The Health Information Trust Alliance (HITRUST) is slated to release updates on Dec. 16 to its Common Security Framework (CSF), which officials say is the most comprehensive and widely adopted security framework in the U.S. healthcare industry.
The updates incorporate additional and revised security requirements as well as recognition of new technologies and security practices.
Officials said timely enhancements to the CSF ensure organizations can adapt their security processes as needed so that they may continue to address new assurance requirements such as meaningful use and those unique to the states in which they conduct business.
"HITRUST has seen great momentum in the adoption of the CSF in the healthcare industry with more organizations relying on it as a critical component of their security programs," said Daniel Nutkis, chief executive officer, HITRUST.
"We understand and respect the need to maintain its relevancy," said Nutkis. "HITRUST is privileged to work with leading organizations so that the CSF reflects the contributions of not only our own knowledgeable and dedicated professionals, but also the industry's leading thinkers and collaborators. By making regular and timely updates to the CSF, we are able to present organizations with everything they need to ensure their programs meet evolving and complex assurance requirements."
Now in its third version, the CSF is an all‐inclusive security framework available to organizations handling protected health information (PHI). Introduced in early 2009 and developed in collaboration with healthcare, professional services and information technology organizations, the CSF is a comprehensive security framework that incorporates the existing security requirements of healthcare organizations, including federal (e.g., HIPAA, HITECH), state, third party (e.g., PCI and COBIT) and other government agencies (e.g., NIST, FTC and CMS). The CSF is also the foundation of the HITRUST CSF Assurance program, which measures third‐party information security assurance in the healthcare industry.
"The availability of the CSF and CSF Assurance program provides BlueCross BlueShield of Tennessee with a practical and common approach to evaluating and verifying our business partners' capabilities for protecting health information," said Robert Mandel, senior vice president of healthcare services for BlueCross BlueShield of Tennessee. "Our acceptance of assessments conducted under the program enables us and our partners to benefit from reduced costs and complexities associated with meeting compliance requirements. It also ensures our partners are meeting the same requirements as our organization."
The updates made to the CSF for 2011 incorporate feedback and best practices from the healthcare industry, including input from those organizations that have already adopted the CSF. Enhancements include updates to the CSF requirements and mappings and the integration of the recently released Centers for Medicare and Medicaid Services (CMS) Information Security Acceptable Risk Safeguards (ARS) as an authoritative source.
"These updates continue to refine the CSF, making it more prescriptive, simpler to understand, and ultimately easier to use," said Chris Hourihan, manager of CSF development and programs, HITRUST. "CMS contractors should realize great gains in their ability to more easily align their organizations and their business associates with the CMS requirements by utilizing the CSF and CSF Assurance program."
"As we assist healthcare organizations with their assurance needs, which includes leveraging the CSF to build a more robust standards‐based information security function, these regular updates driven by industry thought leaders help us achieve these goals," added Mark Fulford, partner – risk services/IT assurance, Lattimore Black Morgan & Cain, PC (LBMC). "The inclusion of new regulatory mandates and relevant emerging security standards in the update process is particularly valuable."
To assist organizations in adopting and understanding the updates to the CSF, HITRUST will host a webcast on Dec. 16 from 2:00‐3:00 p.m. EST.


