Understanding and Leveraging the CSF

Developed in collaboration with healthcare and information security professionals, the Common Security Framework (CSF) is the first IT security framework developed specifically for healthcare information.

The HITRUST CSF:

  • Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC and COBIT
  • Scales according to type, size and complexity of an implementing organization
  • Provides prescriptive requirements to ensure clarity
  • Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
  • Allows for the adoption of alternate controls when necessary
  • Evolves according to user input and changing conditions in the healthcare industry and regulatory environment

Individuals can access the CSF only by registering for a HITRUST Central subscription. Individuals from qualified organizations* can register to receive a Standard subscription at no charge. Access to the online, interactive version of the CSF, authoritative sources and the CSF Assessment Toolkit is available only through a paid subscription.

* A qualified organization is any organization employing a function or activity involving the use or disclosure of individually identifiable health information, provided that said organization does not provide technology or security products or services. Additionally, any federal, state, or local agency or department may qualify for a Standard subscription. HITRUST has the right to verify eligibility.

Read the CSF Brochure to learn more about how the CSF is organized and how to implement the framework.
View a sample of the Security Implementation Manual, one of the three components of the HITRUST CSF.
Understand the value and ROI of the HITRUST CSF by reviewing the CSF Value Proposition.


HITRUST Central

A Professional subscription provides access to the online, interactive CSF, the CSF Assurance Toolkit, and many other resources developed specifically for healthcare information security professionals.

CSF Assurance Program

Learn how the program simplifies compliance assessment and reporting through a common set of information security requirements.
