HITRUST CSFBASICs: A New Framework Designed for Smaller Healthcare Organizations

As the data breach landscape in the healthcare industry evolves, so do organizations and their compliance with regulatory requirements. Doing ‘nothing’ to protect healthcare data is no longer an acceptable approach for small healthcare entities. Recognizing that one assessment size does not fit all, the HITRUST Alliance (HITRUST) has created the HITRUST CSF Basic Assurance and Simple Institution Cybersecurity Program (CSFBASICs). CSFBASICs is a new pilot program designed specifically for small and lower-risk healthcare organizations with limited resources who are unable to utilize existing HITRUST programs.

Through the simplification of requirements and a streamlined assessment approach, unassessed, small healthcare organizations can now meet the regulatory compliance requirements, while mitigating cyber risks and protecting patient information. Additionally, the program provides third parties the necessary assurance and support for their privacy and security controls.

The CSFBASICs program aims to help small healthcare organizations:

  • Increase protection of electronic health records (EHRs)
  • Improve resilience against cyber attacks
  • Provide necessary assurance at an affordable cost
  • Meet state and federal compliance requirements

The qualifying criteria for the program are based on size and risk. Using the U.S. Small Business Administration’s size standards, HITRUST determined the size criteria using total annual receipts and business type. An organization’s risk-level is calculated based on the ratio between the annual and the total number of records, as well as the maximum annual patient panel size.

In collaboration with smaller healthcare organizations over the course of three years, HITRUST revised the Small Organization Health Information Assurance (SOHIA) Program. Although CSFBASICs is recognized as an independent program, it utilizes the existing HITRUST CSF with 76 information security controls and 33 privacy controls. However, as part of evaluating each control, CSFBASICs simplifies the maturity model from 5 to 3 levels. The program’s scoring is also condensed to a 3-point model: fully compliant, partially compliant, and noncompliant. Additional controls may also be added to address the monitoring of a cybersecurity or information security program.

While the CSFBASICs framework is still undergoing revisions and has not been published for general use, the feedback of the pilot program has been positive. The participants have stated the new program and its simplified approach is better suited for smaller healthcare organizations. As CSFBASICs is now in its final phase of development, organizations can expect the official release in early 2018.

As a HITRUST CSF Assessor firm, A-LIGN helps provide compliance solutions for healthcare organizations and their business associates. Our certified practitioners are members of both the HITRUST CSF Assessor Council and Quality Subcommittee and have extensive experience providing information security auditing and advisory services to organizations in the healthcare industry.

For more information on HITRUST CSFBASICs or HITRUST Certifications, please reach out to [email protected] to speak with one of our HITRUST Practitioners.