by tristor 2418 days ago
On the flip side, I’ve long preached that compliance is not security. HITRUST CSF is a huge improvement over the previous state of healthcare IT, because HIPAA is not prescriptive

The famous critique on HITRUST by a healthcare security guy that went viral, calling it "Cumbersome, Expensive, and Arbitrary":

https://www.linkedin.com/pulse/open-letter-hitrust-alliance-...

Yep, and yet I’ve been able to successfully implement it in a 1 year project in a prior org (as part of a team obviously). HITRUST isn’t that bad, and it’s better than the alternative, which is HIPAA directly. I would best describe HIPAA as Vague, Fruitless, Bureaucratic, and Arbitrary. HITRUST is a huge improvement even if it’s not perfect.
Wasn't HIPAA not intended for security or privacy when it was originally developed? Merely as a standardized approach so various vendors could integrate more easily. I could be misremembering this though.
Yes, that’s accurate. It is not prescriptive at all, but it does contain broad data security requirements. These are really the only legally mandated security requirements in healthcare. That said, HIPAA is more about establishing a legal and contractual framework for sharing data between providers and insurers and different providers.