Acceptance and Utilization Driven by Security Risks Posed by Business Associates
Feb 7, 2012
Frisco, TX – February 7, 2012 – The Health Information Trust Alliance (HITRUST) announced today that the HITRUST CSF Assurance Program, based on the HITRUST Common Security Framework (CSF), continues to be the most widely utilized program for assessing the security posture of business associates and managing third-party compliance. The CSF Assurance Program provides multiple benefits to both healthcare organizations and their business associates by offering a common and efficient approach to managing security assessments associated with multiple and varied assurance requirements.
“Our analysis continues to find that business associates pose the greatest information security risk to healthcare organizations,” said Bryan Cline, PhD, vice president, CSF development and implementation, HITRUST. “The CSF Assurance Program allows for a very practical and manageable process for covered entities to ensure their business associates are complying with appropriate security practices without subjecting their business associates to a proprietary, complex and often confusing assessment.”
Organizations seeking an established, efficient and cost-effective approach for meeting regulatory requirements such as HIPAA and meaningful use are using the CSF Assurance Program to conduct risk assessments that achieve this goal as well as satisfy their own internal requirements to improve the protection of personal health information. In addition, organizations are finding they can also provide the same assessment report to external parties such as business partners and health information exchanges (HIEs), eliminating the need to perform separate assessments for each business relationship.
“HITRUST believes in order for an assurance program to be successful, an ‘assess once and report many’ approach supported by an information security framework with a well-defined and accepted methodology must be utilized,” said Daniel Nutkis, chief executive officer, HITRUST. “This approach has been crucial to the adoption and acceptance of the CSF Assurance Program. With the CSF assessment reports now being broadly accepted by health plans, provider organizations and now HIEs, we are starting to see this approach driving real costs out of the system by minimizing the number of unique assessment requests.”
The continuing adoption of the CSF has led to an increase in the number of healthcare organizations participating in the CSF Assurance Program, which in turn has led to a rise in the number of healthcare organizations requiring their business partners be assessed against the CSF. Organizations, including providers, insurers and service providers, continue to obtain CSF Certified status, demonstrating the industry’s ability to meet the requirements and commitment to protecting health information.
“The CSF is a very important part of Humana’s overall risk assessment program, which includes our business partners,” said Jon Moore, chief information security officer, Humana Inc. “The CSF and its normalized set of security and privacy controls from state, federal and industry compliance authorities is a logical ‘go-to’ framework for all healthcare organizations. Attempting to align with the numerous regulations on one’s own is a very daunting and inefficient approach. The quality and value return from aligning with the CSF makes good business sense and provides all types and sizes of healthcare organizations with an opportunity to optimize their security and privacy compliance.”
HITRUST remains committed to responding to ongoing regulatory updates, evolving market dynamics and industry feedback that lead to regular updates being made to the CSF and CSF Assurance Program. Recent updates to the program include enhancements to the certification requirements and the CSF Assurance Kit, which serves as the only practical means for an organization to perform a self assessment focused on healthcare and scoped and tailored to their individual needs, or undergo an assessment conducted by a third party. The Kit includes the CSF Assessment Tool featuring the newly integrated CSF Compliance Worksheet and Common Health Information Protection (CHIP) Questionnaire and optional templates for scoping an environment and managing a test plan.
HITRUST provides guidance to organizations seeking to adopt the CSF and participate in the CSF Assurance Program. This year HITRUST will present HITRUST 2012, a unique event for healthcare information security and privacy professionals charged with advancing the state of information protection within their organizations. During three days of intense learning and exploration on May 7-9 in Dallas-Fort Worth, HITRUST 2012 will feature themes that include risk and compliance, market dynamics, and the implementation of security controls and practices. To view the recently released agenda and to register, visit HITRUST2012.net.
Resource materials are available through HITRUST Central free of charge to healthcare organizations and their business associates. A Standard subscription allows access to the CSF as a PDF download as well as several other benefits within the online community. For organizations already familiar with the benefits and functionality of the CSF, HITRUST recommends they upgrade to a Professional subscription, which provides user-friendly access to the CSF, authoritative sources, and all associated tools, including the CSF Assurance Kit. For more information on accessing the CSF and a Professional subscription, visitHITRUSTalliance.net/hitrustcentral.
The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit www.HITRUSTalliance.net.
All product and company names herein may be trademarks of their respective owners.