HITRUST Releases New Framework
Update Provides Harmonization for Various Regulations, Standards
HITRUST's updated framework and CSF Assurance Program reflect industry recommendations, loss data trend analysis and input from HITRUST health information exchange and mobile device working groups.
HITRUST is an industry consortium that works in collaboration with healthcare, business, technology and information security leaders. Through that collaboration, it has developed the CSF as a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.
"The CSF makes it possible for organizations to develop and maintain a single information security program that adequately addresses all their requirements and aids in their ability to satisfy their internal information protection assurance obligations and requirements of partners and other third parties," said Daniel Nutkis, chief executive officer, HITRUST, in a statement.
HITRUST's framework provides comprehensive harmonization between the CSF, NIST SP 800-53 r3 and the HIPAA security rule to provide organizations with a "clearer view of how the CSF aligns with other standards and regulations and details how the CSF is the best framework for addressing the specific needs of the healthcare industry," the statement says.
"The harmonization effort was undertaken in response to a common question we receive, which is how does the CSF support my organization's specific requirements under HIPAA," says Bryan Cline, vice president, CSF development and implementation. "The guidance prepared provides clarity around both the actual requirements and how to determine if your organization is meeting them, which is where many standards fall short."
The changes to the framework were made through collaboration with industry experts and analysis of healthcare-related cybersecurity threats and data losses. Twelve controls were added and one removed from the controls required for certification under the 2012 CSF Assurance Program.
Privacy Framework Coming in December
HITRUST will also incorporate privacy requirements into the CSF in order to create an integrated security and privacy framework [see HITRUST Framework to Address Privacy]. The privacy framework, which will be available in December 2012, will ensure better alignment between healthcare organizations' security and privacy programs and ensure organizations have an integrated approach for protecting health information.