HITRUST Announces Health IT Security & Privacy Certification Program

HITRUST CSF Assurance Program provides common approach to manage security assessments

November 16, 2009

6 Min Read


Frisco, TX " November 16, 2009 " The Health Information Trust Alliance (HITRUST) announced today a program that significantly alters how the healthcare industry assesses security and reports compliance for HIPAA, HITECH, state and other third-party requirements. The HITRUST CSF Assurance Program addresses the challenges with the historically proprietary process by providing healthcare organizations and their business associates with a common approach to manage security assessments that creates efficiencies and contains costs associated with multiple and varied assurance requirements. By offering two levels of assurance " CSF Validated and CSF Certified " the program makes it easier for organizations to realize benefits sooner by offering an incremental path to compliance according to their size, risk profile and reporting requirements.

The program leverages the HITRUST Common Security Framework (CSF), a comprehensive security framework that incorporates the existing security requirements of healthcare organizations, including federal, state, third party (e.g., PCI and COBIT) and other government agencies (e.g., NIST, FTC and CMS). With the broad adoption of the CSF, HITRUST is now able to provide healthcare organizations and their business associates with a streamlined compliance process and the guidance and tools that ensure a consistent and incremental approach to assessing and reporting compliance to multiple constituents.

"The current method of measuring and reporting compliance is fraught with rampant inconsistencies and tremendous waste of time and resources, all of which work against the goals of healthcare reform from both an efficiency and information protection perspective," said Daniel Nutkis, Chief Executive Officer, HITRUST. "The confirmation of the need for a new approach is evident in the fact that so many healthcare organizations are already requiring or encouraging their business associates to participate in the CSF Assurance Program. In addition, we are seeing many business associates proactively take part in the program prior to a request being made."

By utilizing the CSF Assurance Program, organizations can perform a single assessment against the requirements of the CSF and report the results to various constituents, reducing the time, costs and complexities of today's compliance efforts. For organizations that have already adopted the CSF, the program allows them to receive immediate and incremental value through common reporting tools and processes.

"As a leader in healthcare reform and innovation, the Health Information Partnership for Tennessee (HIP TN) is working with HITRUST to adopt the CSF as part of its health information exchange initiatives," said Bob Gordon, chairman of the board for HIP TN. "A single, comprehensive assessment approach would ensure we aren't adding complexity and cost to the healthcare system, while at the same time enabling the protection of health information. The CSF and the CSF Assurance Program should provide the needed mechanisms to ensure trust in the healthcare organizations that connect to the state's health information exchanges."

"Given our number of business associates, a simplified and consistent approach allows us to reduce the costs and time spent on our assessment efforts," said Jon Moore, Chief Information Security Officer, Humana. "The CSF Assurance Program will streamline our current assessment approach, reduce the burden on our business associates, and allow resources to be devoted to other matters critical to health information protection."

Recognizing that healthcare organizations require different levels of assurance based on their specific circumstances, the CSF Assurance Program sets a manageable path with multiple assessment and reporting options based on risk. Organizations can choose either CSF Validated or CSF Certified, both of which leverage the same processes, tools and requirements, but offer different degrees of assurance. CSF Validated allows organizations to be measured and report their progress against the CSF, as well as providing valuable information such as standardized corrective action plans. CSF Certified provides additional efficiencies by verifying that an organization has met all of the industry defined certification requirements of the CSF.

"The CSF Assurance Program allows us to evaluate our compliance with various standards and federal and state regulations, including HIPAA and HITECH, and the meaningful use security requirements," said Michael Frederick, Chief Information Security Officer, Baylor Health Care System. "By obtaining CSF Validated status, we can better satisfy our internal stakeholders as well as demonstrate our compliance due diligence to external stakeholders as needed."

"We use the HITRUST Common Security Framework to satisfy customer requests regarding components of our rigorous security program, including information privacy and security assessment requirements," said Jason Taule, director of Corporate Information Security, ViPS, a General Dynamics Information Technology company.

A critical element in the CSF Assurance Program is the oversight and governance provided by HITRUST. "As a partner to healthcare organizations in establishing trust in the industry, HITRUST takes its role seriously in ensuring the quality, accuracy and fairness of assessments and the resulting reports," said Kenneth Vander Wal, Chief Compliance Officer, HITRUST. "We are committed to providing greater confidence in security across the industry."

Assisting organizations in realizing the benefits from the CSF Assurance Program are CSF Assessors, those organizations uniquely qualified to deliver services under the program. Using CSF Assessors ensures that highly trained security professionals, knowledgeable in healthcare and the CSF, are accurately reporting findings to HITRUST, providing the increased level of assurance that healthcare organizations and their business associates demand.

"As a CSF Assessor, Verizon will provide services based on the HITRUST CSF Assurance Program as part of its health IT consulting services," said Rajeev Kapoor, global managing director " healthcare, Verizon. "By developing a new approach that incorporates multiple data security standards and regulations, this initiative will strengthen how healthcare organizations and their business partners assess and report on the protection of sensitive patient data as it passes between insurers, hospitals, clinics and doctors."

Visit www.HITRUSTalliance.net/assurance to learn more about the HITRUST CSF Assurance Program.

About HIP TN

The Health Information Partnership for Tennessee (HIP TN) seeks to improve the health of people served in Tennessee using a public-private framework to coordinate and empower the sharing of appropriate health information through local and regional Health Information Exchanges, as well as in areas not yet covered by an exchange, thereby improving quality, coordination of care, cost efficiency and public health.

About HITRUST The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights