CSF Assurance Program Adoption Key to More Effective Third-Party Risk Management in the Healthcare Industry

Date: June 29, 2015

Additional 7,500 business associates required to obtain CSF Certification within 24 months

Frisco, TX—June 29, 2015: The Health Information Trust Alliance (HITRUST) is announcing today an expansion of the healthcare industry’s use of the CSF Assurance program in support of efforts to manage the third-party assurance process efficiently and effectively. An increasing number of healthcare organizations will now require their business associates within the healthcare industry to obtain CSF Certification within the next 24 months. The CSF Assurance Program is already the assessment approach most widely adopted by healthcare organizations and business associates to evaluate and communicate their information privacy and security posture.

Healthcare organizations are recognizing the increasing cyber threats targeting their business associates and the significance of the role those associates play, and are acknowledging the systemic risk that interconnected companies across the health industry pose.

Many healthcare organizations have been leveraging the HITRUST CSF Assurance program as part of their third-party assurance process. Historically, each organization has determined which aspects of the program it would utilize, ranging from accepting CSF Assessment reports to requiring a CSF Certification. Recently, a growing number of healthcare organizations, including Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group, have begun requiring that their business associates obtain CSF Certification as a means of demonstrating effective security and privacy practices aligned with the requirements of the health industry. As a result, an additional 7,500 organizations that do not currently hold a CSF Certification will need to obtain one within the next 24 months.

“Teaming up with HITRUST has enabled us to provide athenahealth Marketplace partners with a third-party verification of security integrity, irrespective of their size,” said Kyle Armbrester, chief product officer, athenahealth. “This makes it easier for partners, particularly startups, to prove value, while assuring clients that information is secure.”

A business associate or partner can receive hundreds of unique requests per year for some form of information protection assessment or attestation of their security and privacy controls. These assessments require considerable resources in trained personnel and operational dollars. The complexities, risks and costs associated with the current processes used by covered entities and their business associates to review security programs as well as the inherent cost to the health industry resulting from competing and uncoordinated approaches have been widely recognized for some time. The CSF Assurance program is the first comprehensive and coordinated effort to address these challenges and to adopt, in a meaningful manner, a unified approach to third-party assurance.

“The HITRUST CSF allows healthcare organizations to gauge their—and their business associates’—information security programs’ maturity across a spectrum of assurance levels that go beyond HIPAA level requirements,” said Mohamed Ayad, industry specialist, U.S. Health and Life Sciences, Microsoft. “To this end, Microsoft is once again leading the charge, empowering healthcare organizations to move faster to the cloud, in particular, to Office 365. Partnering with a certified HITRUST assessor, Microsoft has undergone an assessment based on the requirements of the HITRUST CSF for Office 365.”

While many covered entities are leveraging the CSF Assurance program, an increasing number of business associates are also requesting that their CSF Assurance reports be accepted by the healthcare organizations they do business with, in an effort to minimize the duplication, costs and inefficiencies resulting from the current multitude of assessment requests. These dynamics are driving more efficient and effective third-party risk management and further adding to the wide-scale adoption of the HITRUST CSF and CSF Assurance Program within the healthcare industry.

The CSF and the CSF Assurance programs offer a highly flexible implementation and management framework for healthcare information protection by providing a standardized way of scaling and tailoring security and privacy safeguards based on an organization’s specific risk factors. The CSF and CSF Assurance program enable an “assess once, report many” approach, so organizations can implement one set of controls and conduct a single assessment that supports reporting for numerous purposes, such as HIPAA, the NIST Cybersecurity Framework, SOC 2, MARS-E or other standards and regulations.

“Conducting numerous non-standard assessments, which has been the historical approach, creates unnecessary economic burden in healthcare,” said Trent Gavazzi, chief technology officer, Availity. “The HITRUST CSF Assurance program standardizes healthcare security assessments and obtaining a CSF Certification simplifies the process further, which brings a balance to the industry. We value that effort since it complements our mission to make meaningful, sustainable improvements in healthcare.”

“The HITRUST CSF has become the information protection framework for the health care industry, and the CSF Assurance program is bringing a new level of effectiveness and efficiency to third-party assurance,” said Daniel Nutkis, chief executive officer, HITRUST. “The CSF Certification is now the benchmark that organizations required to safeguard PHI are measured against with regards to information protection.”

For more information on the CSF Assurance Program, visit HITRUSTalliance.net/thirdparty.
Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST—in collaboration with public and private healthcare technology, privacy and information security leaders—has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry.

For more information, visit www.HITRUSTalliance.net.