Customizable Tool Provides Simpler and More Consistent Approach for Managing CSF Assessments, Tracking Compliance, and Benchmarking
Dec 19, 2012
Frisco, TX – December 19, 2012 – The Health Information Trust Alliance (HITRUST) is announcing continuing updates to the HITRUST Common Security Framework (CSF), the most widely-adopted security framework in the U.S. healthcare industry, to ensure the framework remains relevant and practical for those organizations that rely upon it to manage their information protection programs.
Along with the annual updates to the CSF, HITRUST is announcing significant enhancements to the CSF assessment tool, which will enable healthcare organizations to more easily perform and manage CSF assessments, track overall compliance with greater scalability and efficiency, and receive improved information security benchmarking data. With the enhanced tool and other CSF-related services, HITRUST offers the most efficient approach to regulatory compliance and risk management around privacy and security.
“HITRUST offers comprehensiveness, scalability and simplicity within a single framework – built for healthcare – that is now supported by a full-featured and user-friendly tool that streamlines the CSF assessment and compliance process,” said Daniel Nutkis, chief executive officer, HITRUST. “The most recent updates were made in recognition of the fact that better assessment guidance is needed to ensure more accurate results. This improved approach will allow organizations of all types and sizes to streamline the assessment process and track their remediation progress, with the support of a community of experienced and skilled professionals that include HITRUST CSF Assessors and Certified CSF Practitioners.”
MyCSF, the web-based tool available in January 2013, features full integration of the CSF and authoritative sources along with improved workflow and navigation, and creates an enhanced and consistent process to support scoping assessments. The MyCSF View feature of the tool will provide users with fully searchable online access and customized views of the CSF based on multiple factors. MyCSF View will allow an organization to capture its unique risk information to scope its environment and only view the applicable CSF controls in an intuitive and efficient manner.
The customizable interface also allows users of the tool to benefit greatly from the ability to easily create dashboards and reports via simple drag-and-drop that will help them quickly identify areas of strengths and weaknesses and allow them to track their compliance in real-time. Organizations will now not only have a complete picture of their current state of compliance, but also the support and direction needed to lead their remediation efforts and report their progress against the CSF and the variety of regulations and standards it incorporates.
Another major enhancement for those organizations using the CSF in their security programs is the ability for the tool to produce more accurate and relevant benchmarking data. Organizations will be able to evaluate their progress compared to other organizations both at a macro-level and a more granular level, drilling down to individual controls. Because the data is based on the standard approach of the CSF, the output offers a more reliable, consistent and accurate view of where an organization stands against its peers and within the industry – above and beyond what is available from other sources.
“HITRUST worked with RSAM, a leading provider of Governance, Risk, and Compliance (GRC) software solutions, to enhance RSAM’s existing offering to deliver a solution that is the foundation for the HITRUST MyCSF solution,” said Nutkis. “We are pleased to offer the healthcare industry a solution that provides more consistent and accurate results for organizations committed to advancing the state of information protection.”
The 2013 CSF will include updates relating to Stage 2 Meaningful Use requirements, and incorporate new standards and regulations, including NIST SP 800-53 revision 4, Texas House Bill 300, the CORE security requirements, and a mapping to relevant COBIT 5 controls. Enhancements are also being made in areas relating to mobile devices, cloud security, data and device encryption, and third party assurance. Many of the improvements to the CSF stem from industry feedback, recommendations from HITRUST Working Groups, and lessons learned from breach data analysis. The 2013 release of the CSF will include a revision list outlining updates that have been made, and HITRUST will conduct a webinar in January to review the enhancements.
HITRUST is also moving ahead with the incorporation of privacy requirements into the CSF to create an integrated security and privacy framework that will ensure better alignment between healthcare organizations’ security and privacy programs. In conjunction with the release of the 2013 CSF in January, HITRUST will release a draft set of privacy controls for public comment. Following the comment period, HITRUST will revise the controls and integrate changes into the CSF for a future release.
In addition to the other updates, HITRUST will release in early 2013 detailed illustrative procedures to provide standardized, industry-approved audit and assessment guidance to HITRUST CSF Assessors, covered entities and business associates. These updates and others to the HITRUST CSF Assurance Program will result in more consistency among assessments.
The CSF is available through HITRUST Central free of charge to healthcare organizations and their business associates. For more information on accessing the CSF, visit HITRUSTalliance.net/hitrustcentral. MyCSF is part of a Professional subscription to HITRUST Central and pricing is available by contacting HITRUST at 469-269-1110 or sales@HITRUSTalliance.net. Organizations who currently have a Professional subscription to HITRUST Central will gain access to the MyCSF tool for the remainder of their subscription.
The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.