HITRUST CSF Certification - Frequently Asked Questions
By: Zachary Shales, Senior Consultant, Healthcare and Life Sciences, Coalfire
Experienced security professionals at healthcare and life sciences organizations are familiar with the Health Insurance Portability and Accountability Act’s (HIPAA) baseline requirements, however these requirements are often characterized by vague verbiage and subjective interpretations, leaving organizations perplexed by the challenge of deciding which actions satisfy an appropriate level of security and privacy protection for Protected Health Information (PHI). Left unaddressed, this challenge can leave critical systems without essential administrative, physical, technical, and organizational safeguards.
This is where the Health Information Trust Alliance (HITRUST) comes in as the necessary actionable roadmap for organizations that process, transmit, and store PHI. The HITRUST Common Security Framework® (CSF) was developed by IT and healthcare professionals to provide a highly prescriptive framework for managing the security requirements inherent in HIPAA. As such, HITRUST provides a certifiable information security framework that supplements and cross-references existing, globally recognized standards, regulations, and business requirements with healthcare industry insights and best practices to provide much-needed clarity and consistency. This harmonization of processes allows healthcare and life sciences organizations and their vendors to conduct a single assessment while meeting the requirements of multiple compliance initiatives.
As with any complex framework, there are often questions regarding how to obtain certification, the issues surrounding the CSF, and the relationship between HIPAA and HITRUST. The objective of this FAQ document is to address and clarify common questions regarding the assurance program, HITRUST CSF scoring, and the underlying HITRUST CSF.
This document requires registration. Please fill out the form located on this page to receive access.