HITRUST Continues to Improve with 2012 Release

January 16, 2012

The Health Information Trust Alliance (HITRUST) has released the HITRUST Common Security Framework (CSF) version 4.0 and updates to the CSF Assurance Program. The 2012 CSF includes changes and new guidance pertaining to the National Institute of Standards and Technology’s (NIST) 800-53 revision 3 (SP 800-53 r3) and reflects industry recommendations, loss data trend analysis, and input from HITRUST Health Information Exchange and Mobile Device Working Groups.

“The harmonization effort was undertaken in response to a common question we receive, which is how does the CSF support my organization’s specific requirements under HIPAA,” said Bryan Cline, PhD, vice president, CSF development and implementation at HITRUST. “The guidance prepared provides clarity around both the actual requirements and how to determine if your organization is meeting them, which is where many standards fall short.”

Other advancements related to the CSF Assurance Program include the availability of an integrated Common Health Information Protection (CHIP) Questionnaire and CSF Compliance Worksheet, as well as new illustrative guidance for the CHIP Questionnaire, clarification of assessment and documentation requirements, and tighter alignment of scoring criteria with NIST’s capability maturity model to better support assessment scoping and execution.

Updates have been made to the CSF Assurance Program so that the program’s components accurately reflect both regulatory and market dynamics. The CSF certification requirements have been adjusted to provide an appropriate level of information protection and assurance. These changes were made in collaboration with industry experts and through analysis of healthcare-related cyber-security threats and data losses. Twelve controls were added and one removed from the controls required for certification under the 2012 CSF Assurance Program.

HITRUST provides regular updates to the CSF and CSF Assurance Program to ensure the offerings remain relevant to the organizations that rely upon them to address evolving security requirements and maintain regulatory compliance. With the inclusion of federal and state regulations, standards and frameworks such as HIPAA, ISO, NIST and COBIT, the CSF is a comprehensive and flexible framework that remains sufficiently prescriptive in how control requirements can be scaled and tailored for healthcare organizations of varying types and sizes.

“The CSF makes it possible for organizations to develop and maintain a single information security program that adequately addresses all their requirements and aids in their ability to satisfy their internal information protection assurance obligations and requirements of partners and other third parties,” said Daniel Nutkis, HITRUST’s CEO. “The prescriptive guidance coupled with a well-defined assurance methodology has led to the CSF being the most widely-adopted security framework in the U.S. healthcare industry in only four years.”

Availity, a leading health information network that exchanges more than a billion secure transactions per year, became HITRUST CSF Certified in 2011 and finds that CSF certification satisfies the majority of security concerns among the company’s stakeholders. “Our healthcare business partners and customers quickly recognize the value the HITRUST CSF provides, and respect the rigorous process we undertook to become CSF Certified,” said Russ Thomas, chief operating officer, Availity. “Certification removes administrative burden for Availity and our partners—many of whom would otherwise elect to conduct individual audits.”

HITRUST has also performed a comprehensive harmonization between the CSF, the HIPAA Security Rule and NIST SP 800-53 r3, and has prepared guidance that explains and substantiates how the CSF controls, which are based on the ISO/IEC 27001 control clauses, map to NIST SP 800-53 r3 and the HIPAA Security Rule. The guidance gives organizations a clearer view of how the CSF aligns with other standards and regulations and details how the CSF is the best framework for addressing the specific needs of the healthcare industry.
