HITRUST Develops Security Framework for Small Healthcare Organizations | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

HITRUST Develops Security Framework for Small Healthcare Organizations

March 1, 2017
by Heather Landi
| Reprints
Click To View Gallery

The Health Information Trust Alliance, HITRUST, has announced updates to the HITRUST Common Security Framework (CSF) and a new CSF initiative targeting smaller healthcare organizations to support their information risk management programs and improve their cyber resilience.

Developed by healthcare and IT professionals, the HITRUST CSF helps organizations by providing a privacy and security framework that provides healthcare organizations with a comprehensive, scalable and certifiable approach to regulatory compliance and risk management.

HITRUST has developed CSFBASICs, a streamlined versions of the HITRUST CSF and supporting HITRUST CSF Assurance Program designed to help small and lower-risk healthcare organizations meet otherwise difficult regulatory and risk management requirements.

The organization also announced HITRUST CSF V8.1 with continued enhancements including support for PCI DSS v3.2 and MARS-E v2. In addition, the organization announced HITRUST CSF v9 with continued enhancements including the Department of Health and Human Services Office for Civil Rights (OCR) Audit Protocol v2, FEDRAMP Support for Cloud and IaaS Service Providers and FFIEC IT Examination Handbook for Information Security.

Further, the organization announced its CSF Assurance Program v9, which has been enhanced so that a HITRUST CSF Assessment also includes a National Institute of Standards and Technology (NIST) Cybersecurity Framework certification with auditable documentation in addition to a Health Portability and Accountability Act of 1996 (HIPAA) risk assessment.   

In response to feedback from smaller healthcare organizations looking for a viable means to meet regulatory demands while protecting their business against cyber threats, HITRUST collaborated with the physician community and small businesses to develop and pilot a new program called CSFBASICs (CSF Basic Assurance and Simple Institution Cybersecurity). This program provides lower-risk organizations with a simplified set of requirements and a streamlined assessment approach that is easier to understand and implement, and offers third parties—including regulators—appropriate assurances and transparency into their information privacy and security programs, according to HITRUST.

“I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA,” J. Stefan Walker, M.D., physician, Corpus Christi Medical Associates (CCMA), a small five-physician primary care practice in Corpus Christi, Texas, said in a statement. “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.” 

The CSFBASICs and CSFBASICs Assurance programs are currently in the final phase of piloting and are scheduled for general availability in the third quarter of 2017.

Given the increased risks associated with cyber threats and renewed focus on cyber resilience, HITRUST is further enhancing the CSF and CSF Assurance programs to provide better guidance, assurance and support to organizations, while encouraging a greater focus on cyber resilience within the industry, according to the organization.

“HITRUST is expanding the controls required for HITRUST CSF Certification, from 66 to no more than 75, to enhance its support for an organization’s certification of compliance with the NIST Cybersecurity Framework,” Bryan Cline, M.D., vice president, standards and analytics, HITRUST, said. “CSF Certified organizations will be able to provide both HIPAA and NIST Cybersecurity Framework compliance scorecards based on a single CSF assessment, which are incorporated into the HITRUST CSF Assessment Report.”

There are two HITRUST CSF releases scheduled in 2017. A minor release—CSF v8.1—that was made available on February 6, 2017, and a major release—CSF v9—which is scheduled for July 2017. With the v9 release targeted for July, HITRUST will ensure relevant CSF control requirements are aligned with language in the second release of the OCR’s Audit Protocol. Given the healthcare industry’s increasing reliance on the Cloud, FedRAMP requirements will also be incorporated. The intent is to provide guidance to providers and consumers of Infrastructure as a Service (IaaS) offerings on roles and responsibilities for HITRUST CSF control requirements, and support a targeted assessment and certification approach for IaaS providers. 



Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Analysis: Healthcare Ransomware Attacks Decline in First Half of 2018

In the first half of 2018, ransomware events in major healthcare data breaches diminished substantially compared to the same time period last year, as cyber attackers move on to more profitable activities, such as cryptojacking, according to a new report form cybersecurity firm Cryptonite.

Dignity Health, UCSF Health Partner to Improve the Digital Patient Experience

Dignity Health and UCSF Health are collaborating to develop a digital engagement platform that officials believe will provide information and access to patients when and where they need it as they navigate primary and preventive care, as well as more acute or specialty care.

Report: Digital Health VC Funding Surges to Record $4.9 Billion in 2018

Global venture capital funding for digital health companies in the first half of 2018 was 22 percent higher year-over-year (YoY) with a record $4.9 billion raised in 383 deals compared to the $4 billion in 359 deals in the same time period last year, according to Mercom Capital Group’s latest report.

ONC Roundup: Senior Leadership Changes Spark Questions

The Office of the National Coordinator for Health IT (ONC) has continued to experience changes within its upper leadership, leading some folks to again ponder what the health IT agency’s role will be moving forward.

Media Report: Walmart Hires Former Humana Executive to Run Health Unit

Reigniting speculation that Walmart and insurer Humana are exploring ways to forge a closer partnership, Walmart Inc. has hired a Humana veteran to run its health care business, according to a report from Bloomberg.

Value-Based Care Shift Has Halted, Study Finds

A new study of 451 physicians and health plan executives suggests that progress toward value-based care has stalled. In fact, it may have even taken a step backward over the past year, the research revealed.