If I’ve already adopted the HITRUST CSF, does that mean I’ve adopted the NIST Cybersecurity Framework?
Yes, you are well on your way: the HITRUST Risk Management Framework (RMF), consisting of the HITRUST CSF, the CSF Assurance Program and the related methods and tools, is the foundation for a model implementation of the NIST CsF in the private sector.
Since the NIST CsF lacks the prescriptive controls an organization needs in order to implement the framework, HITRUST gives organizations implementing the NIST CsF a single, comprehensive, prescriptive, yet tailorable control framework with which to meet their business objectives. The HITRUST CSF also helps organizations satisfy multiple regulatory and other compliance requirements, including the standards and implementation specifications of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and ultimately meet industry-recognized due care and due diligence requirements for the adequate protection of health information.
By implementing the HITRUST RMF, organizations automatically implement the NIST CsF recommendations and meet the cyber resilience objectives specified by the NIST CsF Subcategories.
For more information on how the HITRUST CSF is used to support an organization’s implementation of the NIST Cybersecurity Framework, see the Healthcare Sector Cybersecurity Framework Implementation Guide, Version 1.1.
For more information on the HITRUST CSF, see the Introduction to the HITRUST CSF, and the HITRUST CSF Framework FAQ.
For more information on HIPAA, see the HIPAA Administrative Simplification Regulation Text for 45 CFR Parts 160, 162, and 164 (Unofficial Version, as amended through March 26, 2013).