HITRUST Common Security Framework Continues to Advance with Updates for 2011

Comprehensiveness and usability of framework drives increasing adoption

FRISCO, Texas--(BUSINESS WIRE)-- The Health Information Trust Alliance (HITRUST) announced today it will release updates on December 16, 2010, to the HITRUST Common Security Framework (CSF), the most comprehensive and widely-adopted security framework in the U.S. healthcare industry. The updates incorporate additional and revised security requirements as well as recognition of new technologies and security practices.

HITRUST continues to update and enhance the CSF to maintain its relevancy and reflect the results of ongoing collaboration with leading healthcare organizations and other organizations that support the industry. Timely enhancements to the CSF ensure organizations can adapt their security processes as needed so that they may continue to address new assurance requirements such as meaningful use and those unique to the states in which they conduct business. HITRUST considers the impact updates to the CSF have on organizations and evaluates the appropriateness and benefits to be had with any cost or complexities to come from added requirements.

“HITRUST has seen great momentum in the adoption of the CSF in the healthcare industry with more organizations relying on it as a critical component of their security programs,” said Daniel Nutkis, Chief Executive Officer, HITRUST. “We understand and respect the need to maintain its relevancy. HITRUST is privileged to work with leading organizations so that the CSF reflects the contributions of not only our own knowledgeable and dedicated professionals, but also the industry’s leading thinkers and collaborators. By making regular and timely updates to the CSF, we are able to present organizations with everything they need to ensure their programs meet evolving and complex assurance requirements.”

Now in its third version, the CSF is the only all-inclusive security framework available to organizations handling protected health information (PHI). Introduced in early 2009 and developed in collaboration with healthcare, professional services and information technology organizations, the CSF is a comprehensive security framework that incorporates the existing security requirements of healthcare organizations, including federal (e.g., HIPAA, HITECH), state, third party (e.g., PCI and COBIT) and other government agencies (e.g., NIST, FTC and CMS). The framework incorporates new and ongoing security requirements by interpreting emerging risks and changing standards so that organizations can focus their attention and resources on remediation efforts and other critical security initiatives. The CSF is also the foundation of the HITRUST CSF Assurance program, the most widely-used approach for measuring third-party information security assurance in the healthcare industry.

“The availability of the CSF and CSF Assurance program provide BlueCross BlueShield of Tennessee with a practical and common approach to evaluating and verifying our business partners’ capabilities for protecting health information,” said Dr. Robert Mandel, senior vice president of health care services for BlueCross BlueShield of Tennessee. “Our acceptance of assessments conducted under the program enables us and our partners to benefit from reduced costs and complexities associated with meeting compliance requirements. It also ensures our partners are meeting the same requirements as our organization.”

The updates made to the CSF for 2011 incorporate feedback and best practices from the healthcare industry, including input from those organizations that have already adopted the CSF. Enhancements include updates to the CSF requirements and mappings and the integration of the recently released Centers for Medicare and Medicaid Services (CMS) Information Security Acceptable Risk Safeguards (ARS) as an authoritative source.

“These updates continue to refine the CSF, making it more prescriptive, simpler to understand, and ultimately easier to use,” said Chris Hourihan, Manager of CSF Development and Programs, HITRUST. “CMS contractors should realize great gains in their ability to more easily align their organizations and their business associates with the CMS requirements by utilizing the CSF and CSF Assurance program.”

“Lattimore Black Morgan & Cain, PC (LBMC) remains an enthusiastic supporter of HITRUST, and we, along with our customers, are excited to see the continued maturation of the CSF,” said Mark Fulford, partner - risk services/IT assurance, LBMC. “As we assist healthcare organizations with their assurance needs, which includes leveraging the CSF to build a more robust standards-based information security function, these regular updates driven by industry thought leaders help us achieve these goals. The inclusion of new regulatory mandates and relevant emerging security standards in the update process is particularly valuable.”

To assist organizations in adopting and understanding the updates to the CSF, HITRUST will host a webcast on December 16, 2010, from 2:00-3:00 p.m. EST. HITRUST’s Cliff Baker, Chief Strategy Officer, and Chris Hourihan, Manager of CSF Development and Programs, will discuss the impact of the changes to organizations adopting or already using the CSF and conducting CSF assessments. Registration for this webcast is available now for organizations wanting to learn how the CSF and CSF Assurance program can equip their organizations to more effectively address information security requirements. Attendees should register at www.hitrustalliance.net/CSFevent.

The CSF is available through HITRUST Central (HITRUSTcentral.net) free of charge to healthcare organizations and their business associates. Also available in HITRUST Central with a Professional subscription is the CSF Assurance Toolkit, including the CSF Compliance Worksheet, which enables an organization to perform a compliance gap analysis against the requirements of the CSF. The toolkit is also being enhanced with the integration of the CMS ARS controls along with new features such as multi-system support and the ability to assign specific requirements to organizational personnel. To learn more about the HITRUST CSF, visit hitrustalliance.net/csf.

About HITRUST

The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.

All product and company names herein may be trademarks of their respective owners.

HITRUSTMary Hall, 972-330-4919
[email protected]

Source: HITRUST