HITRUST updates CSF for Stage 2 MU, unveils assessment tool improvements
The Health Information Trust Alliance (HITRUST) has announced updates to its Common Security Framework (CSF) related to Stage 2 meaningful use, mobile devices and more. It has also unveiled new enhancements to its CSF assessment tool.
As part of its mission to drive better information security practice in the healthcare industry, the HITRUST Alliance developed the CSF as a certifiable framework that can be used by all organizations that create, access, store or exchange personal health and financial information.
The CSF assessment tool enables healthcare organizations to more easily perform and manage CSF assessments, track compliance with greater scalability and efficiency, and receive better information security benchmarking data.
The newest updates to the tool "were made in recognition of the fact that better assessment guidance is needed to ensure more accurate results," said Daniel Nutkis, chief executive officer, HITRUST. "This improved approach will allow organizations of all types and sizes to streamline the assessment process and track their remediation progress, with the support of a community of experienced and skilled professionals that include HITRUST CSF Assessors and Certified CSF Practitioners.”
The Web-based MyCSF tool – which will be available in January 2013 – features the full integration of the CSF and authoritative sources, improved workflow and navigation, and creates a consistent process to support scoping assessments, say HITRUST officials.
The MyCSF View feature of the tool offers users searchable online access and customized views of the CSF based on multiple factors. It allows an organization to capture its unique risk information to scope its environment and only view the applicable CSF controls in an intuitive and efficient manner.
HITRUST officials say the tool's customizable interface also allows users to benefit greatly from the ability to easily create dashboards and reports via simple drag-and-drop that will help them quickly identify areas of strengths and weaknesses and allow them to track their compliance in real-time. This will offer organizations a complete picture of their current state of compliance, point the way toward the remediation efforts needed and help them report their progress against the CSF and the variety of regulations and standards it incorporates.
The CSF tool also helps produce more accurate and relevant benchmarking data, officials point out. Organizations will be able to evaluate their progress compared to other organizations both at a macro-level and a more granular level, drilling down to individual controls. Because the data is based on the standard approach of the CSF, the output offers a more reliable, consistent and accurate view of where an organization stands against its peers and within the industry -- above and beyond what is available from other sources.
“HITRUST worked with RSAM, a leading provider of Governance, Risk, and Compliance (GRC) software solutions, to enhance RSAM’s existing offering to deliver a solution that is the foundation for the HITRUST MyCSF solution,” said Nutkis. “We are pleased to offer the healthcare industry a solution that provides more consistent and accurate results for organizations committed to advancing the state of information protection.”
The 2013 version of CSF will include updates relating to Stage 2 meaningful use, and incorporate new standards and regulations, including NIST SP 800-53 revision 4, Texas House Bill 300, the CORE security requirements, and a mapping to relevant COBIT 5 controls, officials say.
Enhancements are also being made in areas relating to mobile devices, cloud security, data and device encryption, and third party assurance. Many of the improvements to the CSF stem from industry feedback, recommendations from HITRUST Working Groups, and lessons learned from breach data analysis, say HITRUST officials.