CIO Magazine

HITRUST CSF Most Widely Adopted Security Control Framework in U.S. Healthcare Industry

29 July 2010 09:38 am

The Health Information Trust Alliance (HITRUST) announced that more than 50 percent of hospitals and 70 percent of health plans with more than 5,00,000 members are utilising the HITRUST Common Security Framework (CSF). In addition, the number of organisations undergoing HITRUST CSF assessments is increasing at the same time that a growing number of healthcare organisations have committed to accepting the assessment results as a means of evaluating their business associates’ capabilities for protecting health information. The CSF Assurance program, through which the assessments are conducted, was created in response to the information security challenges and inefficiencies associated with evaluating compliance with various regulations and proprietary third-party assessment approaches. The program has also become the most widely used approach for measuring third-party information security assurance in the healthcare industry.

HITRUST has begun to issue CSF Validated and CSF Certified reports, which organisations can use to report the state of their information security to multiple internal and external parties (e.g., state and federal agencies, HIOs, customers, healthcare organisations, business associates). Many healthcare organisations have agreed to accept the CSF assessment results in lieu of proprietary third-party information security assessments as a way to evaluate and verify their business partners’ capabilities for protecting health information. This comes at a critical time with the recent amendments to the HIPAA rules extending applicability directly to business associates and subcontractors, requiring greater due diligence on their part and the parts of covered entities.

“We are very pleased with the rate of adoption of the CSF and CSF assurance program,” said Daniel Nutkis, Chief Executive Officer, HITRUST. “We are also very satisfied with the progress organisations are making in achieving CSF Certified status. The controls established to become CSF certified in 2010 are those deemed critical based on analysis of breach data to mitigate risk and minimise loss. The actions being taken indicate progress being made in the industry toward greater information protection.”

The CSF Assurance program helps all organisations in healthcare manage compliance spending while also facilitating trust and transparency around information security. Organisations participating in the CSF assurance program, either as healthcare organisations or business associates, are able to focus their often limited resources on remediation and monitoring activities instead of the ongoing management of complex, proprietary approaches to compliance measurement and reporting.

“Having a standard, efficient approach for delivering security assurance among third parties alleviates some of the challenges and complexities inherent with protecting health information and adhering to federal, state and other third-party regulations and requirements,” said Cliff Baker, Chief Strategy Officer, HITRUST. “It has been HITRUST’s goal from the beginning to provide the industry with the guidance and tools needed to advance the state of healthcare information protection while creating efficiencies and cost savings. The continued adoption of the CSF and increase in CSF assessments tells us we are meeting the needs of the industry.”

As part of the CSF Assurance program, HITRUST offers tools and processes to aid organisations in assessing and reporting against the CSF. The CSF assurance toolkit serves as a practical means for an organisation to perform a self-assessment or undergo an assessment conducted by a CSF assessor. Included in the toolkit is the Common Health Information Protection (CHIP) questionnaire, which takes an innovative, new approach over traditional check-box assessments by focusing on the key measures that will reflect the maturity of a security program and highlight control weaknesses that are most likely to result in a breach.

