Understanding and Leveraging the CSF

Developed in collaboration with healthcare and information security professionals, the HITRUST Common Security Framework (CSF) is the most widely adopted security framework in the U.S. healthcare industry. By incorporating federal and state regulations, standards and frameworks such as HIPAA, NIST, ISO and COBIT, the CSF is a comprehensive and flexible framework that remains sufficiently prescriptive in how control requirements can be scaled and tailored for healthcare organizations of varying types and sizes.

The HITRUST CSF:

  • Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC and COBIT
  • Scales according to type, size and complexity of an implementing organization
  • Provides prescriptive requirements to ensure clarity
  • Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
  • Allows for the adoption of alternate controls when necessary
  • Evolves according to user input and changing conditions in the healthcare industry and regulatory environment

Individuals can access the CSF through HITRUST Central or with a subscription to MyCSF, a secure, Web-based solution for performing assessments, managing remediation activities, and reporting and tracking compliance. Access to HITRUST Central is available at no charge to individuals from qualified organizations* and includes access to the CSF in PDF format. A subscription to MyCSF is available for an annual fee based on organization type. To learn more about a subscription to MyCSF, click here.

* A qualified organization is any organization employing a function or activity involving the use or disclosure of individually identifiable health information, provided that said organization does not provide security products or services. Additionally, any federal, state, or local agency or department may qualify. HITRUST has the right to verify eligibility.

Read the CSF Brochure to learn more about how the CSF is organized and how to implement the framework.
View a sample of the Security Implementation Manual, one of the three components of the HITRUST CSF.


Enhancements to the CSF Version 5.0 include guidance pertaining to:

  • Stage 2 Meaningful Use Requirements
  • NIST Special Publication 800-53 Revision 4
  • Council for Affordable Quality Healthcare (CAQH) Committee on Operating Rules for Information Exchange (CORE)
  • Texas House Bill 300
  • Mapping to relevant COBIT 5 controls

CSF Assurance Program

Learn how the program simplifies compliance assessment and reporting through a common set of information security requirements.
