HITRUST Releases New Framework

Update Provides Harmonization for Various Regulations, Standards
The Health Information Trust Alliance has released its Common Security Framework version 4.0, which includes changes that account for federal and state regulations as well as standards and frameworks such as HIPAA, ISO, NIST and COBIT.

HITRUST's updated framework and CSF Assurance Program reflect industry recommendations, loss data trend analysis and input from HITRUST health information exchange and mobile device working groups.

HITRUST is an industry consortium that works in collaboration with healthcare, business, technology and information security leaders. Through that collaboration, it has developed the CSF as a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.

"The CSF makes it possible for organizations to develop and maintain a single information security program that adequately addresses all their requirements and aids in their ability to satisfy their internal information protection assurance obligations and requirements of partners and other third parties," said Daniel Nutkis, chief executive officer, HITRUST, in a statement.

HITRUST's framework provides comprehensive harmonization between the CSF, NIST SP 800-53 r3 and the HIPAA security rule to provide organizations with a "clearer view of how the CSF aligns with other standards and regulations and details how the CSF is the best framework for addressing the specific needs of the healthcare industry," the statement says.

"The harmonization effort was undertaken in response to a common question we receive, which is how does the CSF support my organization's specific requirements under HIPAA," says Bryan Cline, vice president, CSF development and implementation. "The guidance prepared provides clarity around both the actual requirements and how to determine if your organization is meeting them, which is where many standards fall short."

The changes to the framework were made through collaboration with industry experts and analysis of healthcare-related cybersecurity threats and data losses. Twelve controls were added and one removed from the controls required for certification under the 2012 CSF Assurance Program.

Privacy Framework Coming in December

HITRUST will also incorporate privacy requirements into the CSF in order to create an integrated security and privacy framework [see HITRUST Framework to Address Privacy]. The privacy framework, which will be available in December 2012, will ensure better alignment between healthcare organizations' security and privacy programs and ensure organizations have an integrated approach for protecting health information.


About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



