In this last installment of our three-part blog series on healthcare data security, we’ll describe the benefits of choosing technology vendors that are HITRUST Common Security Framework (CSF) certified.


Authored by Brenton McKinney, Vice President of Security

Earlier in this blog series, we discussed healthcare’s unique data security challenges and offered several steps organizations can take to Prepare, Respond and Recover from data security breaches. One of those steps mentioned HITRUST certification.

As an important component of a strong and agile security posture, it’s vitally important for health plans, providers and business associates to understand what the HITRUST Common Security Framework (CSF) is and the benefits certification brings.

The Health Information Trust Alliance, or HITRUST Alliance, is an independent, not-for-profit authorization body dedicated to safeguarding sensitive information and managing information risk. HITRUST CSF coalesces a multitude of federal, state, healthcare and cross-industry standards and regulations into one rigorous framework, with a prescriptive set of controls that are applied based on an organization’s scale and maturity level. This includes HIPAA, ISO, NIST and COBIT, among others.

CSF certification tests security controls and verifies not only that a vendor meets key regulations and industry-defined requirements, but also that it appropriately manages risk involving data security, availability, confidentiality, processing integrity and privacy. Although it is demanding, the HITRUST framework is also quite flexible. This uncommon combination of precision and flexibility allows the framework to be tailored to organizations of any size and readiness state.

CSF certification of a vendor gives health plans, providers and business associates independent, third-party assurance that the vendor adheres to exacting security standards. Certification can help reduce the time and cost of managing security audits by ensuring that the organization has simplified reporting and documentation of the vendor’s security stance at its fingertips.

In addition, the constant task of keeping up with regulatory requirements is a key challenge for any healthcare organization in today’s landscape. When third-party vendors are HITRUST CSF certified, however, organizations can be confident that their vendors’ HIPAA and other mandates are kept up-to-date as requirements change.

Health plans, providers and business associates that require their technology vendors to be HITRUST certified can rest easier knowing that a common toolkit is being used to secure sensitive data across the enterprise ecosystem. In choosing vendors that have obtained the HITRUST CSF certification, organizations mitigate risk and protect their brands. They can assure their customers that their information technology meets the latest, most comprehensive security standards.

All of these benefits make choosing a HITRUST CSF-certified vendor the smart choice for health plans, providers and business associates.

Medecision’s Aerial™ application and supporting infrastructure has earned HITRUST Certified status for information security. This designation assures our customers that the Aerial platform leverages the most rigorous standards and protocols available to secure their data. For more information, click here.

Subscribe to our blog

Don't forget to share this post!