The Health Information Trust Alliance, HITRUST, has announced updates to the HITRUST Common Security Framework (CSF) and a new CSF initiative targeting smaller healthcare organizations to support their information risk management programs and improve their cyber resilience.
Developed by healthcare and IT professionals, the HITRUST CSF helps organizations by providing a privacy and security framework that provides healthcare organizations with a comprehensive, scalable and certifiable approach to regulatory compliance and risk management.
HITRUST has developed CSFBASICs, a streamlined versions of the HITRUST CSF and supporting HITRUST CSF Assurance Program designed to help small and lower-risk healthcare organizations meet otherwise difficult regulatory and risk management requirements.
The organization also announced HITRUST CSF V8.1 with continued enhancements including support for PCI DSS v3.2 and MARS-E v2. In addition, the organization announced HITRUST CSF v9 with continued enhancements including the Department of Health and Human Services Office for Civil Rights (OCR) Audit Protocol v2, FEDRAMP Support for Cloud and IaaS Service Providers and FFIEC IT Examination Handbook for Information Security.
Further, the organization announced its CSF Assurance Program v9, which has been enhanced so that a HITRUST CSF Assessment also includes a National Institute of Standards and Technology (NIST) Cybersecurity Framework certification with auditable documentation in addition to a Health Portability and Accountability Act of 1996 (HIPAA) risk assessment.
In response to feedback from smaller healthcare organizations looking for a viable means to meet regulatory demands while protecting their business against cyber threats, HITRUST collaborated with the physician community and small businesses to develop and pilot a new program called CSFBASICs (CSF Basic Assurance and Simple Institution Cybersecurity). This program provides lower-risk organizations with a simplified set of requirements and a streamlined assessment approach that is easier to understand and implement, and offers third parties—including regulators—appropriate assurances and transparency into their information privacy and security programs, according to HITRUST.
“I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA,” J. Stefan Walker, M.D., physician, Corpus Christi Medical Associates (CCMA), a small five-physician primary care practice in Corpus Christi, Texas, said in a statement. “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”
The CSFBASICs and CSFBASICs Assurance programs are currently in the final phase of piloting and are scheduled for general availability in the third quarter of 2017.
Given the increased risks associated with cyber threats and renewed focus on cyber resilience, HITRUST is further enhancing the CSF and CSF Assurance programs to provide better guidance, assurance and support to organizations, while encouraging a greater focus on cyber resilience within the industry, according to the organization.
“HITRUST is expanding the controls required for HITRUST CSF Certification, from 66 to no more than 75, to enhance its support for an organization’s certification of compliance with the NIST Cybersecurity Framework,” Bryan Cline, M.D., vice president, standards and analytics, HITRUST, said. “CSF Certified organizations will be able to provide both HIPAA and NIST Cybersecurity Framework compliance scorecards based on a single CSF assessment, which are incorporated into the HITRUST CSF Assessment Report.”
There are two HITRUST CSF releases scheduled in 2017. A minor release—CSF v8.1—that was made available on February 6, 2017, and a major release—CSF v9—which is scheduled for July 2017. With the v9 release targeted for July, HITRUST will ensure relevant CSF control requirements are aligned with language in the second release of the OCR’s Audit Protocol. Given the healthcare industry’s increasing reliance on the Cloud, FedRAMP requirements will also be incorporated. The intent is to provide guidance to providers and consumers of Infrastructure as a Service (IaaS) offerings on roles and responsibilities for HITRUST CSF control requirements, and support a targeted assessment and certification approach for IaaS providers.
