From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

HITRUST is a privately held company located in Frisco, Texas, United States that, in collaboration with healthcare, technology and information security organizations, established the HITRUST CSF. The company claims CSF is a comprehensive, prescriptive, and certifiable framework, that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data.

HITRUST originally served as an acronym for "Health Information Trust Alliance", but the company has since rebranded as simply HITRUST. HITRUST includes a for-profit division (HITRUST Services Corp) and a not-for-profit division (HITRUST Alliance).


The HITRUST CSF (created to stand for "Common Security Framework", since rebranded as simply the HITRUST CSF) is a prescriptive set of controls that meet the requirements of multiple regulations and standards.[1][2] The framework provides a way to comply with standards such as ISO/IEC 27000-series and HIPAA.[3][4] Since the HITRUST CSF incorporates various security, privacy, and other regulatory requirements from existing frameworks and standards, some organizations utilize this framework to demonstrate their security and compliance in a consistent and streamlined manner.[5] Organizations can complete a self-assessment using the HITRUST framework, or they can engage with a HITRUST assessor for an external, third-party engagement.

HITRUST CSF has garnered criticism for being "cumbersome, expensive, arbitrary, unnecessarily complex", and using "outdated data".[6][4]

Executive Council[edit]

HITRUST is led by a management team and governed by an Executive Council made up of leaders from across a variety of industry. These leaders represent the governance of the organization, but other founders also comprise the leadership to ensure the framework meets the short- and long-term needs of the entire industry.

Executive Council members represent the following organizations:


  1. ^ Bosworth, Seymour; Kabay, M. E.; Whyne, Eric (2014). Computer Security Handbook, Set. John Wiley & Sons. ISBN 9781118851746. Retrieved 16 May 2019.
  2. ^ Snedaker, Susan (2013). Business Continuity and Disaster Recovery Planning for IT Professionals. Newnes. ISBN 9780124114517. Retrieved 17 May 2019.
  3. ^ "What is HITRUST CSF Certification?". Datica Health. Retrieved 17 May 2019.
  4. ^ a b Schreider, Tari (2017). Building Effective Cybersecurity Programs: A Security Manager’s Handbook. Rothstein Publishing. ISBN 9781944480509. Retrieved 16 May 2019.
  5. ^ "Microsoft Compliance. Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) (2019)".
  6. ^ "Delaware Health Information Network Pursues HITRUST Certification". www.govtech.com. Retrieved 20 August 2019. In an open letter to the HITRUST Alliance written and posted to LinkedIn last year, a network security professional named Kamal Govindaswamy questioned the usefulness of the HITRUST CSF, describing it as “cumbersome, expensive, arbitrary, unnecessarily complex” and using “outdated data.”

External links[edit]