Founded in 2007, the Health Information Trust (HITRUST) Alliance is a vendor consortium that developed the Common Security Framework (CSF). Its goal is to help the healthcare industry ensure compliance and consistency with HIPAA and other applicable security regulations (such as PCI DSS). Adopting the HITRUST CSF lets organizations streamline their compliance efforts and remove redundancies.
HITRUST requirements cover 19 security domains:
- Information Protection
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Protection
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education, Training & Awareness
- Third-Party Security
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection and Privacy
Companies can demonstrate their compliance with the framework in three ways:
- HITRUST Self-Assessment: the organization performs a self-assessment using the HITRUST MyCSF tool and obtains a self-assessment report.
- HITRUST CSF Validation: this type of assertion is similar to a self-assessment, but the self-assessment is then validated by an independent HITRUST assessor, who issues a validated assessment.
- HITRUST CSF Certification: this approach offers the highest level of compliance assertion. The assessment is performed by a HITRUST assessor and certified by the HITRUST Alliance.
Each HITRUST certification is issued for two years and requires interim assessments in the years between the certification assessments.