20. What is HITRUST CSF | Common Security Framework and why are information security policies so important?

Known simply as HITRUST, the "Health Information Trust Alliance" is an organization that seeks to promote a set of prescriptive controls known as the Common Security Framework (CSF) regarding the creation, access, storage, and/or exchange of personal health and financial information. As for the CSF, it is a certifiable framework that "leverages" many pre-existing benchmarks, standards, and frameworks, such as HIPAA, NIST, ISO, PCI, COBIT, and many others. Some of the features of the CSF are the following:

  • Prescriptive requirements.
  • Allows the use of alternate or compensating controls.
  • Adheres to a risk-based methodology and overall approach.
  • Is scalable to an organization's needs and requirements.
  • Requires the development of various operational and security policies and procedures for ensuring compliance.

Documented Policies and Procedures are Critical for Compliance

An extension of the CSF is actually the "HITRUST CSF Assurance Program", which provides compliance assessment reporting for HIPAA, HITECH, along with applicable state and "business associate" requirements. Simply stated, this is about protecting confidential, private, and personal consumer health care information and related financial information, better known as Personally Identifiable Information (PII). And what does every major regulatory compliance and industry-specific directive always mandate as part of one's adherence to its stated guidelines? Documented policies and procedures. HITRUST is no different: just take a look at the Control Specifications for HITRUST CSF, which require policy and procedure documentation for access control, network services, and many other areas within information security. Where can you get a comprehensive set of operational, business-specific and information security policies and procedures? From FLANK.

Policies and Procedures are a BIG Part of HITRUST CSF

As a true global leader in providing documented operational, business-specific and information security policies and procedures for all types of organizations, FLANK should be your only choice for HITRUST CSF security templates. HITRUST and its CSF Assurance Program are notable players in the health care industry, and that's why organizations need to rely on industry-leading policy and procedure documents, such as those provided by FLANK.

Disclaimer: FLANK provides a wide range of security, governance and regulatory compliance services and solutions as requested by healthcare organizations who contact us in need of assistance. At times, such assistance may include professional recommendations/advice for internal controls relating to HITRUST compliance that are based on ISO 27001/27002 publications and/or the actual CSF guidelines. Such recommendations are only offered when a client provides us with relevant HITRUST documentation which they have accessed from https://hitrustalliance.net/ and then provided to FLANK. Because FLANK is not a HITRUST assessor, we do not access the HITRUST portal at https://hitrustalliance.net/. Additionally, our documentation, the ISO 27001/27002:2013 All-in-One Toolkit, contains proprietary, copyrighted information that was developed independently of any input from the HITRUST CSF, rather, exclusively by FLANK personnel who have years of relevant ISO 27k expertise. FLANK does not endorse or promote HITRUST, and FLANK is not affiliated in any manner with HITRUST.