The Health Information Trust Alliance (HITRUST), a Frisco, Texas-based collection of health information technology stakeholders aimed at establishing standards for security, has released version 4.0 of the HITRUST Common Security Framework (CSF) and it updated to the CSF Assurance Program.
The 2012 CSF includes changes and new guidance pertaining to the National Institute of Standards and Technology’s (NIST) 800-53 revision 3 (SP 800-53 r3) and reflects industry recommendations, loss data trend analysis, and input from HITRUST Health Information Exchange and Mobile Device Working Groups.
Updates have been made to the CSF Assurance Program so that the program’s components accurately reflect both regulatory and market dynamics. The CSF certification requirements have been adjusted to provide an appropriate level of information protection and assurance. These changes were made in collaboration with industry experts and after the analysis of healthcare-related cyber-security threats and data losses.
HITRUST provides regular updates to the CSF and CSF Assurance Program with the goal of making sure it remains relevant to the organizations that use its service. It includes federal and state regulations, standards and frameworks such as HIPAA, ISO, NIST and COBIT.
HITRUST has also performed a comprehensive harmonization between the CSF, HIPAA security rule and NIST SP 800-53 r3 and prepared guidance that provides what it says is a better explanation and substantiation to demonstrate how the CSF controls, which are based on the ISO/IEC 27001 control clauses, map to NIST SP 800-53 r3 and the HIPAA Security Rule. It also provides guidance on how it aligns with HIPAA.
Other advancements related to the CSF Assurance Program include the availability of an integrated Common Health Information Protection (CHIP) Questionnaire and CSF Compliance Worksheet, as well as new illustrative guidance for the CHIP Questionnaire, clarification of assessment and documentation requirements, and tighter alignment of scoring criteria with NIST’s capability maturity model to better support assessment scoping and execution.
Going forward, in response to industry demand, HITRUST says it will incorporate privacy requirements into the CSF to create an integrated security and privacy framework. Available in December 2012, this transformative enhancement to the CSF will reportedly ensure alignment between healthcare organizations’ security and privacy programs and ensure organizations have an integrated approach for protecting health information. The integrated framework will initially incorporate the new privacy control catalog in the recent release of NIST SP 800-53 r4 as well as changes resulting from ISACA’s release of COBIT 5 in 2012.
Other recent updates to the CSF reflected changes in several regulatory and best practice frameworks such as the Centers for Medicare and Medicaid Services (CMS) Information Security Acceptable Risk Safeguards (ARS), CMS Minimum Security Requirements version 1.0 (CMSR v1.0) and Payment Card Industry Data Security Standard (PCI-DSS) v2.0.