When first released in 2009, the HITRUST[1] Risk Management Framework (RMF)[2] was essentially limited to the HITRUST CSF[3] and the HITRUST Assurance Program.[4] The HITRUST CSF helped organizations understand the control requirements they should implement to provide an appropriate level of due diligence and due care for the protection of sensitive information,[5][6] and the HITRUST Assurance Program provided a common approach to assurance for both internal and external stakeholders around the state of an organization’s information risk management and compliance program. All the other elements of the current HITRUST RMF have been developed or otherwise refined over the past decade or more to help address the needs of HITRUST Organizations and Assessors (the ‘HITRUST Community’) for a more robust approach to cybersecurity and risk management.

Discussion of the HITRUST RMF has since been scattered across dozens of whitepapers, presentations, and other documents, each produced as a specific element of the RMF was introduced. And, as various concepts have matured over the years, some of the older documents, such as HITRUST’s original risk analysis guidance,[7] have become dated and no longer reflect HITRUST’s current thinking. This document addresses these issues by providing a centralized discussion of the underlying methodologies that make up the HITRUST RMF and that support the various tools, products, and services that collectively make up the HITRUST Approach.[8]

We begin by presenting relevant risk concepts and then introduce a generic 4-step, process-based RMF model, which we present through the lens of the National Institute of Standards and Technology[9] (NIST) RMF. This then sets the stage for introducing core concepts in each of the four steps of the model. Additional concepts that are foundational to related products, services, and tools are provided in a separate appendix.

This document is not meant to be a comprehensive repository of all information related to the HITRUST RMF. Instead, it introduces fundamental concepts and methodologies and then, where appropriate, refers the reader to external documents that provide a more complete discussion of a specific topic.[10] The intent is to ensure the Risk Management Handbook remains relevant over time without the need to update content when the RMF is expanded or otherwise modified to meet the evolving needs of the HITRUST Community.

[1] HITRUST (2022a). About HITRUST.

[2] Cline, B. (2019). Risk Management Frameworks: How HITRUST provides an efficient and effective approach to the selection, implementation, assessment and reporting of information security and privacy controls to manage risk in a healthcare environment. Frisco, TX: HITRUST.

[3] HITRUST (2022b). HITRUST CSF.

[4] HITRUST (2022c). HITRUST Assurance Program.

[5] Information is defined here as any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. Not to be confused with the term ‘data,’ which we define here as information in a specific representation, usually as a sequence of symbols that have meaning or pieces of information from which ‘understandable information’ is derived.

[6] Sensitive information is defined here as information where the loss, misuse, or unauthorized access or modification could adversely affect the [organization] or the conduct of [organizational] programs [or services], or the privacy to which individuals are entitled [by law].

[7] Cline, B. (2019, Sep). Risk Analysis Guide for HITRUST Organizations and Assessors: A guide for self and third-party assessors on the application of HITRUST’s approach to risk analysis. Frisco, TX: HITRUST.

[8] HITRUST (2022d). HITRUST Approach.

[9] NIST (2022a). About NIST.

[10] As a result, various parts of this document may contain material from other HITRUST documents relevant to the topic being discussed.