Navigating the Future: Unveiling the HITRUST AI Assurance Program

By Brandon Weidemann 

The HITRUST CSF offers organizations a certifiable framework for regulatory compliance and risk management. Drawing on internationally accepted standards and regulations such as ISO, NIST, PCI, HIPAA, and GDPR, the CSF harmonizes their requirements, providing clarity and consistency while reducing the compliance burden. HITRUST's commitment ensures organizations are well-equipped to navigate new security and privacy regulations.

Navigating the AI Landscape 

Artificial Intelligence (AI) systems, including natural language processing, machine learning applications, and continued emerging applications of AI, hold immense promise for the healthcare industry. However, the rapid evolution of these technologies introduces new risks, terminologies, and complexities. Trust in AI systems is paramount, ensuring they operate with the expected quality and integrity while meeting governance, ethical, and legal standards.  

In response to the evolving AI landscape, HITRUST introduces its AI Assurance Program, the first and only program with the ability to demonstrate compliance with AI assurance controls.  

Key Components of the HITRUST AI Assurance Program 

As organizations increasingly integrate AI into their operations, concerns surrounding the security and compliance of these systems have become more prominent. The HITRUST AI Assurance Program addresses these concerns by providing a comprehensive framework for evaluating and managing the risks associated with AI implementation. 

Key Features of the HITRUST AI Assurance Program: 

  1. Comprehensive Risk Management: The program offers a robust risk management framework tailored specifically for AI systems. This includes assessing potential threats and vulnerabilities associated with AI algorithms, data handling, and model deployment. 
  2. Regulatory Compliance: With a focus on aligning with global data protection regulations and industry standards, the HITRUST AI Assurance Program ensures that AI implementations adhere to the necessary compliance requirements. This is particularly crucial in the healthcare industry as it deals with sensitive information such as PHI and PII.  
  3. Dynamic Framework for Evolving Threats: AI technologies are continually evolving, and so are the threats they face. The HITRUST program acknowledges this by providing a dynamic framework that can adapt to emerging risks, ensuring that organizations stay resilient against evolving cyber threats. 
  4. Transparency and Explainability: One of the challenges with AI is its inherent lack of transparency. The program encourages organizations to implement AI systems that are explainable and transparent, facilitating better understanding and accountability for the decisions made by these systems. 
  5. Collaboration and Knowledge Sharing: The HITRUST AI Assurance Program fosters collaboration among stakeholders by encouraging knowledge sharing and best practices. This collaborative approach ensures that the industry benefits from the insights and experiences of various organizations navigating the AI landscape. 

Summary of Controls in the Compliance Factor

To formally roll out the HITRUST Assurance Program, HITRUST v11.2.0 incorporates the addition of mappings to NIST AI RMF v1.0, ISO/IEC 23894, and ISO 31000 through the selectable compliance factor – "Artificial Intelligence Risk Management." 

Controls in AI Risk Management 

HITRUST outlines a comprehensive set of controls for organizations involved in AI development or use. These controls cover both external and internal contexts, ensuring a thorough understanding and mitigation of risks.  

  • External Context Controls, such as legal requirements, ethical guidelines, domain-specific guidelines, technology trends, societal and political implications, stakeholder perceptions, contractual obligations, network complexity, and system replacement, form the foundational considerations for managing risks associated with AI systems. 
  • Internal Context Controls, including effects on the organization's culture, international standards, resource changes, AI knowledge, AI tools and platforms, intellectual property, data handling automation, quality constraints, internal stakeholder perceptions, complexity of interdependencies, and specialized training, play a crucial role in shaping and securing the internal landscape of organizations utilizing AI.

Both external and internal contexts include the need to consider the following control areas: 

  • Project-Level Alignment and Risk Criteria involve ensuring alignment with organization objectives and defining clear risk criteria specifications to guide AI projects effectively. 
  • Risk Assessment and Analysis activities revolve around the documentation of external and internal context, the consideration of AI System impact, and stakeholder consideration to assess and manage risks effectively. 
  • Organization-Level Policies and Commitments entail the formulation of a comprehensive risk assessment policy and the issuance of commitment statements to uphold AI risk management principles. 
  • Resource Allocation and Framework Review involve critical considerations, including effective resource allocation and periodic framework reviews, to ensure the continuous effectiveness of AI risk management. 
  • Stakeholder Communication and Reporting focus on establishing processes for stakeholder communication and implementing standards for reporting to facilitate transparency and accountability in AI risk management practices. 
  • Risk Treatment and Mitigation encompass various aspects such as risk treatment integration, risk identification and analysis, formal risk assessment, and the development of a detailed risk treatment plan to address and mitigate AI-related risks. 
  • Continuous Improvement strategies include continuous evaluation, considerations related to human behavior and culture, monitoring and adaptation, and strategic resource allocation for effective risk management in the dynamic AI landscape. 
  • System Life Cycle Alignment involves aligning risk assessment activities with the system life cycle and identifying risk consequences and sources, ensuring a holistic approach to AI risk management.
  • Trustworthiness and Societal Impact Analysis require the assessment of trustworthiness, societal impact, and individual impact annually to uphold ethical and responsible AI practices. 
  • Key Control Identification is a dedicated process focusing on identifying key controls relevant to AI development and use, ensuring effective risk mitigation. 
  • Overall Risk Management encompasses the systematic approach of risk identification and treatment, risk prioritization, and continuous risk management to ensure the reliability and security of AI systems. 

HITRUST's AI risk management program, and more specifically, the “Artificial Intelligence Risk Management” compliance factor in v11.2.0, positions itself as a comprehensive guide for organizations venturing into the AI landscape. With a meticulous set of controls, both external and internal, HITRUST ensures that organizations can navigate the complexities of AI development and use while prioritizing transparency, accountability, and responsible AI practices.  

If your organization has further interest in the HITRUST AI Assurance Program and its associated requirements, Meditology is well-equipped to guide and assist your organization through AI risk management.  

Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them. 

Our service lines span cybersecurity certifications, security risk assessments, penetration testing, medical device security, incident response, staff augmentation, and more. Our team is run by former CISOs and privacy officers who have walked in our clients’ shoes, and our experienced consultants hold certifications spanning CISSP, CEH, CISA, HCISPP, CIPP, OSCP, HITRUST, and more. In addition, we maintain strong relationships with healthcare regulatory and standards bodies, including serving as HIPAA expert advisors to the Office for Civil Rights, providing us a uniquely thorough perspective on the healthcare cybersecurity landscape. 

Third-party attestations demonstrate that your organization has implemented effective controls to safeguard the security and privacy of sensitive data.  

HITRUST utilizes its framework, the HITRUST CSF, to assess compliance with security regulations. HITRUST certification is based on a standardized and prescriptive set of controls tailored to an organization's specific risk factors.  

Our third-party attestation solutions include: 

  • (e1, i1, r2) HITRUST certifications 
  • HITRUST readiness assessments 
  • Remediation services to prepare for HITRUST certification 

Brandon has an extensive background spanning over 8 years in IT and Cybersecurity risk management. His multifaceted experience encompasses a wide array of roles, from conducting internal and external audits for Fortune 500 companies to delivering expert consulting services to small start-ups. At present, Brandon serves as the leader of Meditology's HITRUST and Incident Response Tabletop Exercise service lines, where he plays a pivotal role in maturing internal processes in order to improve the customer experience. In addition to these responsibilities, Brandon assumes leadership roles in various engagements, including HITRUST, SRA, SOC2, and more.  
