HITRUST announced yesterday an expansion of the healthcare industry’s use of the CSF Assurance program in support of efforts to efficiently and effectively manage third-party risk. A growing number of healthcare organizations, including Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group will now require their business associates to obtain CSF Certification as a means of demonstrating effective security and privacy practices aligned with the requirements of the healthcare industry. This will require an additional 7,500 organizations that do not currently have a CSF Certification do so within the next 24 months.

There is no question that every healthcare organization that stores or exchanges PHI or other sensitive information with a business associate must ensure that information is appropriately and effectively safeguarded. Organizations are imposing a CSF Certification requirement, in part, because of the growing number of breaches involving third-party vendors including some of the recent cyber-related breaches.

At the same time, it is important organizations not introduce redundant and inconsistent assessment requirements on business associates. Doing so only increases costs and inefficiencies and distracts resources that could be monitoring and remediating information protection safeguards.

The HITRUST CSF and CSF Assurance programs are the most widely adopted security controls framework and assurance methodology for organizations that process PHI. We want to encourage organizations that are not currently leveraging these programs to strongly consider the benefits both to covered entities and business associates by reducing overall industry security risks and costs. To learn more about how to get started, visit the HITRUST Alliance Third Party page or send a note to info@hitrustalliance.net.