HITRUST’s common security framework becomes critical

In an effort to stem the loss of protected health information (PHI) via business associates, leading healthcare organizations will increasingly require their business associates to participate in the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) Assurance Program and submit CSF assessment reports as part of their information protection programs. That is the view of Daniel Nutkis, chief executive officer, HITRUST.

“Since the number of combined business associates providing services to healthcare organizations requiring the CSF Assurance Program is in the tens of thousands, we believe the efficiencies and cost-savings they realize will help influence others and provide the momentum needed to improve adoption in the industry,” he said.

The CSF and the CSF Assurance Program offer the only highly flexible implementation and management framework for healthcare information protection by providing a standardized way of scaling and tailoring safeguards based on an organization’s specific risk factors. Organizations also have the ability to implement alternate approaches to address specific threats and vulnerabilities, and employ a standardized methodology for assessment and reporting that is easily understood by both the requesting organization and the business partner being assessed.

The program has been welcomed by healthcare organizations and their business associates.

“As a business associate for many healthcare organizations, we receive numerous requests for information security assessment-related information, much of which consists of varying detail and reporting formats, and it takes up a significant amount of time to respond effectively,” said Kurt Hagerman, director of information security, FireHost. “The CSF Assurance Program, on the other hand, provides the context and uniformity needed to communicate the same information, assurance level and remediation guidance with one assessment and meet all of our customers’ needs.”