HITRUST Common Security Framework Matures with Enhancements for 2010
<< All Press Releases

Date: February 1, 2010

Updates to industry’s most widely-adopted framework reflect new regulations and user experiences

Feb 1, 2010

Frisco, TX – February 1, 2010 – The Health Information Trust Alliance (HITRUST) announced today enhancements to the HITRUST Common Security Framework (CSF), the healthcare industry framework for protecting health information. The 2010 version of the CSF reflects updated requirements and references to the HITECH Act interim final rule, the addition of certification control requirements, and improved tools and templates to apply the CSF to an organization or system, as well as other enhancements based on industry feedback. Introduced in 2009 and developed in collaboration with healthcare, professional services and information technology organizations, the CSF is a comprehensive security framework that incorporates the existing security requirements of healthcare organizations, including federal (e.g., HIPAA, HITECH), state, third party (e.g., PCI and COBIT) and other government agencies (e.g., NIST, FTC and CMS). The CSF is available at no charge through HITRUST Central (HITRUSTcentral.net).

“The CSF is a dynamic, prescriptive framework that not only adapts quickly to changes in regulatory standards and requirements, but also incorporates feedback from the organizations adopting it, ensuring its continued relevance to the healthcare industry and the organizations that rely on it to lessen the cost and burden of their compliance efforts,” said Daniel Nutkis, Chief Executive Officer, HITRUST. “By continually refining the CSF, HITRUST provides healthcare organizations and their business associates ample time to implement changes necessary to address assurance requirements effectively.”

HITRUST is committed to providing regular updates to the CSF so that it remains current to the needs of the organizations adopting it. The guidance and best practices incumbent in the CSF will continue to be refined based on those elements that present the greatest security risks to organizations. The current updates include a number of changes such as the addition of certification control requirements to protect against Web application vulnerabilities, improve password strength and management, and manage electronic media and hard copy destruction in accordance with the guidance associated with HITECH. The enhancements to the CSF come at a critical time as state health information exchanges look for guidance in securing their environments and those of organizations connecting into them.

“A common struggle for healthcare organizations is maintaining compliance with a myriad of dynamic regulatory requirements,” said Brian Selfridge, Chief Information Security Officer, AtlantiCare Health System. “The CSF traces specific controls back to these requirements and interprets them for us in a way that is directly applicable to our organization. By providing us with a holistic view of risk-management procedures, including physical security, business continuity, and regular updates, we can look to the CSF as a key component of our long-term security and privacy strategy.”

The CSF also serves as a fundamental component to the HITRUST CSF Assurance program, which provides healthcare organizations and their business associates with a common approach to managing security assessments and reporting their results. Organizations adopting the CSF and taking part in the CSF Assurance program benefit from a streamlined, cost-efficient compliance process and a consistent, incremental approach to assessing and reporting compliance to multiple constituents.

“The healthcare community can truly benefit from a risk-oriented framework that provides a prescriptive approach to implementing and managing an effective security and privacy program,” said Cal Slemp, managing director and global leader for Security and Privacy Services for Protiviti, a global business consulting and internal audit firm and a HITRUST CSF Assessor. “The CSF provides a practical, consistent and cost-effective solution. The continual refinement of the CSF ensures its real-world relevance and value as the healthcare industry moves forward with the adoption of electronic health records and health information systems and exchanges.”

The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.


All product and company names herein may be trademarks of their respective owners.

Media Contact
Mary Hall

Chat Now

This is where you can start a live chat with a member of our team