New Security Framework for Small Healthcare Providers

By Richard Anderson

A security framework for small healthcare providers has been released by the Health Information Trust Alliance (HITRUST). The security framework is a revised version of the HITRUST common security framework (HITRUST CSF) and can be used to create, access, store and exchange healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA).

The HITRUST CSF is the most widely adopted security framework for the healthcare industry in the United States. The framework is comprehensive, scalable, and certifiable, and has been used by many healthcare organizations as part of their HIPAA compliance and risk management programs.

While the full HITRUST CSF can be adopted by healthcare organizations of all sizes, smaller healthcare organizations typically do not have the resources needed for adoption of the HITRUST CSF. Due to budgetary constraints, there simply isn’t the money available to hire external consultants to help them meet the requirements of the HITRUST CSF.

The new security framework for small healthcare providers was developed to help smaller healthcare organizations improve their resilience against cyberattacks and help them with their risk management programs. Essentially, the new security framework for small healthcare providers is a scaled-down version of the HITRUST CSF, including all of the basic elements – hence its name, CSFBASICs.

The CSFBASICs framework is a streamlined version of the full HITRUST CSF program and is suitable for lower-risk healthcare organizations to help them meet their HIPAA risk management obligations. The new framework is much easier to understand and implement and requires fewer resources. By adopting the CSFBASICs program, smaller healthcare providers can easily provide assurances to regulators such as the Office for Civil Rights that information privacy and security programs have been adopted. The program will allow small healthcare organizations to easily demonstrate that they are complying with HIPAA Rules.

The program was developed after feedback was received from smaller healthcare organizations requesting assistance with their HIPAA compliance programs and help with better protecting their businesses against cybersecurity threats. HITRUST collaborated with physicians and small businesses to develop the new framework, which is currently in the final stages of the pilot phase. The new program is expected to be made available to healthcare organizations in the third quarter of 2017.



Richard Anderson is the Editor-in-Chief of NetSec.news