February 26, 2024


Learn in depth about HITRUST 19 domains


  • The HITRUST CSF consists of 19 domains focusing on data protection.
  • Each domain covers different aspects of information security.
  • Implementing controls in these domains can enhance security posture and compliance.
  • Strac offers solutions for DLP, endpoint security, and data protection.
  • HITRUST domains help organizations manage risks and demonstrate compliance with industry standards.

Exploring the 19 HITRUST Domains in Depth

The HITRUST Common Security Framework (CSF) consists of 19 domains that focus on data protection. These domains cover various aspects of information security, such as endpoint protection, wireless security, vulnerability management, and more. By complying with the requirements of these domains, organizations can strengthen their data security, improve compliance with regulations, and minimize risks. To fully understand the HITRUST domains and their importance, continue reading the rest of the article.

Comprehensive Guide to Data Protection with HITRUST CSF

HITRUST CSF (Common Security Framework) is a certifiable framework that offers a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. It integrates relevant information from existing security standards and compliance regulations, such as NIST, HITECH, and HIPAA. The framework is designed to streamline the compliance process, facilitate secure data sharing, and adapt to the organizational and system structure.

Understanding HITRUST CSF: An Overview

HITRUST CSF is based on ISO 27001 and integrates 44 standards. It is structured similarly to ISO/IEC 27001:2005 and is regularly updated to reflect technological and policy changes. The framework is internationally recognized and applicable across various industries, not just healthcare.

The framework comprises 19 domains and 156 security and privacy controls. These include 21 controls dedicated to privacy practices, 135 Security Controls, and 14 Privacy Controls. The domains cover a wide range of information security aspects, such as information protection, endpoint security, access control, audit logging and monitoring, education, training, and awareness, third-party assurance, incident management, business continuity and disaster recovery, risk management, physical and environmental security, and data protection and privacy.

HITRUST provides self-assessment and validated assessment options, including e1, i1, and r2 assessments. Certification involves a thorough self-assessment and third-party audit, covering 75 required security controls. Companies like I.S. Partners, LLC and RSI Security are HITRUST Assessors offering services for HITRUST readiness, certification, compliance, gap assessment, and third-party risk management.

Domain 1: Information Protection

This domain focuses on protecting sensitive information from unauthorized access, disclosure, alteration, or destruction. Measures such as encryption, data classification, data loss prevention, and secure disposal of information are included.

Strac DLP (Data Loss Prevention) for Email

Strac DLP (Data Loss Prevention):

  • Strac seamlessly connects with numerous widely-used SaaS platforms, including Zendesk, Slack, Gmail, Google Drive, O365 Email, OneDrive, Intercom, and others, delivering a robust solution for safeguarding cloud and endpoint data.
  • It employs sophisticated algorithms to automatically identify and redact sensitive information across various channels of communication, removing the necessity for manual checks while providing precise and adaptable settings.
  • Strac is capable of redacting a variety of file types, such as PDFs, images, and Microsoft Office documents, adhering to key regulations and standards like PCI, SOC 2, HIPAA, ISO-27001, CCPA, GDPR, and NIST.
  • The system is designed for effortless integration, enabling users to swiftly configure and deploy DLP/live scanning/redaction functions in their SaaS applications.
  • Utilizing proprietary machine learning models, Strac precisely identifies and redacts sensitive personal and financial information, significantly reducing the chances of false detections.
  • It offers a wide range of customization features for drafting policies, managing sensitive data elements, setting access controls, and specifying remediation actions. Explore Strac's extensive list of identifiable sensitive data elements.
  • Strac leads in offering the most extensive set of integrations for SaaS and Cloud services, further enhanced by API and AI integration capabilities, including support for LLM APIs and AI-driven websites, to strengthen data protection within AI environments.
  • The platform includes built-in and customizable detectors for identifying sensitive data elements mandated by standards like PCI, HIPAA, and GDPR, offering ready-to-use compliance templates and flexible settings for thorough data security.
  • Strac stands out as the only platform providing accurate and all-encompassing DLP solutions that cover SaaS, Cloud, and Endpoint data.
  • It introduces inline redaction features that conceal or obscure sensitive information in attachments, ensuring the privacy of the data.
  • Strac prides itself on offering exceptional customer support, guiding users through the integration process and providing continuous assistance to ensure a smooth experience.

Domain 2: Endpoint Security

Endpoint protection is vital for combating viruses and malware. This domain includes intrusion detection systems, patches, firewalls, and software updates. It also covers the security of mobile storage devices, which can pose vulnerabilities if not properly managed. The Strac Endpoint Security solution protects against such vulnerabilities by:

  1. Denying users access to unauthorized websites
  2. Blocking uploads of sensitive PHI files to any website
  3. Blocking sharing of sensitive PHI files over cloud drive solutions like Google Drive, OneDrive, and more

Strac Endpoint Security for Mac and Windows

Domain 3: Portable Media Security

This domain focuses on the control and management of mobile storage devices. Implementing controls to secure portable media is essential in preventing unauthorized access to sensitive information.

