HITRUST Releases 2012 HIT Security Framework

June 24, 2013
The Health Information Trust Alliance (HITRUST), a Frisco, Texas-based collection of health information technology stakeholders aimed at establishing standards for security, has released version 4.0 of the HITRUST Common Security Framework (CSF) along with updates to the CSF Assurance Program.

The 2012 CSF includes changes and new guidance pertaining to the National Institute of Standards and Technology’s (NIST) 800-53 revision 3 (SP 800-53 r3) and reflects industry recommendations, loss data trend analysis, and input from HITRUST Health Information Exchange and Mobile Device Working Groups.

Updates have been made to the CSF Assurance Program so that the program’s components accurately reflect both regulatory and market dynamics. The CSF certification requirements have been adjusted to provide an appropriate level of information protection and assurance. These changes were made in collaboration with industry experts and after the analysis of healthcare-related cyber-security threats and data losses.

HITRUST provides regular updates to the CSF and CSF Assurance Program with the goal of ensuring they remain relevant to the organizations that use its service. The CSF incorporates federal and state regulations, standards and frameworks such as HIPAA, ISO, NIST and COBIT.

HITRUST has also performed a comprehensive harmonization between the CSF, the HIPAA Security Rule and NIST SP 800-53 r3, and has prepared guidance that, it says, better explains and substantiates how the CSF controls, which are based on the ISO/IEC 27001 control clauses, map to NIST SP 800-53 r3 and the HIPAA Security Rule. The guidance also describes how the CSF aligns with HIPAA.

Other advancements related to the CSF Assurance Program include the availability of an integrated Common Health Information Protection (CHIP) Questionnaire and CSF Compliance Worksheet, as well as new illustrative guidance for the CHIP Questionnaire, clarification of assessment and documentation requirements, and tighter alignment of scoring criteria with NIST’s capability maturity model to better support assessment scoping and execution.

Going forward, in response to industry demand, HITRUST says it will incorporate privacy requirements into the CSF to create an integrated security and privacy framework. Available in December 2012, this transformative enhancement to the CSF will reportedly ensure alignment between healthcare organizations’ security and privacy programs and ensure organizations have an integrated approach for protecting health information. The integrated framework will initially incorporate the new privacy control catalog in the recent release of NIST SP 800-53 r4 as well as changes resulting from ISACA’s release of COBIT 5 in 2012.

Other recent updates to the CSF reflected changes in several regulatory and best practice frameworks such as the Centers for Medicare and Medicaid Services (CMS) Information Security Acceptable Risk Safeguards (ARS), CMS Minimum Security Requirements version 1.0 (CMSR v1.0) and Payment Card Industry Data Security Standard (PCI-DSS) v2.0.
