HITRUST makes updates to Common Security Framework

By Molly Merrill
09:56 AM

The Health Information Trust Alliance has updated the HITRUST Common Security Framework (CSF) to reflect new regulations and user experiences.

The 2010 version of the CSF reflects updated requirements and references to the HITECH Act interim final rule, the addition of certification control requirements, and improved tools and templates to apply the CSF to an organization or system, as well as other enhancements based on industry feedback, said officials.

The HITRUST Common Security Framework Assurance Program provides healthcare organizations and their business associates with a common approach to managing security assessments. The program leverages the HITRUST CSF, a comprehensive security framework that incorporates the existing security requirements of healthcare organizations, including federal, state, third party (e.g., PCI and COBIT) and other government agencies (e.g., NIST, FTC and CMS).

"The CSF is a dynamic, prescriptive framework that not only adapts quickly to changes in regulatory standards and requirements, but also incorporates feedback from the organizations adopting it, ensuring its continued relevance to the healthcare industry and the organizations that rely on it to lessen the cost and burden of their compliance efforts," said Daniel Nutkis, chief executive officer of HITRUST. "By continually refining the CSF, HITRUST provides healthcare organizations and their business associates ample time to implement changes necessary to address assurance requirements effectively."

The current updates include a number of changes such as the addition of certification control requirements to protect against Web application vulnerabilities, improve password strength and management, and manage electronic media and hard copy destruction in accordance with the guidance associated with HITECH. 

"The healthcare community can truly benefit from a risk-oriented framework that provides a prescriptive approach to implementing and managing an effective security and privacy program," said Cal Slemp, managing director and global leader for security and privacy services for Protiviti, a global business consulting and internal audit firm and a HITRUST CSF Assessor. "The CSF provides a practical, consistent and cost-effective solution. The continual refinement of the CSF ensures its real-world relevance and value as the healthcare industry moves forward with the adoption of electronic health records and health information systems and exchanges."

Officials said the enhancements to the CSF come at a critical time as state health information exchanges look for guidance in securing their environments and those of organizations connecting into them.

"A common struggle for healthcare organizations is maintaining compliance with a myriad of dynamic regulatory requirements," said Brian Selfridge, chief information security officer of AtlantiCare Health System based in Egg Harbor Township, N.J.

"The CSF traces specific controls back to these requirements and interprets them for us in a way that is directly applicable to our organization. By providing us with a holistic view of risk-management procedures, including physical security, business continuity, and regular updates, we can look to the CSF as a key component of our long-term security and privacy strategy," said Selfridge.