HITRUST (Health Information Trust Alliance)
As a leading provider of information security services to healthcare organizations, FRSecure strives to stay ahead of current trends not only by improving its own proprietary assessment methodology but also by engaging organizations that seek to advance information security within the healthcare industry. FRSecure has been chosen to be a HITRUST CSF Assessor by the Health Information Trust Alliance (HITRUST). With this achievement, FRSecure is now able to provide services using the HITRUST CSF, a comprehensive security framework that addresses the multitude of security, privacy and regulatory challenges facing healthcare organizations in order to comply with healthcare (HIPAA, HITECH), third-party (PCI, COBIT) and government (NIST, FTC) regulations and standards.
As a CSF Assessor, FRSecure provides healthcare organizations of varying size and complexity the ability to assess compliance with security control requirements and document corrective action plans, thereby enhancing and maturing an organization's information security posture.
What is the HITRUST CSF?
The HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
The HITRUST CSF:
- Includes, harmonizes and cross-references existing, globally recognized standards, regulations and business requirements, including HIPAA, HITECH, NIST, ISO, PCI, FTC, COBIT and State laws
- Scales controls according to type, size and complexity of an organization
- Provides prescriptive requirements to ensure clarity
- Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
- Allows for the adoption of alternate controls when necessary
- Evolves according to user input and changing conditions in the healthcare industry and regulatory environment on an annual basis
- Provides an industry-wide approach for managing Business Associate compliance
The CSF contains 14 security control categories comprised of 46 control objectives and 149 control specifications. The CSF Control Categories, along with the number of Objectives and Specifications, are:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education, Training and Awareness
- Third Party Assurance
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection & Privacy