HITRUST Expands Programs and Offerings as Adoption Grows
Jan 12, 2012
Frisco, TX – January 12, 2012 – The Health Information Trust Alliance (HITRUST) has released the HITRUST Common Security Framework (CSF) version 4.0 and updates to the CSF Assurance Program. The 2012 CSF includes changes and new guidance pertaining to the National Institute of Standards and Technology’s (NIST) 800-53 revision 3 (SP 800-53 r3) and reflects industry recommendations, loss data trend analysis, and input from HITRUST Health Information Exchange and Mobile Device Working Groups.
Updates have been made to the CSF Assurance Program so that the program’s components accurately reflect both regulatory and market dynamics. The CSF certification requirements have been adjusted to provide an appropriate level of information protection and assurance. These changes were made in collaboration with industry experts and through analysis of healthcare-related cyber-security threats and data losses. Twelve controls were added and one removed from the controls required for certification under the 2012 CSF Assurance Program.
HITRUST provides regular updates to the CSF and CSF Assurance Program to ensure the offerings remain relevant to the organizations that rely upon them to address evolving security requirements and maintain regulatory compliance. With the inclusion of federal and state regulations, standards and frameworks such as HIPAA, ISO, NIST and COBIT, the CSF is a comprehensive and flexible framework that remains sufficiently prescriptive in how control requirements can be scaled and tailored for healthcare organizations of varying types and sizes.
“The CSF makes it possible for organizations to develop and maintain a single information security program that adequately addresses all their requirements and aids in their ability to satisfy their internal information protection assurance obligations and requirements of partners and other third parties,” said Daniel Nutkis, chief executive officer, HITRUST. “The prescriptive guidance coupled with a well-defined assurance methodology has led to the CSF being the most widely-adopted security framework in the U.S. healthcare industry in only four years.”
Availity, a leading health information network that exchanges more than a billion secure transactions per year, became HITRUST CSF Certified in 2011 and finds that CSF certification satisfies the majority of security concerns among the company’s stakeholders. “Our healthcare business partners and customers quickly recognize the value the HITRUST CSF provides, and respect the rigorous process we undertook to become CSF Certified,” said Russ Thomas, chief operating officer, Availity. “Certification removes administrative burden for Availity and our partners—many of whom would otherwise elect to conduct individual audits.”
HITRUST has also performed a comprehensive harmonization between the CSF, the HIPAA Security Rule and NIST SP 800-53 r3, and has prepared guidance that explains and substantiates how the CSF controls, which are based on the ISO/IEC 27001 control clauses, map to NIST SP 800-53 r3 and the HIPAA Security Rule. The guidance gives organizations a clearer view of how the CSF aligns with other standards and regulations and details how the CSF is the best framework for addressing the specific needs of the healthcare industry.
“The harmonization effort was undertaken in response to a common question we receive, which is how does the CSF support my organization’s specific requirements under HIPAA,” said Bryan Cline, PhD, vice president, CSF development and implementation, HITRUST. “The guidance prepared provides clarity around both the actual requirements and how to determine if your organization is meeting them, which is where many standards fall short.”
Other advancements related to the CSF Assurance Program include the availability of an integrated Common Health Information Protection (CHIP) Questionnaire and CSF Compliance Worksheet, as well as new illustrative guidance for the CHIP Questionnaire, clarification of assessment and documentation requirements, and tighter alignment of scoring criteria with NIST’s capability maturity model to better support assessment scoping and execution.
Going forward, in response to industry demand, HITRUST will incorporate privacy requirements into the CSF to create an integrated security and privacy framework. Available in December 2012, this transformative enhancement to the CSF will ensure better alignment between healthcare organizations’ security and privacy programs and ensure organizations have an integrated approach for protecting health information. The integrated framework will initially incorporate the new privacy control catalog in the recent release of NIST SP 800-53 r4 as well as changes resulting from ISACA’s release of COBIT 5 in 2012.
Other recent updates to the CSF reflected changes in several regulatory and best practice frameworks such as the Centers for Medicare and Medicaid Services (CMS) Information Security Acceptable Risk Safeguards (ARS), CMS Minimum Security Requirements version 1.0 (CMSR v1.0) and Payment Card Industry Data Security Standard (PCI-DSS) v2.0.
In addition to continuing to advance the CSF and CSF Assurance Program, HITRUST takes seriously the role it plays in educating information security professionals about information security requirements and in equipping them to lead their organizations in implementing the CSF and in preparing for and conducting assessments. HITRUST is working with academia and other certification organizations to help educate and certify healthcare information security professionals.
To ensure the proper level of education occurs and professional needs are met, HITRUST has updated its Training for Practitioners course to reflect attendee feedback that called for more hands-on learning and real-world application of the curriculum. The new course material includes case studies featuring organizations that have adopted the CSF and conducted CSF assessments.
Also, heading into 2012, HITRUST is seeing expanded interest in and support for the CSF internationally in locales such as Hong Kong, Italy and India and will work closely with other organizations and associations in efforts to support the international adoption of the CSF. Other CSF-related programs for 2012 include providing recommendations around the use of adaptive, risk-based authentication techniques to provide additional flexibility for organizations using strong or two-factor authentication, proposed standards for de-identification of protected health information, and qualifications for the professionals who can certify the de-identification standards.
This year HITRUST will also present HITRUST 2012, a unique event for healthcare information security and privacy professionals charged with advancing the state of information protection within their organizations. During three days of intense learning and exploration on May 7-9 in Dallas-Fort Worth, HITRUST 2012 will feature themes that include risk and compliance, market dynamics, and the implementation of security controls and practices. For more information and to register, visit HITRUST2012.net.
The CSF is available through HITRUST Central free of charge to healthcare organizations and their business associates. A Standard subscription allows access to the CSF as a PDF download as well as several other benefits within the online community. For organizations already familiar with the benefits and functionality of the CSF, HITRUST recommends they upgrade to a Professional subscription, which provides user-friendly access to the CSF, authoritative sources, and all associated tools. For more information on accessing the CSF and a Professional subscription, visit HITRUSTalliance.net/hitrustcentral.
The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit www.HITRUSTalliance.net.
All product and company names herein may be trademarks of their respective owners.