Although HITRUST specifically provides for significant tailoring of the CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. An organization should not apply the CSF broadly unless it is scoped and tailored to the specific types of information, systems and/or business and clinical units requiring protection. However, given the relatively uncontrolled sprawl of ePHI in many healthcare organizations, the CSF can, and should, be applied broadly, since HIPAA security requirements must be addressed anywhere ePHI is “created, received, maintained or transmitted” (45 CFR § 164.306(a)(1)).

Even so, an organization can scope the CSF more narrowly, in much the same way as the PCI-DSS, by limiting the sprawl of the information requiring protection. This can be done by ensuring that workflows requiring the use of ePHI are understood and that uses are restricted to the minimum necessary, as required under HIPAA. Information assets and data flows containing ePHI can also be isolated from other asset and data flow types, e.g., through network segmentation.
For more information, refer to the CSF Assessment Methodology and the Risk Analysis Guide for HITRUST Organizations and Assessors.