Healthcare Informatics Magazine | Health IT | Information Technology

HITRUST Releases 2012 HIT Security Framework

January 12, 2012
by Gabriel Perna

The Health Information Trust Alliance (HITRUST), a Frisco, Texas-based coalition of health information technology stakeholders aimed at establishing standards for security, has released version 4.0 of the HITRUST Common Security Framework (CSF) along with updates to the CSF Assurance Program.

The 2012 CSF includes changes and new guidance pertaining to the National Institute of Standards and Technology’s (NIST) 800-53 revision 3 (SP 800-53 r3) and reflects industry recommendations, loss data trend analysis, and input from HITRUST Health Information Exchange and Mobile Device Working Groups.

Updates have been made to the CSF Assurance Program so that the program’s components accurately reflect both regulatory and market dynamics. The CSF certification requirements have been adjusted to provide an appropriate level of information protection and assurance. These changes were made in collaboration with industry experts and after the analysis of healthcare-related cyber-security threats and data losses.

HITRUST provides regular updates to the CSF and CSF Assurance Program with the goal of making sure it remains relevant to the organizations that use its service. It incorporates federal and state regulations, standards and frameworks such as HIPAA, ISO, NIST and COBIT.

HITRUST has also performed a comprehensive harmonization of the CSF, the HIPAA Security Rule and NIST SP 800-53 r3, and has prepared guidance that, it says, better explains and substantiates how the CSF controls, which are based on the ISO/IEC 27001 control clauses, map to NIST SP 800-53 r3 and the HIPAA Security Rule. It also provides guidance on how the CSF aligns with HIPAA.

Other advancements related to the CSF Assurance Program include the availability of an integrated Common Health Information Protection (CHIP) Questionnaire and CSF Compliance Worksheet, as well as new illustrative guidance for the CHIP Questionnaire, clarification of assessment and documentation requirements, and tighter alignment of scoring criteria with NIST’s capability maturity model to better support assessment scoping and execution.

Going forward, in response to industry demand, HITRUST says it will incorporate privacy requirements into the CSF to create an integrated security and privacy framework. Available in December 2012, this transformative enhancement to the CSF will reportedly ensure alignment between healthcare organizations’ security and privacy programs and ensure organizations have an integrated approach for protecting health information. The integrated framework will initially incorporate the new privacy control catalog in the recent release of NIST SP 800-53 r4 as well as changes resulting from ISACA’s release of COBIT 5 in 2012.

Other recent updates to the CSF reflected changes in several regulatory and best practice frameworks such as the Centers for Medicare and Medicaid Services (CMS) Information Security Acceptable Risk Safeguards (ARS), CMS Minimum Security Requirements version 1.0 (CMSR v1.0) and Payment Card Industry Data Security Standard (PCI-DSS) v2.0.
