HITRUST Incorporates GDPR into the CSF
The Health Information Trust Alliance (HITRUST) has incorporated the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST CSF).
HITRUST is a US-based organisation which, in collaboration with the healthcare, technology and information security sectors, has established a Common Security Framework (CSF). The CSF offers guidance to organisations across all industries that create, access, store or exchange sensitive and/or regulated data.
By including GDPR, HITRUST hopes to continue with their efforts to create a single framework and assessment covering all regulatory requirements.
GDPR became law in May 2018. Although a part of EU law, it applies to any organisation that handles data collected within the EU. Therefore, due to the global nature of modern business, GDPR applies to organisations based all around the world. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine up to 4% of global annual turnover, or €20 million, whichever is greater.
Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, although HITRUST’s “one framework, one assessment” model makes the process as simple as possible.
“As countries around the world continue to adopt and advance data protection laws, the challenge of doing business on a global scale grows increasingly complex,” said HITRUST chief privacy officer, Anne Kimbol. “Many countries have their own unique regulatory requirements, creating costs and challenges for organisations to determine if they are compliant to conduct business globally.”
HITRUST has completed the formal application process to the Irish Data Protection Commission and the EU Data Protection Board to have the HITRUST CSF officially recognised as meeting GDPR certification standards and hopes to be confirmed as an accredited certification body for GDPR.
In addition to GDPR, HITRUST has incorporated the Singapore Personal Data Protection Act (PDPA) into the HITRUST CSF and is currently working toward becoming an Accountability Agent under Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules and Procedures for Processing programs.
“Businesses leveraging the HITRUST Approach will be able to leverage a single HITRUST CSF Assessment to report their security, privacy and compliance posture to various audiences globally,” explained HITRUST VP of standards and analysis, Bryan Cline.