HITRUST, a coalition of industry stakeholders cooperating to better secure protected health information, is unveiling a stripped-down version of a framework developed to offer security guidance and tools.
The organization's offerings have historically focused on large and mid-sized healthcare organizations, promoting the use of its Common Security Framework (CSF) of cybersecurity guidance and applications. By following the CSF guidelines, healthcare organizations can become HITRUST-certified and able to prove that they meet a series of security requirements to better secure data.
The coalition is now disclosing a slimmed-down version of the CSF, called CSFBASICs, for small healthcare agencies, specifically critical access hospitals, physician practices and vendors. These smaller groups that need to become CSF-certified will have to capture about 50% less data when preparing for CSF certification.
Daniel Nutkis, CEO at HITRUST, says, “The assessment form is intuitive and modeled after question-and-answer formats made famous in publicly marketed computer-based tax preparation tools.” An automated tool can ease the collection of assessment data and upload it to the CSF assessment tool.
The key information that small providers and vendors must capture and report covers firewalls, updating of policies, end-point security policies and patching—all to support particular technical security controls.
A five-physician family care practice, Corpus Christi Medical Associates, was a pilot site for CSFBASICs. James Stefan Walker, MD, says, “We basically do not have the staff or the expertise, nor can we employ consultants to handle these programs on an ongoing basis. I honestly did not know my practice could be secure or indicate HIPAA compliance, but that was before I had the chance to pilot CSFBASICs.”
The CSFBASICs rollout is expected in the third quarter of 2017.