
HITRUST CSF Roadmap Focuses on Small Healthcare Orgs, NIST CSF

A new HITRUST CSF roadmap explains how HITRUST hopes to help small healthcare organizations with risk management and cybersecurity measures, as well as NIST CSF certification.

HITRUST CSF will have new ways to assist small healthcare organizations in regulatory compliance.


By Elizabeth Snell

HITRUST announced enhancements to its cybersecurity framework that will help smaller healthcare organizations create stronger risk management programs and cybersecurity measures, and help them achieve NIST Cybersecurity Framework (NIST CSF) certification.

The HITRUST roadmap explained that there will now be streamlined versions of the HITRUST CSF and of the supporting HITRUST CSF Assurance Program, intended to help small and low-risk healthcare organizations meet regulatory and risk management requirements.

Furthermore, a HITRUST CSF Assessment will now include a NIST Cybersecurity Framework certification with auditable documentation, in addition to a HIPAA risk assessment.

“HITRUST is expanding the controls required for HITRUST CSF Certification, from 66 to no more than 75, to enhance its support for an organization’s certification of compliance with the NIST Cybersecurity Framework,” HITRUST Standards and Analytics Vice President Dr. Bryan Cline said in a statement. “CSF Certified organizations will be able to provide both HIPAA and NIST Cybersecurity Framework compliance scorecards based on a single CSF assessment, which are incorporated into the HITRUST CSF Assessment Report.”

HITRUST explained that it collaborated with the physician community and small businesses to develop and pilot a new program, taking in feedback that smaller organizations needed better options for meeting regulatory requirements.

The CSF Basic Assurance and Simple Institution Cybersecurity program (CSFBASICs) “provides lower-risk organizations with a simplified set of requirements and a streamlined assessment approach that is easier to understand and implement,” according to HITRUST. Third parties, such as regulators, can also gain assurance and transparency into these organizations' information privacy and security programs.

The final CSFBASICs and CSFBASICs Assurance pilot programs are under way, and general availability is scheduled for Q3 2017.

The NIST CSF was also part of the HITRUST roadmap. While the HITRUST CSF and CSF Assurance programs already lay the groundwork for the NIST CSF, HITRUST stated that increasing cybersecurity threats require better guidance, assurance and support.

“To help ensure continued efficacy and relevancy, HITRUST, in consultation with the HITRUST CSF Advisory Council, actively solicits input from the industry on potential changes and updates to the framework, in addition to comments on those changes implemented with each new release of the HITRUST CSF,” the statement explained.

This is not the first time that HITRUST has focused on small healthcare organizations for improved cybersecurity measures.

In August 2016, HITRUST CyberAid was created to help smaller entities find the right healthcare cybersecurity solutions at an affordable price.

HITRUST stated at the time that physician practices are increasingly reliant on electronic and networked information systems, which can make healthcare data breaches especially devastating. Federal and state regulations for protecting patient information are also becoming more demanding.

“As a small physician practice with limited IT support, I rest easier knowing that CyberAid monitoring is in place. Having this level of protection allows me to maintain my focus on caring for patients, while also ensuring their data is protected,” Waxahachie, Texas-based Mary Jean Strength, MD said in a statement.

Overall, HITRUST said it would ensure the program stayed effective by monitoring the following areas:

  • Ability to mitigate cyber risks
  • Practicality of use within small organizations
  • Capacity to support cyber threat information sharing of indicators of compromise (IOCs)
  • Proficiency in facilitating routine, streamlined security assessments
  • Acquisition and maintenance affordability

“Effectively addressing cyber security challenges, engaging in cyber information sharing and streamlining the HITRUST CSF Assessment process for physician practices have been a goal of HITRUST,” HITRUST CEO Daniel Nutkis explained at the time. “This program is a big step forward towards those goals.”
