The Health Information Trust Alliance (HITRUST) is the group that developed and maintains the Common Security Framework (CSF), a certifiable security framework that enables mainly health care companies to handle risk management and regulatory compliance.
Any organization that conducts a HITRUST CSF Self-Assessment or a HITRUST CSF Validated Assessment is required to score its control environment compliance according to the HITRUST Maturity Model. This maturity model assures that the organization has properly implemented each control in the HITRUST CSF.
HITRUST calculates an organization’s risk per control based on five maturity levels:
- Policy
- Procedure
- Implemented
- Measured
- Managed
Each maturity level in the HITRUST CSF Maturity Model builds on the level that comes before it in a cycle of continuous improvement. The first three levels center on design effectiveness, while the last two levels focus on operational effectiveness.
The HITRUST Maturity Model is used by HITRUST and CSF assessors to assess an organization’s compliance with each objective in the HITRUST CSF.
A summary of the five HITRUST maturity levels is as follows:
- Policy: Reviews all the existing policies and standards that define an organization’s overarching compliance program to determine if they cover the major operations and facilities of the organization. Also evaluates whether there is effective communication between business leaders and the workforce in terms of correctly transmitting the policies and standards.
- Procedures: Analyzes whether a company has communicated the implementation procedures for each component of the requirements to the people who have to follow them. This lets HITRUST know that the assigned individuals are knowledgeable enough to carry out their responsibilities.
- Implemented: Determines whether an organization consistently implements the controls that are defined in its policies and procedures wherever they need to be implemented.
- Measured: Reviews the testing or measurement of the organization’s policies, procedures, and control implementations to determine if they continue to remain effective.
- Managed: Assesses the effectiveness of the corrective actions an organization has taken to solve the weaknesses in the controls that were identified in the first four levels.
The HITRUST CSF helps healthcare organizations integrate compliance with a variety of standards, regulations, and best practices, including HIPAA (the Health Insurance Portability and Accountability Act of 1996) and the ISO/IEC 27000 series of standards that help companies improve their information security.
The HITRUST MyCSF tool lets health care organizations securely access the HITRUST CSF via the internet to perform CSF assessments, manage corrective actions, and report and track compliance.
HITRUST CSF assessments use a maturity level scoring model and risk ratings that provide accurate scoring and help organizations take the right corrective actions.