HITRUST CSF Now Most Widely Adopted Security Control Framework in U.S. Healthcare Industry

The Health Information Trust Alliance (HITRUST) announced that more than 50 percent of hospitals and 70 percent of health plans with more than 500,000 members are utilizing the HITRUST Common Security Framework (CSF). In addition, the number of organizations undergoing HITRUST CSF assessments is increasing at the same time that a growing number of healthcare organizations have committed to accepting the assessment results as a means of evaluating their business associates' capabilities for protecting health information. The CSF Assurance program, through which the assessments are conducted, was created in response to the information security challenges and inefficiencies associated with evaluating compliance with various regulations and proprietary third party assessment approaches. The program has also become the most widely-used approach for measuring third-party information security assurance in the healthcare industry.

HITRUST has begun to issue CSF Validated and CSF Certified reports, which organizations can use to report the state of their information security to multiple internal and external parties (e.g., state and federal agencies, HIOs, customers, healthcare organizations, business associates). Many healthcare organizations have agreed to accept the CSF assessment results in lieu of proprietary third-party information security assessments as a way to evaluate and verify their business partners' capabilities for protecting health information. This comes at a critical time with the recent amendments to the HIPAA rules extending applicability directly to business associates and subcontractors, requiring greater due diligence on their part and the parts of covered entities.

"We are very pleased with the rate of adoption of the CSF and CSF Assurance program," said Daniel Nutkis, Chief Executive Officer, HITRUST. "We are also very satisfied with the progress organizations are making in achieving CSF Certified status. The controls established to become CSF Certified in 2010 are those deemed critical based on analysis of breach data to mitigate risk and minimize loss. The actions being taken indicate progress being made in the industry toward greater information protection."

"As an organization that is committed to protecting the health information of our patients and customers, AtlantiCare utilizes the CSF Assurance program to evaluate the capability and willingness of our business partners to meet our extremely high information security standards," said Brian Selfridge, CISSP, Information Security Officer, AtlantiCare. "Knowing our business partners have achieved CSF Validated or CSF Certified status is a reassurance that we can trust them to access, store and exchange protected information securely and with thoughtful concern for our patients' privacy."

The CSF Assurance program helps all organizations in healthcare manage compliance spending while also facilitating trust and transparency around information security. Organizations participating in the CSF Assurance program, either as healthcare organizations or business associates, are able to focus their often limited resources on remediation and monitoring activities instead of the ongoing management of complex, proprietary approaches to compliance measurement and reporting.

"To facilitate the development of a robust information security program that meets regulatory requirements and satisfies meaningful use criteria, we chose to adopt the HITRUST CSF rather than one of the more generic standards such as ISO/IEC 27002," said Bryan Cline, Ph.D., Director, Information Security, Catholic Health East. "Knowing our partners are meeting those same requirements signifies to us that adequate controls are in place to significantly reduce the risk of breaches. Having confidence in our business partners' ability to protect personal health information is critical to the success of our business."

"Having a standard, efficient approach for delivering security assurance among third parties alleviates some of the challenges and complexities inherent with protecting health information and adhering to federal, state and other third-party regulations and requirements," said Cliff Baker, Chief Strategy Officer, HITRUST. "It has been HITRUST's goal from the beginning to provide the industry with the guidance and tools needed to advance the state of healthcare information protection while creating efficiencies and cost savings. The continued adoption of the CSF and increase in CSF assessments tells us we are meeting the needs of the industry."

As part of the CSF Assurance program, HITRUST offers tools and processes to aid organizations in assessing and reporting against the CSF. The CSF Assurance Toolkit serves as a practical means for an organization to perform a self assessment or undergo an assessment conducted by a CSF Assessor. Included in the toolkit is the Common Health Information Protection (CHIP) Questionnaire, which takes an innovative, new approach over traditional check-box assessments by focusing on the key measures that will reflect the maturity of a security program and highlight control weaknesses that are most likely to result in a breach.

To learn more about the HITRUST CSF Assurance program, visit HITRUSTalliance.net/assurance. About HITRUST The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.

All product and company names herein may be trademarks of their respective owners.