Small providers now can seek HITRUST security certification
HITRUST, a coalition of industry stakeholders collaborating to better secure protected health information, is unveiling a stripped-down version of a framework it developed to offer security guidance and tools.
The organization has historically focused its offerings on large and mid-sized healthcare organizations by promoting the use of its Common Security Framework (CSF) of cybersecurity guidance and applications. By following CSF, healthcare organizations can become HITRUST-certified and able to show they can meet a series of security requirements to better protect the data.
Now, the coalition is unveiling a recently released, slimmed-down version of the CSF, known as CSFBASICs, for small healthcare organizations, particularly critical access hospitals, physician practices and vendors. These smaller groups that want to get CSF-certified will need to capture about 50 percent less information when preparing for CSF certification.
The assessment form is intuitive and modeled after question-and-answer formats made popular in publicly marketed computer-based tax preparation tools, says Daniel Nutkis, CEO at HITRUST. An automated tool can ease collection of assessment information and upload it to the CSF assessment tool.
The core information that small providers and vendors must capture and report covers firewalls, updating of policies, end-point security policies and patching—all to support specific technical security controls.
Corpus Christi Medical Associates, a five-physician family care practice, was a pilot site for CSFBASICs. “We generally don’t have the staff or the expertise, nor can we hire consultants to manage these programs on an ongoing basis,” says James Stefan Walker, MD. “I honestly didn’t know my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”
The rollout of CSFBASICs is expected in the third quarter of 2017.