The Health Information Trust Alliance (HITRUST) is an organization made up of leaders from a variety of industries, including Health Care, Security, and Information Technology, which was founded in 2006 to meet serious challenges in the Health Care industry, specifically in the areas of inconsistency, inefficiency, rising costs, and increasing risk. This organization has established a Common Security Framework (CSF) which is intended to serve as a set of guidelines by which healthcare companies and their business associates can measure their own security programs.
Purpose of the Common Security Framework (CSF)
The overriding purpose of the CSF is to standardize security controls across the broad spectrum of organizations that need to access, create, store, or exchange sensitive healthcare information, including governmental and third-party organizations. The first version of the CSF was released in 2009, but it is not an entirely new set of standards; on the contrary, it actually represents the unification of several pre-existing protocols, such as the PCI Data Security Standards, ISO 27001, the Health Insurance Portability and Accountability Act (HIPAA), and various state requirements. Those precursor protocols were supplemented, clarified, and refined with the input of HITRUST leaders, and the CSF was born.
In its present state, the CSF is comprised of 14 control categories, 46 control objectives, and 149 implementation requirements, and the levels at which it may be implemented are tied to organizational factors, system factors, and regulatory factors. Version 7 was released in 2015, and incorporated Privacy as an area of concern, thus meeting state healthcare regulations in Texas, Nevada, and Massachusetts.
HITRUST CSF assessments
CSF assessments are conducted for an organization to determine how effectively the organization meets security objectives through examining, interviewing, and testing. The scope of the assessment can be for a single hospital, a hospital group, or a single department within a medical institution, and it applies to all sensitive information, regardless of storage or transmission medium.
A CSF self-assessment can be performed by an organization on itself, testing its methods against the common security framework. There is no validation resulting from a self-assessment, but any security gaps are brought to light so they can be corrected or somehow managed.
A Validated CSF assessment is comprised of:
- An examination of documentation
- Interviewing of organization personnel, and
- Testing of technical implementation
Following completion of a validated assessment, all findings are generally submitted to HITRUST for a thorough quality assurance review. When the assessed organization achieves a 3+ or higher rating for successful implementation of security controls, HITRUST will grant that organization formal certification demonstrating compliance with its standards.
Healthcare organizations and the HITRUST program
Adoption of the HITRUST program among healthcare organizations continues to grow by leaps and bounds, because its CSF provides a comprehensive framework in the industry for assessing the profile of a given organization, relative to healthcare standards, security, privacy, and regulatory compliance. In addition, all third party associates of organizations are subject to those same requirements.
In June of 2015, HITRUST announced a widespread extension for industry usage of the Common Security Framework program, representing a significant increase in efforts to manage third-party risk and achieve greater regulatory compliance. A whole new wave of healthcare organizations will now make it mandatory for their healthcare business partners to achieve certification in the CSF assurance program. In effect, an additional 7,500 organizations that do not currently have CSF Certification will be required to obtain it within the next 24 month period to demonstrate that their business practices align with those of the healthcare industry.
About the Author
Greg Miller is a Principal at Schellman. Greg leads the HITRUST service line. Greg has more than 20 years of combined audit experience in both public accounting and private industry.More Content by Greg Miller