By Nish Bhalla and Nima Dezhkam
Industry groups and regulators have put together many frameworks to help organizations secure their environments.
Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.
The HITRUST Common Security Framework (CSF) was put together by an alliance of healthcare, business, technology and information security leaders, and is based on a combination of existing standards and regulations, including federal (HIPAA, HITECH), third-party (PCI, COBIT) and government (NIST, FTC) sources. The Standards and Regulations Mapping tool reconciles the HITRUST CSF with multiple common and accepted standards and regulations applicable to healthcare organizations. Covered standards and regulations include, but are not limited to, ISO 27001, ISO 27002, COBIT 4.1, HIPAA, and PCI DSS 2.0.
The HITRUST CSF is a comprehensive tool developed to aid organizations that create, store, access or exchange electronic health and other sensitive information. The CSF consists of two components:
- Information Security Implementation Manual
- Standards and Regulations Mapping.
The Implementation Manual contains 13 security control categories, comprising 42 control objectives and 135 control specifications.
The controls can be implemented through policies and can be tested using some of the assessments described below. The 13 CSF control categories are as follows:
- Information Security Management Program
- Access Control
- Human Resources Security
- Risk Management
- Security Policy
- Organization of Information Security
- Compliance
- Asset Management
- Physical and Environmental Security
- Communications and Operations Management
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
Implementing the CSF
Implementation of the HITRUST CSF will vary by organization in both time commitment and level of effort, for several reasons. Despite these variations, every organization can use the following process provided by HITRUST to prepare for and perform an assessment of its existing infrastructure against the CSF:
Step 6 of the proposed process, Perform System Tests, involves evaluating and validating control implementations by incorporating technical security assessments. This step relates to multiple CSF control categories, and each category demands specific types of security assessment.
HITRUST publishes a list of CSF Assessors: organizations that HITRUST has approved to perform assessments and services associated with the CSF Assurance Program.
In addition to the approved organizations, other security companies have a deep understanding of the HITRUST CSF and its underlying control objectives. These companies can help organizations perform a CSF gap analysis and conduct the various technical security assessments.
The following table maps the CSF control categories to the technical security assessments they demand, including network and infrastructure penetration testing and application vulnerability assessment.

| CSF Control Category | Applicable Security Assessment |
| --- | --- |
| | Network and Infrastructure Penetration Testing |
| Physical and Environmental Security | Physical Security Assessment |
| Communications and Operations Management | Device Configuration Review, Network and Wireless Assessment |
| Information Systems Acquisition, Development and Maintenance | Application and Mobile Vulnerability Assessment, Source Code Review |
The control categories not covered above (such as Information Security Management Program, Human Resources Security, Risk Management, Security Policy, Organization of Information Security, Compliance, Asset Management, Physical and Environmental Security, and Business Continuity Management) can also be assessed by reviewing policies and performing spot checks.
The HITRUST framework is gaining momentum in many healthcare organizations. The full HITRUST CSF can be downloaded from the HITRUST website.