What to look for in a HITRUST pentest

What is HITRUST?

We understand that it’s easy to get lost in the complex landscape of cybersecurity certifications, compliance rules, laws and frameworks. So, before diving into HITRUST, let’s first discuss a couple of useful definitions.

First and foremost, we should clearly understand the difference between a law, like HIPAA or GDPR, and a framework. Let’s take HIPAA for instance. HIPAA requires a series of rules to enforce the security and privacy of Protected Health Information, also known as PHI. These rules require organizations to conduct self-audits once a year, but HIPAA does not prescribe how to meet its own criteria. That’s exactly where a framework enters, as it gives you a tested method to manage your cybersecurity in terms of procedures, policies and techniques.

Having said that, where does HITRUST fit? Well, according to CSO, HITRUST is an organization that created a cybersecurity framework that seeks to unify the rules of many existing regulatory and industry frameworks, including HIPAA, GDPR, PCI-DSS, and more. The idea behind this is to create a single standard across all of those frameworks that both simplifies the organizations' journey and sets a high benchmark for cybersecurity. HITRUST stands for “Health Information Trust Alliance,” and it began by focusing on HIPAA and similar regulations. Today, however, it has expanded to other industries such as financial services and defense contracting. Its framework, known as the HITRUST CSF, is a set of rules and controls that, once implemented, makes it considerably easier for organizations to meet the requirements of laws like the ones mentioned above.

Who should follow it?

Even though it is not mandatory, as we’ve seen, the HITRUST CSF has become a de facto healthcare industry standard in many cases. So it’s quite common to find that organizations such as vendors and business associates handling PHI are required to hold a HITRUST certification in order to work with direct healthcare providers.

What is required to be HITRUST compliant?

Briefly, according to CSO, the HITRUST CSF rules can be broken down into 19 areas, known as control domains:

  • Information Protection Program
  • Endpoint Protection
  • Portable Media Security
  • Mobile Device Security
  • Wireless Security
  • Configuration Management
  • Vulnerability Management
  • Network Protection
  • Transmission Protection
  • Password Management
  • Access Control
  • Audit Logging & Monitoring
  • Education, Training and Awareness
  • Third Party Assurance
  • Incident Management
  • Business Continuity & Disaster Recovery
  • Risk Management
  • Physical & Environmental Security
  • Data Protection & Privacy

From this list, we’d like to focus only on vulnerability management. Being compliant with the HITRUST CSF implies having technical controls in place that validate the security of your systems. These technical controls translate into either a vulnerability scan, a penetration test or a security configuration check. Presuming that you’re interested in performing a penetration test, what should you expect from the vendor in order to be HITRUST compliant?

According to the CSF Methodology handbook (version 8.0), a technical test should verify, among other things, that the following areas have well-implemented security controls:

  • Audit settings
  • Patch levels
  • Password settings
  • Account lockout
  • Anti-virus data file (DAT) levels
  • User listings

This means that the tester will assess things like the length of the passwords in use, how often they are rotated, whether you run any outdated software that could be vulnerable and how much business impact its compromise could cause, and whether your permission scheme follows the principle of least privilege, among other checks.
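As an added example (not Red Sentry’s code, nor anything published by HITRUST), the following Python script shows what a security configuration check over four of those areas could look like: it parses constructed Linux-style login.defs, faillock.conf and passwd fragments plus constructed “last patched” dates, and compares them against an assumed baseline. The thresholds, file contents, package names and dates are all assumptions for illustration, not HITRUST CSF requirements.

```python
"""Added example: score constructed account-policy inputs against an assumed
baseline. Thresholds and sample inputs are assumptions, not HITRUST values."""
import re
from datetime import date

# Assumed baseline thresholds (placeholders, not values from the HITRUST CSF).
BASELINE = {
    "PASS_MIN_LEN": 12,          # minimum password length
    "PASS_MAX_DAYS": 90,         # maximum password age, in days
    "LOCKOUT_DENY": 5,           # failed logins allowed before lockout
    "LOCKOUT_UNLOCK_TIME": 900,  # seconds an account stays locked
    "PATCH_MAX_AGE_DAYS": 180,   # oldest acceptable patch date
}

# Constructed /etc/login.defs fragment (sample input, not from a real host).
LOGIN_DEFS = """
# Password aging controls
PASS_MAX_DAYS   365
PASS_MIN_LEN    8
"""

# Constructed /etc/security/faillock.conf fragment (sample input).
FAILLOCK_CONF = """
# deny = 3          <- the intended value, left commented out
deny = 10
unlock_time = 60
"""

# Constructed /etc/passwd excerpt (sample input).
PASSWD = """
root:x:0:0:root:/root:/bin/bash
backup-admin:x:0:0:legacy backup:/home/backup-admin:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed "last patched" dates per component (sample input).
PATCH_DATES = {"openssl": date(2023, 1, 10), "kernel": date(2024, 5, 2)}


def parse_kv(text):
    """Parse 'KEY value' or 'key = value' lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=?\s*(\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_password_settings(defs):
    findings = []
    min_len = int(defs.get("PASS_MIN_LEN", 0))
    if min_len < BASELINE["PASS_MIN_LEN"]:
        findings.append(f"PASS_MIN_LEN={min_len} is below {BASELINE['PASS_MIN_LEN']}")
    max_days = int(defs.get("PASS_MAX_DAYS", 99999))
    if max_days > BASELINE["PASS_MAX_DAYS"]:
        findings.append(f"PASS_MAX_DAYS={max_days} exceeds {BASELINE['PASS_MAX_DAYS']}")
    return findings


def check_account_lockout(conf):
    findings = []
    deny = int(conf.get("deny", 0))  # deny=0 means lockout is not enforced
    if deny == 0 or deny > BASELINE["LOCKOUT_DENY"]:
        findings.append(f"deny={deny} allows more than {BASELINE['LOCKOUT_DENY']} failed attempts")
    unlock = int(conf.get("unlock_time", 0))
    if unlock < BASELINE["LOCKOUT_UNLOCK_TIME"]:
        findings.append(f"unlock_time={unlock}s is shorter than {BASELINE['LOCKOUT_UNLOCK_TIME']}s")
    return findings


def check_user_listing(passwd_text):
    """Least-privilege check: only 'root' should hold UID 0."""
    findings = []
    for line in passwd_text.strip().splitlines():
        name, _pw, uid, _gid, _gecos, _home, _shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append(f"account '{name}' has UID 0 (shared superuser)")
    return findings


def check_patch_levels(patch_dates, today):
    limit = BASELINE["PATCH_MAX_AGE_DAYS"]
    return [f"{pkg} last patched {(today - d).days} days ago (limit {limit})"
            for pkg, d in patch_dates.items() if (today - d).days > limit]


def audit(login_defs=LOGIN_DEFS, faillock=FAILLOCK_CONF, passwd=PASSWD,
          patch_dates=PATCH_DATES, today=date(2024, 6, 1)):
    """Run every check and return {area: [finding, ...]}."""
    return {
        "password_settings": check_password_settings(parse_kv(login_defs)),
        "account_lockout": check_account_lockout(parse_kv(faillock)),
        "user_listings": check_user_listing(passwd),
        "patch_levels": check_patch_levels(patch_dates, today),
    }


if __name__ == "__main__":
    for area, items in audit().items():
        print(f"[{area}] {len(items)} finding(s)")
        for item in items:
            print("   -", item)
```

On a real engagement the inputs would come from the hosts in scope and the baseline from the policy the client has agreed to, but the shape of the check is the same: parse the setting, compare it with the agreed threshold, and report every deviation with enough context (the actual value and the limit) to be reproducible.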

So, in summary, the path to HITRUST certification is not easy, as there are approximately 400 controls to address compared to SOC2’s 100, according to PacketLabs. Nevertheless, it certainly gives you a level of cybersecurity awareness that will make the work of malicious actors harder.

Here at Red Sentry, we can help you check how secure your systems are by imitating the techniques that black hat hackers are currently using to compromise the confidentiality, integrity and availability of your business.

Andres Pena
Security engineer, developer and economist