a robust information security continuous monitoring (ISCM) program such as HITRUST to continually assess the state of their information security controls not only achieve higher levels of maturity, but also make better and more timely decisions. Additional benefits include on-demand, real-time insight into organizational security and compliance risk posture, better prioritization of remediation activities, and a higher level of assurance. Forrester Consulting also found that organizations with identity and access management (IAM) practices generate 90% more productivity, save 40% in technology costs, and save an average of $5 million in breach costs. 

Securely Exchange Protected Health Information 

While the HITRUST CSF can be used by any organization that creates, accesses, stores, or exchanges sensitive and/or regulated data, it is ideal for healthcare because of its prescriptive framework for managing the security requirements associated with HIPAA compliance. HITRUST offers healthcare providers a trusted benchmark from which they can measure and manage their own compliance, while offering proven protection to their patients and partners. 

As cybersecurity threats and data breaches show no signs of slowing down, healthcare organizations must mitigate any potential vulnerabilities from the tools and technologies utilized within their practice. When choosing a fax service provider, it’s important for healthcare organizations to take HITRUST CSF certification into consideration to ensure that all regulatory compliance standards for data protection are met. The ideal fax service provider should also provide PCI DSS and SOC 2 compliance to protect the integrity of PHI as well as multiple defense-in-depth strategies, including two-factor authentication and end-to-end encryption, to guarantee that patient data and business-critical information remain secure while in transit and at rest. Ultimately, utilizing a HITRUST CSF certified fax provider will allow physicians to deliver a more personalized healthcare experience to patients as they will no longer be preoccupied with the remediation activities and regulatory inquiries that stem from data breaches and disrupt hospital services.


As CEO and co-founder of etherFAX, Paul Banco is responsible for the strategic direction of the company and leads technology development, including the patented etherFAX and etherFAX SEN intellectual property. In 2009, he identified the need to leverage the cloud for secure document delivery and co-founded etherFAX with fellow telecom industry veterans. As a cloud-based and virtual solution, etherFAX enables healthcare organizations to securely send and receive information from a broad range of applications and endpoint devices. etherFAX is HITRUST CSF certified, PCI DSS Level 1 compliant, and SOC 2 compliant for guaranteed data protection. 

The Editorial Team at Healthcare Business Today is made up of skilled healthcare writers and experts, led by our managing editor, Daniel Casciato, who has over 25 years of experience in healthcare writing. Since 1998, we have produced compelling and informative content for numerous publications, establishing ourselves as a trusted resource for health and wellness information. We offer readers access to fresh health, medicine, science, and technology developments and the latest in patient news, emphasizing how these developments affect our lives.