HITRUST recognized the global nature of healthcare and the need to gain assurances around the protection of covered information from non-U.S. business associates, which led to the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, being used as the foundation upon which the CSF controls were built. ISO/IEC 27001:2005 provides an international standard for the implementation and maintenance of an information security management system (ISMS), with high-level controls designed to suit almost any organization, in any industry and in any country.
HITRUST then incorporated much of the high-level baseline (later reduced to moderate) from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 revision 2, Recommended Security Controls for Federal Information Systems, into the CSF. Although the NIST controls were designed specifically for U.S. government agencies, both ISO/IEC 27001 and NIST SP 800-53 provide information security controls that are applicable to a broad scope of environments and organizations. ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management, was also used to provide additional prescription. While neither addresses the specific needs of any single industry, both ISO and NIST discuss the application of their frameworks in a healthcare setting in separate documents: ISO/IEC 27799:2008, Health informatics – Information security management in health using ISO/IEC 27002, and NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, respectively. Elements of ISO/IEC 27799 were incorporated into the original CSF published in 2009, and NIST SP 800-66 helped guide subsequent revisions. Additional sources considered relevant to healthcare, such as HIPAA and the Payment Card Industry Data Security Standard (PCI-DSS), were also integrated into the 2009 framework.
A detailed set of risk factors was then developed to support scaling and tailoring of the CSF to different types and sizes of organizations, system- and data-related exposures, and regulatory obligations. The intent was to help HITRUST determine relative risks and capabilities so that organizations could be assigned an appropriate control baseline.
The actual baselines were created by (1) dividing the consolidated requirements amongst up to three levels per control, with references to the authoritative sources provided for each level, and (2) assigning criteria for one or more of the three risk factors (organizational, system and regulatory) at each level. Organizations could then be assigned a scaled and tailored set of controls based on their individual risk factors as scoped to their particular needs, e.g., generally across their organization in support of an enterprise risk management program or targeted to specific business units, systems or regulatory requirements.
The CSF is structured along the lines of ISO 27001:2005 with its 11 control clauses (or categories), but adds a control category to address implementation of an Information Security Management Program, similar to the ISMS of ISO 27001:2005, and another category to address risk management in particular. HITRUST also added a 14th control category to address specific privacy practices, such as those required by HIPAA and described by NIST, that are not otherwise addressed in the previous 13 categories. The CSF is organized into the following components:
- Control Categories: Topical information protection areas
- Control Objectives: States the desired result or purpose of what is to be achieved
- Control Specifications: The policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management or legal nature to meet the Control Objective
- Control Implementation Requirements: Detailed information to support the implementation of the control and meeting the Control Objective. Multiple levels (1, 2, and 3) of Implementation Requirements may be defined depending on an organization’s or system’s environment and risks. Level 1 is the set of minimum security controls defined for an information system. Any additional, but related, functionality to a Level 1 control, and/or an increase in the strength of a Level 1 control, is placed in Level 2; and any additional, but related, functionality to a Level 2 control, and/or an increase in the strength of a Level 2 control, is placed in Level 3.
- Standard Mapping: The cross-reference between each Implementation Requirement level and the requirements and controls of other common standards and regulations
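The baseline-tailoring mechanism described above (up to three cumulative levels per control, each level triggered by criteria on the organizational, system or regulatory risk factors) can be modelled as follows. This is an added illustration, not HITRUST's own data or tooling: the control identifier, requirement text, risk-factor thresholds and profile fields are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

# A profile carries one value per risk factor named on the page; the concrete
# fields and thresholds below are constructed for this example, not HITRUST's.
Profile = dict


@dataclass
class Level:
    number: int                                    # 1, 2 or 3
    requirements: list[str]                        # what this level adds to the one below
    criteria: list[Callable[[Profile], bool]] = field(default_factory=list)

    def triggered(self, profile: Profile) -> bool:
        # Level 1 carries no criteria: it is the minimum set for every system.
        return self.number == 1 or any(c(profile) for c in self.criteria)


@dataclass
class Control:
    spec_id: str
    levels: list[Level]

    def applicable_level(self, profile: Profile) -> int:
        """Highest level whose risk-factor criteria the profile satisfies."""
        return max(lvl.number for lvl in self.levels if lvl.triggered(profile))

    def requirements(self, profile: Profile) -> list[str]:
        """Levels are cumulative: Level 2 builds on Level 1, Level 3 on Level 2."""
        n = self.applicable_level(profile)
        ordered = sorted(self.levels, key=lambda lvl: lvl.number)
        return [r for lvl in ordered if lvl.number <= n for r in lvl.requirements]


# Constructed control with a placeholder identifier and illustrative criteria.
EXAMPLE_CONTROL = Control("CTRL-EXAMPLE", [
    Level(1, ["enforce minimum password length"]),
    Level(2, ["enforce password complexity and history"],
          criteria=[lambda p: p["organizational"] >= 50_000,   # e.g. records held
                    lambda p: p["system"] == "internet"]),      # externally reachable
    Level(3, ["require multi-factor authentication"],
          criteria=[lambda p: "PCI-DSS" in p["regulatory"]]),   # regulatory obligation
])


def tailor(control: Control, profile: Profile) -> tuple[int, list[str]]:
    """Return the assigned level and the full cumulative requirement set."""
    return control.applicable_level(profile), control.requirements(profile)
```

A regulatory trigger alone lifts the control to Level 3, and the Level 1 and Level 2 requirements still apply because each level builds on the one below it.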
There are 135 control specifications with associated implementation requirements (referred to simply as “controls”) that cover security and some privacy-related requirements and 14 controls that cover specific privacy practices in the CSF.