How higher education and research institutions may benefit from using HITRUST to navigate research data security requirements
Dec. 6, 2022 · Authored by Mike Cullen, Emily Di Nardo
Research dollars and data now come with more terms and conditions than ever before. Many of these “newer” requirements are related to previous efforts to protect the current and future value of information or data, especially when funded by the federal government. Unfortunately, grants, contracts and cooperative agreements contain so many disparate research security requirements and terms that it can be difficult to determine what is most important for your institution to address.
To effectively address these requirements, stakeholders from across the institution must work together, as this is not simply an administrative, technology or cybersecurity problem. The latest developments regarding research security requirements, including National Security Presidential Memo 33 (NSPM-33), Controlled Unclassified Information (CUI), Export Controls, and Cybersecurity Maturity Model Certification (CMMC), all involve implementing a variety of people, process and technology controls.
As such, higher education and research institutions are looking for new and effective ways to navigate these research security requirements within their complex, distributed and diverse environments.
How can HITRUST help higher education and research institutions address regulated research data security requirements, such as NIST, that are different from HITRUST controls?
The HITRUST CSF provides coverage across multiple industry-specific standards and includes significant components from other well-respected information technology (IT) security standards bodies and governance sources, such as the National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) 27001. HITRUST contains a minimum set of control requirements that organizations must implement. Institutions then obtain the complete, tailored set of control requirements (controls) necessary for certification based on certain categories of risk factors such as organizational, system, geographical and regulatory risks. This allows an institution to address different research data security requirements within one framework.
How can a HITRUST assessment help my institution if we do not need to be HITRUST certified?
HITRUST offers multiple assessment types that can be utilized to satisfy contractual requirements, internal control environment requirements and due diligence with regulatory authorities and other external stakeholders.
HITRUST is widely adopted in the healthcare industry, but with HITRUST’s continued expansion of the authoritative sources included within the CSF and the release of new threat-adaptive assessment options, the door has opened to other industries. Now, higher education and research institutions that traditionally may not have considered HITRUST as a framework option are making a shift to leverage HITRUST as threats to sensitive data (e.g., electronic protected health information (ePHI), intellectual data) continue to rise.