The Health Information Trust Alliance exists to ensure that information security becomes a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.
HITRUST collaborated with healthcare, business, technology, and information security leaders and established the Common Security Framework (CSF) to be used by any and all organizations that create, access, store, or exchange protected health information (PHI).
HIPAA is not prescriptive, which makes it open to interpretation and difficult to apply. Organizations must necessarily reference additional standards for guidance on how to implement the requirements specified by HIPAA. It is also not the only set of security requirements healthcare organizations need to address (e.g., PCI, State, business partner requirements).
The HITRUST Common Security Framework (CSF) is not a new standard. The CSF is a framework that normalizes the security requirements of healthcare organizations, including federal legislation (e.g., ARRA and HIPAA), federal agency rules and guidance (e.g., NIST, FTC and CMS), state legislation (e.g., Nevada, Massachusetts and Texas), and industry frameworks (e.g., PCI and COBIT), so the burden of compliance with the CSF is no more than what already applies to healthcare organizations. The CSF was built to simplify these issues by providing direction for security tailored to the needs of the organization.
The CSF is the only framework built to provide scalable security requirements based on the different risks and exposures of organizations in the industry.
The CSF contains 14 security Control Categories comprised of 19 domains, 46 Control Objectives/Names, 149 Control References/Specifications and over 1000 Requirement statements. The CSF Control Categories, accompanied by the number of objectives and specifications, are: