Written by HITRUST Independent Security Journalist Sean Martin.
Get ready for more comprehensive compliance and risk management — with less work. HITRUST is putting the finishing touches on the HITRUST CSF v9 and corresponding updates to the HITRUST CSF Assurance Program, with this latest iteration of both expected in July 2017.
If there is one overarching message for the v9 release, it’s enabling healthcare organizations of all sizes and business models to do more with the HITRUST CSF by expanding the mappings of the CSF to additional protocols and frameworks.
HITRUST, in conjunction with its HITRUST CSF Advisory Council, has worked closely with the industry to make improvements to existing parts of the CSF. In addition, the new HITRUST CSF and HITRUST CSF Assurance Program releases integrate and harmonize other industry and regulatory standards, including:
HITRUST CSF Assurance:
- National Institute of Standards and Technology Cybersecurity Framework: HITRUST CSF Assessments will incorporate controls related to the NIST Cybersecurity Framework (NIST CsF), and the HITRUST CSF Assessment Report will include an appendix showing how the assessed controls map to the NIST CsF. In addition, organizations obtaining HITRUST CSF Certification will also receive a NIST CsF Certification (note that NIST itself does not certify organizations against the framework; this certification is issued through the HITRUST program).
- Office for Civil Rights Audit Protocol: Updated in April 2016, the HHS OCR Audit Protocol is the procedure OCR uses to assess whether organizations are meeting the HIPAA Privacy, Security and Breach Notification Rules. The audit protocol applies to both covered entities and business associates.
- Federal Risk and Authorization Management Program: FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, including those used by healthcare services and their vendors and providers.
- Federal Financial Institutions Examination Council’s IT Examination Handbook: The FFIEC IT Examination Handbook sets out uniform standards and report forms for the Federal examination of financial institutions. This alignment focuses on the Handbook’s information security requirements.
- Department of Homeland Security’s Cyber Resilience Review: The CRR is a free, voluntary and non-technical assessment to evaluate an organization’s resilience and cybersecurity practices. It is closely aligned with the NIST CsF framework.
In addition, the v9 releases were influenced by the new HITRUST Threat Catalogue. This exciting HITRUST initiative aligns real-world cyber threats with CSF risk factors and controls. The HITRUST Threat Catalogue will begin impacting the HITRUST CSF with the v9 release, and will be more fully integrated with HITRUST CSF v10, due to be released in 2018.
CSFBASICs Coming Soon to a Small Practice Near You
While not officially part of the CSF and CSF Assurance Program updates, HITRUST is releasing a major iteration of its small business security program, renamed CSFBASICs, in the same timeframe. BASICs stands for “Basic Assurance and Simple Institution Cybersecurity.”
Currently being piloted, CSFBASICs will help small, low-risk organizations adopt a serious, HIPAA-compliant cybersecurity and assurance program. Although CSFBASICs is based on the HITRUST CSF, the requirements and assurance processes are streamlined to help smaller, lower-risk organizations demonstrate compliance and manage risk with less effort. HITRUST is in the final phase of piloting CSFBASICs and elements of its associated CSFBASICs Assurance Program, and estimates both will be generally available later this year.
“I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA,” said Dr. J. Stefan Walker with Corpus Christi Medical Associates (CCMA), a five-physician primary care practice in Texas. “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”
Want to learn more? Be sure to read the blog Finding the Cure: HITRUST Simplifies Cybersecurity Compliance for Small Medical Practices.
A Standardized Approach
The HITRUST CSF is the most widely adopted information privacy and security framework for healthcare organizations, and provides them with a comprehensive, scalable and certifiable approach to regulatory compliance and risk management. The popular HITRUST CSF Assurance Program helps organizations streamline the compliance process by allowing them to assess once and report against multiple sets of requirements. The result: less time and money spent on assurance and demonstrating compliance.