Governance & Risk Management , HIPAA/HITECH , Risk Assessments

HITRUST Releases Streamlined Security Framework

'CSF Basics' Aimed at Resource-Strapped Smaller Organizations
HITRUST Releases Streamlined Security Framework

The Health Information Trust Alliance is making available a streamlined version of its Common Security Framework for use by smaller healthcare providers with fewer resources and less mature security programs.

See Also: Critical Differences Between HIPAA Security Evaluations and Risk Analysis

HITRUST CSF is a risk and compliance management framework designed for use by any organization that creates, accesses, stores or exchanges personal health and financial information.

In addition, HITRUST has made available a minor update to its current CSF version 8; it plans to issue a major upgrade in July with the new CSF version 9.

Less Complex for Smaller Entities?

Dan Nutkis, president of HITRUST, says CSF Basics, the streamlined version of CSF for smaller healthcare entities, such as clinics, is less complex to implement.

For instance, the current version of HITRUST CSF contains "over a thousand individual information security requirements and hundreds of individual privacy requirements that could be applied to an organization's information protection program based on multiple risk factors, such as the total number of individual records it holds or the regulatory requirements to which it is subject," he says.

By comparison, the new, streamlined CSF Basics program, "leverages the HIPAA Security Rule's flexibility of approach provisions to create a 'good hygiene' approach to information security and privacy for smaller, more resource-constrained healthcare entities that generally present relatively low inherent risk," he says.

Under the CSF Basics program, smaller organizations need to focus on 76 information security controls and 33 privacy controls to address their obligations under the HIPAA security, data breach notification and privacy rules "and provide an appropriate level of due diligence and due care consistent with NIST, SBA and HHS recommendations for small healthcare entities," Nutkis explains.

Also, unlike a HITRUST CSF Certification under the CSF Assurance Program - which primarily addresses security - certification under CSF Basics covers both security and privacy, he points out.

"Assessment and certification under the CSF Basics Assurance Program are much simpler and less expensive than under the traditional CSF Assurance Program," Nutkis adds. "First, there are fewer requirements to assess. Second, only three levels of maturity are evaluated for each control, as the organization's continuous monitoring program is specifically addressed by one of the 76 information security controls."

The pricing for CSFBASICs is not finalized, but the proposed cost for a CSFBASICs report is $1,000, says a HITRUST spokeswoman. "Organizations will not have to use a CSF Assessor firm [for a CSFBasics assessment], just a Certified CSF Practitioner," she says.

Choosing Frameworks

A recently released 2016 study by security vendor Symantec and the Healthcare Information and Management Systems Society found that of healthcare sector organizations that have implemented a security framework for HIPAA-based assessments, the National Institute of Standards and Technology cybersecurity framework was the most commonly used, followed by HITRUST CSF.

Phil Curran, CISO of Cooper Health in Camden, N.J., which uses HITRUST CSF, says any size healthcare organization needs to implement some sort of security framework. "Just like larger organizations, smaller organizations are mandated to implement controls to maintain the confidentiality, integrity and availability of patient information," he says.

"Without seeing the streamlined [CSF] version, I cannot say if [many] smaller organizations will implement the framework. I do know that smaller organizations with limited resources can find the CSF intimidating and may be hesitant to implement the framework."

Curt Kwak, CIO of Proliance Surgeons, a large surgical practice in Washington state, stresses that protecting patient privacy should be a priority for all providers, no matter their size. "Perhaps the smaller healthcare provider can look to scale the level of [framework] implementation according to their resources and patient data risk profile."

Although federal regulators often promote the use of the NIST cybersecurity framework, Kwak says there are pros and cons in healthcare organizations choosing to embrace NIST versus the CSF.

"My opinion is that either framework should work as they are both very rigorous and difficult to implement. However, with both HIPAA and HITRUST CSF being more aligned toward protection of ePHI and PHI, effort toward HITRUST CSF would be more fruitful for healthcare organizations in general."

Kwak says Proliance Surgeons conducts annual internal control assessments and audits according to the NIST framework, "but we generally follow closely the guidelines within the HIPAA Security Rule and we continue to involve ourselves in reviewing the HITRUST CSF to cover any details around our engagement with the state health information exchange, as well as any data exchange/interface risks."

In the Works

In addition to the new CSF offerings, Nutkis says HITRUST also plans this year to issue:

  • Updates for the CyberAid program to help physician group practices with less than 75 employees to address growing cyber risks and information protection challenges;
  • A new HITRUST Assessment Exchange to enable the sharing of CSF assessment information between organizations in an automated manner;
  • Additional findings from the Enhanced Cyber Threat Information Sharing program. HITRUST shares cyberthreat information through the HITRUST CTX with organizations in the healthcare sector as well as other industries.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.