HITRUST offers a self-assessment option for organizations looking to conduct an assessment internally; however, organizations are well served to obtain the expertise of a qualified CSF assessor organization, such as Interactive Security, to identify the strengths and weaknesses of their information security program and to make recommendations about how to address any issues.
Based on:
Control Objectives for Information and Related Technology (COBIT)
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
Federal Trade Commission (FTC) Red Flags Rule
Centers for Medicare and Medicaid Services Addressable Risk Safeguards (CMS ARS)
State requirements
Multiple other standards
Applies to:
Health plans / insurance plans
Hospitals and medical facilities
Doctor’s offices
Pharmacies
HIPAA and HITRUST assessments share the common objective of safeguarding healthcare information and ePHI. Performing a security assessment against the HIPAA Security Rule controls and addressing any resulting audit recommendations can evidence an organization’s compliance with HIPAA requirements. However, the HIPAA Security Rule was originally written to apply to organizations ranging from a small clinic to a large hospital chain, which left its requirements subjective and vague; as a result, it is difficult to demonstrate HIPAA compliance without also relying on ISO or NIST assessments.
With the more prescriptive and risk-based HITRUST assessment and certification process, requirements are adjusted to the specific risks of the organization and focus on common causes of information breaches within the healthcare industry. The HITRUST approach also considers compliance with other regulations, allowing organizations to take a comprehensive approach to meeting compliance and information security objectives. The HITRUST CSF’s implementation specifications scale according to several key factors, allowing organizations of varying sizes to use the CSF as a guide to developing an effective approach to information security. HITRUST is a certifiable framework that incorporates and maps the requirements of existing frameworks, standards and current regulations, while taking an efficient, risk-based approach to information security and protecting ePHI.