New Simplified HITRUST CSF for Small Healthcare Providers

This week, HITRUST announced it has created a new, simplified HITRUST CSF for small healthcare providers to help them with their compliance and risk management programs.

A New HITRUST CSF for Small Healthcare Providers

The HITRUST CSF is a certifiable framework that was developed to help healthcare organizations manage risk and comply with industry regulations such as HIPAA. The framework is flexible and can be tailored to suit healthcare organizations of all types and sizes. The HITRUST CSF has been widely adopted and it is now the most commonly used security framework in the healthcare industry in the United States.

However, smaller healthcare providers have struggled with the framework as they typically lack both the expertise and staff to meet the program’s requirements. To improve adoption rates with smaller healthcare organizations, HITRUST stripped down its framework to the basics. The new program is much better suited to smaller, lower-risk healthcare organizations.

HITRUST had received numerous requests for assistance from smaller healthcare practices that were looking to improve their cybersecurity defences and comply with HIPAA regulations. The new HITRUST CSF for small healthcare providers is easier to understand and implement, yet will still help organizations improve resilience to cyber threats and meet compliance requirements. The new program is called CSF Basic Assurance and Simple Institution Cybersecurity program (CSFBASICs).

The CSFBASICs program is still in the pilot phase and has only been adopted by a select group of smaller healthcare providers. According to HITRUST, the pilot has progressed well and will be made available in the third quarter of 2017.

In addition to the new HITRUST CSF for small healthcare providers, updates have been made to HITRUST CSF version 8.1 and to the HITRUST CSF Assurance Program (v8). Version 9 of the HITRUST CSF is scheduled for July 2017.

The update to HITRUST CSF v8.1 was released on February 6, 2017 and includes a content update as well as support for PCI DSS v3.2 and MARS-E v2. Version 9 will be enhanced to better align the program with the language of the second version of the Office for Civil Rights (OCR) Audit Protocol. Additional guidance will also be provided for adopters of Infrastructure-as-a-Service (IaaS) through the inclusion of FedRAMP requirements. The FFIEC IT Examination Handbook for Information Security will also be added to the program.

The changes enhance the scope of the HITRUST CSF, increasing the controls for certification from 66 to 75 to support compliance with the NIST Cybersecurity Framework. According to HITRUST’s Bryan Cline – VP for standards and analytics – “CSF Certified organizations will be able to provide both HIPAA and NIST Cybersecurity Framework compliance scorecards based on a single CSF assessment, which are incorporated into the HITRUST CSF Assessment Report.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of