HITRUST
The Health Information Trust Alliance, or HITRUST, is a privately held company located in the United States that, in collaboration with healthcare, technology and information security leaders, has established a Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data. The CSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards.
Executive Council
HITRUST is led by a management team and governed by an Executive Council made up of leaders from across a variety of industries. These leaders represent the governance of the organization, but other founders also take part in the leadership to ensure the framework meets the short- and long-term needs of the entire industry.
Executive Council members represent the following organizations:
- Anthem, Inc.
- Express Scripts, Inc.
- Health Care Service Corporation
- Highmark
- Hospital Corporation of America
- Humana Inc.
- IMS Health
- Kaiser Permanente
- McKesson Corporation
- UnitedHealth Group
- Walgreens
Common Security Framework (CSF)
The HITRUST Common Security Framework (CSF) is a framework that seeks to normalize the security control implementations of healthcare organizations across federal (e.g., ARRA and HIPAA), state (e.g., Massachusetts), third-party (e.g., PCI and COBIT) and government (e.g., NIST, FTC and CMS) requirements. The CSF is not a new standard; rather, it attempts to unify the control requirements of many disparate standards such as PCI, HIPAA, etc. The CSF supplements the existing controls with the industry knowledge and leading practices of HITRUST’s community and provides the clarity and consistency lacking in many standards and regulations.
Development of the CSF
The ongoing development of the CSF is overseen by the HITRUST Executive Council, which is composed of leaders from a variety of industry segments with expertise in healthcare and information security. The initial development of the CSF occurred throughout 2008 prior to the release of the first version in March 2009. The initial development group consisted of security professionals from:
- Security vendors
- Technology and IT infrastructure organizations
- Professional services firms
- Healthcare providers
- Health plans
- Pharmacies and PBMs
- Medical device manufacturers
- Information networks and clearinghouses
Organization of the CSF
The CSF has the following components:
Implementation Requirement Levels
Each control specification includes multiple levels (1, 2 and 3) of implementation requirements, which are the details that support the implementation of the control in meeting the control objective. The implementation requirement levels relate to the degree of restrictiveness for a particular control. HITRUST leveraged the concept adopted by the National Institute of Standards and Technology’s Computer Security Division for the Special Publication 800 Series security standards (i.e., NIST 800-53). Level 1 is the minimum set of security requirements for all systems and organizations regardless of size, sophistication, or complexity. Level 2 and Level 3 are required only for organizations and systems of increased risk and complexity, as determined by the associated organization and system factors. For example, with respect to password controls, six-character passwords would be a lower level of control compared with two-factor authentication at a higher level. The levels are also designed to account for the increased requirements of the varying standards and regulations that comprise the CSF. For example, where HIPAA is in almost every instance met at level 1, NIST 800-53 is both more comprehensive and more detailed and thus is generally captured in the level 2 or 3 requirements.
Alternate Controls
HITRUST has also defined an alternate control process to allow for the temporary adoption of standardized Alternate Controls for systems (e.g., medical devices and applications) that cannot meet the CSF’s requirements. If an Alternate Control is not yet defined in the CSF, any organization can propose a solution to appropriately mitigate the risk of a control failure. This process is closely integrated into the CSF, and any approved Alternate Controls are made available to the entire industry to provide for the standard adoption of accepted short- and long-term compensating strategies.
Availability
The HITRUST CSF is available by subscribing to HITRUST Central, the managed online community for healthcare information security professionals. A Standard subscription, which includes access to the core CSF, is available at no charge to individuals from qualified organizations (as defined by HITRUST), and Professional subscriptions are available for an annual fee based on organization type.
CSF Assurance
The HITRUST CSF Assurance program provides compliance assessment and reporting for HIPAA, HITECH, state and business associate requirements by leveraging the CSF. Under the CSF Assurance program, organizations can perform an assessment against the requirements of the CSF either proactively or reactively, in response to a request from a relying entity. This single assessment gives an organization insight into its state of compliance against the various requirements incorporated into the CSF, and it can be used in lieu of proprietary requirements and processes for validating third-party compliance. The program includes the risk management oversight and assessment methodology governed by HITRUST and designed for the unique regulatory and business needs of the healthcare industry.