HITRUST CSF Certification and Hitrust Security Assessment - https://intactsec.com/hitrus...

The first version of the Health Information Trust Alliance Common Security Framework (HITRUST CSF) was released in March 2009 and was developed to provide organizations with a framework specifically devoted to the protection of ePHI and PHI data in the healthcare industry, while also allowing for the adoption of health information systems and exchanges.

Under HITRUST, the CSF incorporates security controls and requirements based on those from multiple standards and regulations, as well as some unique to HITRUST, into a certifiable framework of security controls that scales according to the type, size, and complexity of the organization and its systems. These requirements, synced into a single set of controls, are mapped to their sources for compliance purposes.

Efficiencies are achieved by implementing this combined framework due to the comprehensive and prescriptive nature of the CSF control set, allowing organizations to simultaneously meet multiple compliance initiatives based on a single audit. The HITRUST CSF includes 14 control categories, 49 objectives, and 149 total control specifications (which may contain multiple levels of control components). At least 64 of these control specifications are required to be in place and operating effectively for an organization to become HITRUST certified.

HITRUST offers a self-assessment option for organizations looking to conduct an assessment internally; however, organizations are well served to obtain the expertise of a qualified CSF assessor organization, such as Interactive Security, to identify the strengths and weaknesses of their information security program and to make recommendations about how to address any issues.