What is HITRUST?

The HITRUST Common Security Framework (CSF) was developed to address the many security, privacy and regulatory obligations facing healthcare organizations. It was written by healthcare and IT professionals to give organizations an efficient and prescriptive set of controls for meeting the security requirements of HIPAA, and it harmonizes the healthcare-relevant regulations and standards into a single overarching framework. An important part of the “What is HITRUST” answer is understanding that the CSF is both risk-based and compliance-based: an organization selects its control baseline, and the vendor management program it follows, according to its organization type, size, the systems it operates and the regulations it is subject to, rather than applying one fixed list of controls to everyone.

Why does HITRUST matter?

There are several reasons why HITRUST is important to the healthcare industry:

  1. HITRUST is the most widely adopted security framework in the U.S. healthcare industry. It gives covered entities and their Business Associates a common, industry-wide way to demonstrate and manage compliance, instead of each customer issuing its own questionnaire.
  2. HITRUST is required by some major payers. On February 8, 2016, five major healthcare payers issued a letter to their business associates stating that they would need to comply with the HITRUST CSF within two years. As a result, companies must ask themselves “what is HITRUST going to require” and “what changes will we need to make to achieve and maintain our certification”.
  3. HITRUST is updated regularly. The framework is revised so that healthcare organizations using it are prepared when new regulations are issued and new security risks emerge. It is among the most frequently updated security frameworks in use, with quarterly updates and annual changes to the assessment requirements. Organizations that keep pace with the CSF are therefore measured against a current control set; note, however, that a certification attests to conformance with those controls at the time of assessment, not to the absence of vulnerabilities, so it complements rather than replaces ongoing testing and monitoring.

Where did the HITRUST CSF come from?

The development of the CSF drew on nationally and internationally accepted standards. Today the HITRUST CSF is a comprehensive framework that incorporates, harmonizes and cross-references existing, widely recognized standards, regulations and business requirements, including HIPAA, HITECH, NIST (notably the SP 800-53 control catalog), ISO/IEC 27001 and 27002, PCI DSS, FTC requirements, COBIT and relevant state laws. In practice this means a single HITRUST control can be traced to the corresponding requirement in each of these sources, so one assessment can produce evidence for several obligations at once.

What is HITRUST able to do to help protect against cyberattacks?

HITRUST is one of the most actively maintained security standards that offers a certification. It evolves according to user input and changing conditions in the healthcare industry and in the overall regulatory environment, with major revisions issued on an annual cycle and interim updates in between. As needs change, the HITRUST CSF changes with it. For example, the CSF is revised based on feedback from the community and on an updated set of cross-references and security requirements, which, among other sources, can include HIPAA’s Privacy and Security Rules and the National Institute of Standards and Technology’s (NIST) Special Publications. What this provides against cyberattacks is a current, prescriptive control baseline (access control, logging, vulnerability management, incident response and the like) and an independent assessment that the controls are in place; the framework itself does not stop an attack, so its value depends on the controls actually being implemented and operated, not merely documented.