HITRUST Plans Enhancements to Assessment Methodology and Revises Scope of CSF to Include Additional Authoritative Sources for Year-End Release
Aug 11, 2011
Frisco, TX – August 11, 2011 – The Health Information Trust Alliance (HITRUST) announced today it will include privacy requirements in an integrated security and privacy framework available in December 2012. This transformative enhancement to the existing framework will ensure better alignment between healthcare organizations’ security and privacy programs and ensure organizations have an integrated approach for protecting health information. HITRUST also announced updates to the 2012 Common Security Framework (CSF) (version 4.0) due for release at the end of 2011, with enhancements to its assessment methodology that will provide more prescriptive guidance and ensure greater consistency and efficiency of assessments.
“HITRUST has always recognized that security and privacy are highly integrated and that the healthcare industry would benefit tremendously from a single security and privacy framework,” said Daniel Nutkis, Chief Executive Officer, HITRUST. “With NIST specifically addressing privacy in the next revision of 800-53 and the increasing adoption of the CSF, we believe the timing is appropriate for HITRUST to include privacy requirements in a comprehensive and integrated security and privacy framework. With this addition, organizations will benefit from improved and simplified guidance to protect sensitive information, meet their obligations under the HIPAA Privacy and Security Rules, and satisfy meaningful use.”
The maturing and widespread adoption of the CSF continues to make it the most comprehensive and widely-adopted security framework in the U.S. healthcare industry. The CSF provides the needed structure, clarity, functionality and cross-references to authoritative sources that enables organizations to maintain regulatory compliance. HITRUST’s commitment to maintaining the relevancy and currency of the CSF eliminates the need for organizations to dedicate time and resources to creating their own framework.
“It is of critical importance that Baylor Health Care System has access to the most current and comprehensive information security guidance and controls, and HITRUST has demonstrated we can rely on the continued relevancy and flexibility of the CSF,” said Michael Frederick, Chief Information Security Officer, Baylor Health Care System. “I can depend on HITRUST to ensure the CSF remains applicable to the industry by regularly updating the CSF to incorporate new regulations and best practices; therefore, I don’t have to dedicate Baylor’s internal security resources to developing and maintaining a security framework.”
Updates to the 2012 CSF (version 4.0) are being driven by regulatory changes, lessons learned, and evolving market dynamics such as those associated with Health Information Exchanges (HIEs), cloud computing and mobile devices. These updates, available in December 2011, will include changes and new guidance pertaining to NIST SP 800-53 revision 3 and the AICPA guide titled “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy” (SOC 2). Updates associated with the Payment Card Industry Data Security Standard (PCI DSS) version 2.0 are now available in the CSF (version 3.2).
Also influencing updates to the CSF is HITRUST’s involvement with numerous states to develop a national model for HIE security and requirements for participants. HIEs introduce new exposures to the healthcare industry based on the proliferation of protected health information among a large number of third-party organizations.
“The State of Tennessee has been actively engaged with HITRUST and other states in the development of the information security requirements for HIEs and their participants,” said Keith Cox, Chief Executive Officer, Health Information Partnership for Tennessee. “Although a large undertaking, we believe our involvement has been valuable in helping to develop a model that can be adopted nationally.”
In addition to the CSF updates, HITRUST will be making enhancements to its assessment methodology and the CSF Assurance Toolkit, both of which are components of the CSF Assurance program. HITRUST believes it is crucial that consistency is maintained in the performance of CSF assessments and is working on providing additional guidance to healthcare organizations and HITRUST CSF Assessors around the procedures performed during assessments.
“The additional guidance will provide clearer and more specific procedures relative to reviews, sampling and testing, and will help ensure consistency of findings, irrespective of the firm performing the assessment,” said Ken Vander Wal, Chief Compliance Officer, HITRUST. This also allows healthcare organizations and business associates to better prepare for a CSF assessment. These enhanced assessment procedures will be available in December 2011 for Professional subscribers to HITRUST Central.
The CSF Assurance Toolkit, used by an organization conducting a self-assessment or being assessed by a HITRUST CSF Assessor, includes new features that allow for greater linking between components, enhanced filtering, and using assessment results for trending and analysis. These updates are available now to Professional subscribers.
The CSF is available through HITRUST Central free of charge to healthcare organizations and their business associates. A Standard subscription allows access to the CSF as a PDF download as well as several other benefits within the online community. For organizations already familiar with the benefits and functionality of the CSF, HITRUST recommends they upgrade to a Professional subscription, which provides user-friendly access to the CSF, authoritative sources, and all associated tools, including the CSF Assurance Toolkit. For more information on accessing the CSF and a Professional subscription, visit HITRUSTalliance.net/hitrustcentral.
For more information on the updates to the 2012 CSF, visit HITRUST Central.
The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit www.HITRUSTalliance.net.