Understanding and Leveraging the CSF
Developed in collaboration with healthcare and information security professionals, the HITRUST Common Security Framework (CSF) is the most widely adopted security framework in the U.S. healthcare industry. By incorporating federal and state regulations, standards and frameworks such as HIPAA, NIST, ISO and COBIT, the CSF is comprehensive and flexible while remaining sufficiently prescriptive about how control requirements are scaled and tailored for healthcare organizations of varying types and sizes.
The HITRUST CSF:
- Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC and COBIT
- Scales according to type, size and complexity of an implementing organization
- Provides prescriptive requirements to ensure clarity
- Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
- Allows for the adoption of alternate controls when necessary
- Evolves according to user input and changing conditions in the healthcare industry and regulatory environment
Individuals can access the CSF through HITRUST Central or with a subscription to MyCSF, a secure, web-based solution for performing assessments, managing remediation activities, and reporting and tracking compliance. Access to HITRUST Central is available at no charge to individuals from qualified organizations* and includes access to the CSF in PDF format. A subscription to MyCSF is available for an annual fee based on organization type.
* A qualified organization is any organization performing a function or activity that involves the use or disclosure of individually identifiable health information, provided that the organization does not provide security products or services. Any federal, state, or local agency or department may also qualify. HITRUST reserves the right to verify eligibility.