

HITRUST, or the Health Information Trust Alliance, is not a framework at all, but the organization that created and maintains the Common Security Framework, or CSF. The CSF is a certifiable framework that brings together, or harmonizes, several other compliance frameworks and standards, including HIPAA, PCI, ISO, and NIST. By "harmonize" we mean that the CSF maps all of those standards together, with the CSF as the central mapping key.

The HITRUST Common Security Framework (CSF) is a comprehensive and certifiable security framework used by healthcare organizations and their business associates to manage regulatory compliance and risk management. HITRUST unifies recognized standards and regulatory requirements from NIST, HIPAA/HITECH, ISO 27001, PCI DSS, FTC and COBIT, and can be completed according to SOC 2 criteria, making it the most widely adopted security framework in the U.S. healthcare industry.

HITRUST (CSF) framework

The HITRUST CSF is organized by 14 Control Categories, which contain 49 Control Objectives and 156 Control Specifications based on ISO/IEC 27001:2005 and 27002:2005. Each Control Specification consists of as many as three implementation levels applied to healthcare organizations according to specific organizational, system and regulatory factors.

Control Categories

The CSF Control Categories, each followed by its number of Control Objectives and Control Specifications in parentheses, are:

0. Information Security Management Program (1, 1)

1. Access Control (7, 25)

2. Human Resources Security (4, 9)

3. Risk Management (1, 4)

4. Security Policy (1, 2)

5. Organization of Information Security (2, 11)

6. Compliance (3, 10)

7. Asset Management (2, 5)

8. Physical and Environmental Security (2, 13)

9. Communications and Operations Management (10, 32)

10. Information Systems Acquisition, Development, and Maintenance (6, 13)

11. Information Security Incident Management (2, 5)

12. Business Continuity Management (1, 5)

13. Privacy Practices (7, 21)

What organizations are affected by HITRUST?

The HITRUST CSF applies to healthcare organizations of varying size and complexity because it incorporates all security-related requirements and practices that concern sensitive healthcare information. In addition to the principal control categories contained in the ISO/IEC framework, the HITRUST CSF also includes specific categories for an "Information Security Management System" (ISMS) and for risk management practices, which help ensure that the system controls are correctly specified and implemented.

When is the HITRUST CSF framework required?

If you do business with relevant US healthcare organizations, they may require that your organization comply with the HITRUST CSF.

How can my organization demonstrate that it complies with the HITRUST CSF?

The easiest way, if your organization is already SOC 2 compliant, is to adjust your SOC 2 report so that it also covers the required NIST publication. Several SOC 2 principles will be used to integrate the HITRUST CSF.

Yucca IT Consulting can help you

We can assist you throughout your preparation to meet the HITRUST CSF framework, from the gap analysis to the independent SOC 2 report (with HITRUST included). With the help of your in-house project lead, a realistic timetable will be documented and accepted by your management.
