Assessment Controls in HITRUST CSF

By Nish Bhalla and Nima Dezhkam

Industry groups and regulators have put together many frameworks to help organizations secure their environments.

Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.

The HITRUST Common Security Framework (CSF) was put together by an alliance of healthcare, business, technology and information security leaders. It is based on a combination of existing standards and regulations, including federal (HIPAA, HITECH), third-party (PCI, COBIT) and government (NIST, FTC) sources. The Standards and Regulations Mapping tool reconciles the HITRUST CSF with multiple common and accepted standards and regulations applicable to healthcare organizations. Covered standards and regulations include, but are not limited to: ISO 27001, ISO 27002, COBIT 4.1, HIPAA, and PCI DSS 2.0.

The HITRUST CSF is a comprehensive tool developed to aid organizations that create, store, access or exchange electronic health and other sensitive information. The CSF consists of two components:

  • Information Security Implementation Manual
  • Standards and Regulations Mapping

The Implementation Manual contains 13 security control categories, comprising 42 control objectives and 135 control specifications.

The controls can be implemented through policies and tested using the assessments described below. The 13 CSF control categories are as follows:

  1. Information Security Management Program
  2. Access Control
  3. Human Resources Security
  4. Risk Management
  5. Security Policy
  6. Organization of Information Security
  7. Compliance
  8. Asset Management
  9. Physical and Environmental Security
  10. Communications and Operations Management
  11. Information Systems Acquisition, Development and Maintenance
  12. Information Security Incident Management
  13. Business Continuity Management

Implementing the CSF

Implementation of the HITRUST CSF will vary by organization in both time commitment and level of effort, depending on several factors. Despite these variations, every organization can use the process provided by HITRUST to prepare for and perform an assessment of its existing infrastructure against the CSF:

Step 6 of the proposed process, Perform System Tests, involves evaluating and validating control implementations by incorporating technical security assessments. This step relates to multiple CSF control categories, and each category demands specific types of security assessment.

HITRUST provides a list of CSF Assessors: the organizations HITRUST has approved to perform assessments and services associated with the CSF Assurance Program.

In addition to the approved organizations, other security companies have a deep understanding of the HITRUST CSF and its underlying control objectives. These companies can help organizations perform CSF gap analyses and conduct the various technical security assessments.

The following table maps the CSF control categories to the technical security assessments they demand, including network and infrastructure penetration testing and application vulnerability assessment.

  CSF Control Category                                            Applicable Security Assessment
  --------------------------------------------------------------  -------------------------------------------------------------------
  Access Control                                                  Network and Infrastructure Penetration Testing
  Physical and Environmental Security                             Physical Security Assessment
  Communications and Operations Management                        Device Configuration Review, Network and Wireless Assessment
  Information Systems Acquisition, Development and Maintenance    Application and Mobile Vulnerability Assessment, Source Code Review

The remaining control categories (Information Security Management Program, Human Resources Security, Risk Management, Security Policy, Organization of Information Security, Compliance, Asset Management, and Business Continuity Management) can be assessed by reviewing policies and performing spot checks.

The HITRUST framework is gaining momentum in many health care organizations. The full HITRUST CSF can be downloaded from the HITRUST website.
