Skip to content Skip to navigation

HITRUST Releases 2012 HIT Security Framework

January 12, 2012
by Gabriel Perna
| Reprints

The Health Information Trust Alliance (HITRUST), a Frisco, Texas-based collection of health information technology stakeholders aimed at establishing standards for security, has released version 4.0 of the HITRUST Common Security Framework (CSF) and it updated to the CSF Assurance Program.

The 2012 CSF includes changes and new guidance pertaining to the National Institute of Standards and Technology’s (NIST) 800-53 revision 3 (SP 800-53 r3) and reflects industry recommendations, loss data trend analysis, and input from HITRUST Health Information Exchange and Mobile Device Working Groups.

Updates have been made to the CSF Assurance Program so that the program’s components accurately reflect both regulatory and market dynamics. The CSF certification requirements have been adjusted to provide an appropriate level of information protection and assurance. These changes were made in collaboration with industry experts and after the analysis of healthcare-related cyber-security threats and data losses.

HITRUST provides regular updates to the CSF and CSF Assurance Program with the goal of making sure it remains relevant to the organizations that use its service. It includes federal and state regulations, standards and frameworks such as HIPAA, ISO, NIST and COBIT.  

HITRUST has also performed a comprehensive harmonization between the CSF, HIPAA security rule and NIST SP 800-53 r3 and prepared guidance that provides what it says is a better explanation and substantiation to demonstrate how the CSF controls, which are based on the ISO/IEC 27001 control clauses, map to NIST SP 800-53 r3 and the HIPAA Security Rule. It also provides guidance on how it aligns with HIPAA.  

Other advancements related to the CSF Assurance Program include the availability of an integrated Common Health Information Protection (CHIP) Questionnaire and CSF Compliance Worksheet, as well as new illustrative guidance for the CHIP Questionnaire, clarification of assessment and documentation requirements, and tighter alignment of scoring criteria with NIST’s capability maturity model to better support assessment scoping and execution.

Going forward, in response to industry demand, HITRUST says it will incorporate privacy requirements into the CSF to create an integrated security and privacy framework. Available in December 2012, this transformative enhancement to the CSF will reportedly ensure alignment between healthcare organizations’ security and privacy programs and ensure organizations have an integrated approach for protecting health information. The integrated framework will initially incorporate the new privacy control catalog in the recent release of NIST SP 800-53 r4 as well as changes resulting from ISACA’s release of COBIT 5 in 2012.

Other recent updates to the CSF reflected changes in several regulatory and best practice frameworks such as the Centers for Medicare and Medicaid Services (CMS) Information Security Acceptable Risk Safeguards (ARS), CMS Minimum Security Requirements version 1.0 (CMSR v1.0) and Payment Card Industry Data Security Standard (PCI-DSS) v2.0.



CMS Awards Funding to Special Innovation Projects

The Centers for Medicare & Medicaid Services (CMS) has awarded 20, two-year Special Innovation Projects (SIPs) aimed at local efforts to deliver better care at lower cost.

Center of Excellence in Genomic Science to be Established in Chicago

The National Human Genome Research Institute has awarded $10.6 million over five years for the establishment of a new research center in Chicago to advance genomic science.

EHNAC and HITRUST Combine HIPAA Security Criteria, CSF Framework

The Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) announced plans to streamline their accreditation and certification programs.

Halamka on MACRA Final Rule: “CMS is Listening and I Thank Them”

Health IT notable expert John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center in Boston, recently weighed in on the Medicare Access and CHIP Reauthorization Act (MACRA) final rule.

Texas Patient Care Clinic Hit with Ransomware Attack

Grand Prairie, Texas-based Rainbow Children's Clinic was the victim of a ransomware attack on its IT systems in August, affecting more than 33,000 patients, according to multiple news media reports this week.

Healthcare Organizations Again Go to Bat for AHRQ

Healthcare organizations are once again urging U.S. Senate and House leaders to protect the Department of Health and Human Services’ Agency for Healthcare Research and Quality (AHRQ) from more budget cuts for 2017.