Before we move forward with our exploration of HIPAA, HITRUST, and server hardening, let’s review what we learned in Part One. We began as experienced IT professionals and consultants working in the private sector, after starting a new job in the US Healthcare industry.
Following the path we mapped out, we established that the most effective way to achieve HIPAA compliance, assess potential risks, and mitigate cyber attacks is through the HITRUST Common Security Framework (CSF). Next, we demonstrated how the CSF combines federal and state legislation, US government and industry standards, and international regulations, including HIPAA, NIST, the California Consumer Privacy Act, GDPR, and PCI-DSS, to provide a comprehensive framework for highly regulated industries such as healthcare. We illustrated how the CSF concepts, such as Control Categories, Objectives, Specifications, and implementation requirements, relate to server hardening through Control Reference 09.m: Network Controls.
When it comes to server hardening, the CSF contains more than one isolated reference. In this article, we take a broader view and examine server hardening across the CSF. We will focus on Access Controls, Communications and Operations, and System Management. We will explore the roots of each domain in the HIPAA Security Rule, the frameworks and requirements HITRUST draws upon to implement these requirements, and illustrate them with practical examples.
What You Will Learn
- To build on the foundations provided in part one
- How HIPAA security rules directly relate to HITRUST CSF control categories
- The types of attacks that each control is designed to prevent and/or mitigate
- How these controls relate to server hardening and configuration management
- Practical examples from the CSF for the control
Access Controls
Control Category 01.0 – Access Control has its roots in the HIPAA Security Rule’s Security Management Process, which requires establishing and maintaining a comprehensive security management process. Failure to implement access controls could result in unauthorized users gaining access to the system. In 2024, Change Healthcare was the victim of a ransomware attack that resulted from malware that bypassed its authentication servers’ access controls.
To prevent or mitigate these attacks, this section provides controls that include:
- 01.02 Authorized Access to Information Systems: Authorized user accounts are registered, tracked, and validated to prevent unauthorized access.
- 01.04 Network Access Control: Prevent unauthorized access to networked services.
- 01.07 Mobile Computing and Teleworking: Ensure the security of information when using mobile computing devices and teleworking facilities.
The best way to comply with these requirements is by managing server hardening baselines. The control specification for Control Reference 01.x Mobile Computing and Communications provides an implementation requirement relating to Federal Tax Information (FTI):
All mobile device management servers that receive, process, store, or transmit FTI are hardened.
Communications and Operations Management
Control Category 09.0 – Communications and Operations Management is based on the HIPAA Security Rule’s Information System Activity Review requirement. The requirement mandates regular reviews of information system activity. Implementing system monitoring could prevent attacks such as the Ascension Health data breach (2024), which exposed five and a half million patient records.
To prevent or mitigate these attacks, this section provides controls that include:
- 09.02 Control Third-Party Service Delivery: Maintain security requirements and levels of service as part of third-party service delivery agreements.
- 09.06 Network Security Management: Ensure the protection of information in networks and network infrastructure.
- 09.07 Media Handling: Prevent unauthorized disclosure, modification, removal, or destruction of information assets, or interruptions to business activities.
In addition to system monitoring, implementing these requirements involves managing and enforcing secure configuration parameters across your servers, which is a key component of server hardening. The control specification for Control Reference 09.m Network Controls provides the following practical implementation example:
The organization utilizes a hardened system to prevent end-users from directly communicating with administrative network zones.
Information Systems Acquisition, Development, and Maintenance
Control Category 10.0 – Information Systems Acquisition, Development, and Maintenance deals with the IT system management lifecycle. This control is derived from the HIPAA Security Rule’s requirement for business associate contracts and other arrangements, which mandates appropriate protections for health records shared between a provider and its suppliers and subcontractors throughout its supply chain. Healthcare supply chains are a target in their own right, as shown by the attack on Octapharma (2024), a blood plasma provider, which resulted in the closure of over 190 US plasma donation centers.
To prevent or mitigate these attacks, this section provides controls that include:
- 10.03 Cryptographic Controls: Protect data confidentiality, authenticity, and integrity with cryptography.
- 10.05 Security in Development and Support Processes: Strictly control project and support environments to ensure the security of application system software and information throughout the development process.
- 10.06 Technical Vulnerability Management: Implement vulnerability management in a practical, systematic, and repeatable way.
As with the previous control categories, these requirements can be met by a widespread rollout of server hardening and the enforcement of a consistent set of security policies. This section provides a practical example of server hardening:
The configuration standard for all system components (workstations, databases, servers, applications, routers, switches, wireless access points) is hardened to address, to the extent practical, all known security vulnerabilities.
Understanding the Complete Picture
The HITRUST initiative was created by an alliance of healthcare providers struggling to implement HIPAA, specifically HIPAA’s Security Rule. In Part One, we introduced you to the HITRUST CSF and how it normalizes a diverse range of sources, including federal and state legislation, U.S. government and industry standards, and international regulations. To introduce the core CSF concepts, such as Controls, Objectives, and Specifications, and how they relate to server hardening, we examined a single control category in depth. In Part Two, we took a broader view and examined server hardening across the entire CSF. We reviewed three control categories that relate directly to server hardening and configuration management. For each, we examined its origins in the HIPAA Security Rule, described a security incident related to the control category, reviewed relevant sample controls, and provided practical server hardening implementation examples.
Key Takeaways
- Understanding HITRUST system security requirements at the highest and lowest levels
- The ability to connect the HIPAA security rules and HITRUST CSF controls
- How to be HIPAA compliant by implementing the CSF
- Being able to reference specific server hardening implementation examples
- How deploying CalCom’s Hardening Suite can help you implement and comply with CSF requirements
How CalCom Can Help You
The HITRUST CSF is an excellent resource for implementing server hardening. If you want to move beyond running basic hardening scripts and deploy a fully automated, intelligent solution, then CalCom can help you with CalCom’s Hardening Suite (CHS). CHS doesn’t just apply a baseline; it learns your needs, identifies misconfigurations, tests changes, and continuously monitors, all without any disruptions. CalCom is ideal for enterprise environments, those looking to scale, or for low-risk hardening. To learn more, go to our resources page and download our datasheets and white papers.