HITRUST Common Security Framework Updates

The Health Information Trust Alliance (HITRUST) maintains the most widely adopted privacy and security framework in the United States. Earlier this month, it announced that it has updated the HITRUST Common Security Framework (CSF). It also launched a new CSF initiative designed specifically to help small healthcare organizations protect their PHI against cyberattacks and other breaches.

Healthcare organizations follow the HITRUST CSF to improve their risk management and compliance efforts. For many smaller healthcare organizations, however, following the framework is simply not viable. The full HITRUST CSF requires a great deal of dedicated staff time and expertise, and smaller healthcare organizations often lack the human resources needed to implement such a security program. While smaller healthcare organizations may, in general, be at lower risk of cyberattack, they also have fewer plausible security options.

Given that the risks are lower, and that complying with HIPAA already consumes many of their resources, HITRUST has developed a simpler, streamlined framework. It states that this more compact framework is far better suited to small healthcare organizations and should offer them an improvement in cybersecurity.

The new framework, called CSF Basic Assurance and Simple Institution Cybersecurity, or CSFBASICs for short, has a more streamlined assessment approach than the “full” framework. It is also easier to understand and implement, yet will still help smaller healthcare organizations with their risk management and compliance efforts.

To develop the pilot CSFBASICs program, HITRUST collaborated with small businesses and the physician community. The pilot is now in its final phase, and HITRUST expects to make the CSFBASICs program widely available by Q3 2017.

Dr. J. Stefan Walker of Corpus Christi Medical Associates (CCMA), a Corpus Christi, TX-based five-physician primary healthcare practice, explained the problem, “I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA.” Walker went on to say, “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”

In addition to the CSFBASICs program, HITRUST has announced enhancements to its HITRUST CSF (v8.1 and v9) along with the supporting HITRUST CSF Assurance Program (v9). The updates include new guidance, better assurance and support for healthcare organizations to help them deal with the increase in cyber threats and to improve resilience against those threats.

HITRUST (and the HITRUST CSF Advisory Council) sought input from healthcare industry stakeholders on potential changes and updates to the framework. Working with these stakeholders, it designed several improvements to implement in the framework. These improvements have been commended by members of the healthcare community who have already had the opportunity to test the updates.

HITRUST CSF v8.1, which was made available on February 6, 2017, includes updated content and support for PCI DSS v3.2 and MARS-E v2. The CSF Assurance Program v9 has been enhanced so that the HITRUST CSF Assessment also includes a NIST Cybersecurity Framework certification, a HIPAA risk assessment and auditable documentation.

The HITRUST CSF v9 update includes the latest OCR Audit Protocol (v2), FedRAMP support for cloud and IaaS service providers, and the FFIEC IT Examination Handbook for Information Security. The updated version is not expected to be available until July 2017. This gives HITRUST time to introduce the new requirements gradually alongside the current program. It aims to ensure that the changes do not add excessively to the complexity of the framework and thereby make it difficult for staff to use in full.