Domain 4: Mobile Device Security

This domain focuses on securing mobile devices and ensuring that they are protected from unauthorized access or data leakage. Measures such as strong authentication, encryption, and remote wipe capabilities are included.

Domain 5: Wireless Security

This domain covers all aspects of wireless security, including network segmentation, encryption, access controls, and intrusion detection systems.

Domain 6: Configuration Management

This domain covers everything about configuration management, including change control, configuration audit, configuration item identification, configuration status accounting, and environments for testing and development.

Domain 7: Vulnerability Management

This domain covers vulnerability scanning, patching, antivirus software, anti-malware, and network/host-based penetration detection systems.

Domain 8: Network Protection

This domain focuses on securing an organization's network infrastructure. It covers various aspects of network and web connections, including network segmentation, firewalls, intrusion detection systems, and secure remote access.

Domain 9: Transmission Protection

This domain ensures the secure transmission of sensitive information across networks. It covers encryption, secure protocols, and secure file transfer mechanisms.

Strac OneDrive DLP - Prevents sharing of sensitive files

Domain 10: Password Management

This domain focuses on password policies, password complexity requirements, multi-factor authentication, and secure password storage.

Domain 11: Access Control

This domain covers user access provisioning, role-based access control, access reviews, and privileged access management.

Domain 12: Audit Logging and Monitoring

This domain focuses on capturing and tracking system and user activities to detect and respond to potential security incidents.

Domain 13: Education, Training, and Awareness

This domain covers security awareness programs, training sessions, and ongoing education to ensure that employees are aware of their roles and responsibilities in protecting sensitive information.

Strac DLP helps with Employee Education, Awareness and Training

Domain 14: Third-Party Assurance

This domain focuses on managing the risks associated with engaging third-party vendors and service providers. It covers vendor risk assessments, due diligence, contract management, and ongoing monitoring of third-party relationships.

Domain 15: Incident Management

This domain covers incident response planning, incident detection and reporting, containment, eradication, and recovery.

Domain 16: Business Continuity and Disaster Recovery

This domain covers business impact analysis, business continuity planning, backup and recovery procedures, and testing and maintenance of continuity plans.

Domain 17: Risk Management

This domain focuses on identifying, assessing, and managing risks to an organization's information assets. It includes risk assessments, risk treatment plans, risk monitoring, and risk reporting.

Domain 18: Physical and Environmental Security

This domain covers physical access controls, video surveillance, environmental monitoring, and disaster recovery site security.

Domain 19: Data Protection and Privacy

This domain covers data classification, data retention, data disposal, privacy policies, and privacy incident response.

Strac Data Classification

Drawing Conclusions from HITRUST Domains

By implementing the controls outlined in these domains, organizations can enhance their security posture, protect sensitive information, and demonstrate compliance with industry standards and regulations. Risk management and compliance are crucial in the healthcare industry, but they come with challenges. However, with the right approach and the comprehensive framework provided by HITRUST CSF, these challenges can be effectively managed.

At Strac, we understand the importance of data protection and compliance. Our comprehensive range of services, including risk assessments, security consulting, and managed security services, can help your organization navigate the complexities of the HITRUST CSF and ensure the security of your sensitive information. Contact us today to learn more about how we can assist you in achieving your data protection goals.

Frequently Asked Questions about HITRUST Domains

How many HITRUST domains are there?

There are a total of 19 HITRUST domains that focus on different aspects of risk management and regulatory compliance in the healthcare sector. Each domain is designed to address specific areas such as access control, privacy, security policies, physical security, and mobile device security.

Is CSF divided into 19 different domains?

Yes, the CSF is indeed divided into 19 different domains such as endpoint protection, mobile device security, and access control. These domains help ensure comprehensive coverage of security controls across various areas within an organization.

How many HITRUST controls are there?

There are a total of 156 HITRUST controls, which are categorized into 14 Control Categories, 19 Domains, and 49 Control Objectives. Additionally, there are 3 Implementation Levels within the HITRUST CSF framework.

What is the domain score for HITRUST?

The domain score for HITRUST is calculated by averaging the scores of all requirement statements within that domain. To receive a HITRUST validated assessment report with certification, an organization must achieve a score of 62.00 or higher for each domain.

Which HITRUST domains can a DLP (Data Loss Prevention) solution help with?

A comprehensive DLP (Data Loss Prevention) solution like Strac can cover the following HITRUST domains:

Founder, Strac. ex-Amazon Payments Infrastructure (Widget, API, Security) Builder for 11 years.
