There’s Something About Frameworks: A Look at HITRUST’s CSF

Michael Buckbee
2 min read
Last updated August 11, 2022

Repeat after me: frameworks are not standards. They are instead often used as a guide to navigate through the underlying standards.

There are lots of frameworks cropping up in the cybersecurity world. If you’re completely new to, let’s say, protecting critical infrastructure and not even sure how to begin working out the right controls, then you take a trip to NIST’s own Critical Infrastructure Security Framework.

Is there anything similar in the world of healthcare to navigate its complex security and privacy regulations?

The folks at the Health Information Trust Alliance, or HITRUST, have, after working with healthcare and IT experts, come up with their own Common Security Framework (CSF).

Nitty Gritty of the Common Security Framework

A healthcare security framework has to take into account the entire scope of healthcare security, including not just the actual health data, but other data as well, for example, financial and transactional information.

So it’s not surprising that HITRUST’s sprawling CSF — over 400 pages of guidance goodness covering 13 different areas — has controls that map into HIPAA’s safeguards for protected health information, PCI DSS for credit card data, and COBIT controls related to financial information — to name just a few!

The overall idea is that you dive into the CSF for the area of healthcare security you’re interested in safeguarding, say access control, and then find the actual compliance and regulatory mappings. CSF provides several levels of these mappings — Level 1, Level 2, and Level 3 — so that you get increasing granularity in your implementation.

For example, in the case of CSF’s information access control policy (Control 1.1a), CSF directs you to HIPAA 164.308(a)(4). Remember that HIPAA requirement? It’s where HIPAA tells you to implement policies so that authorized users access only the minimum information they need to do their jobs.

Keep in mind that HIPAA is technology neutral and not overly prescriptive. So if you want a more specific requirement for getting this done, the Level 2 mapping then directs you to ISO 27002 A.9.1.1. To jog your memory, this is where the ISO folks get into the weeds on prescribing specific controls for apps and information.

Varonis Can Help

Yes, we can! CSF is a giant meta-standard and a good resource for those planning comprehensive solutions for every aspect of healthcare security, down to the level of electrical equipment safety — see CSF Control 0.8.d and its NIST Cybersecurity Framework mapping!

Varonis already provides support for many of the key compliance standards — especially the aforementioned HIPAA and PCI — which form the basis of many of the Level 1 and Level 2 mappings.

If you’re looking for an overall map — yes, another map! — that shows some of the key areas where Varonis can help in CSF, please review the table below.

CSF area / control(s) → HIPAA and PCI DSS mappings

01: Access Control
  (.02) Authorized Access to Information System
  (.06) Application and Information Access Control
  • HIPAA 164.308(a)
  • PCI DSS 8.1, 8.2

02: Human Resources Security
  (.04i) Termination of Employment / Removal of Access Rights
  • HIPAA 164.308(a)
  • PCI DSS 8.1.3

03: Risk Management
  (.01b) Performing Risk Assessments
  (.01c) Risk Mitigation
  • HIPAA 164.308(a)
  • PCI DSS 1.2

06: Compliance
  (c) Protection of Organizational Records (retention)
  (d) Data Protection and Privacy of Covered Information (retention)
  • PCI DSS 3.1

07: Asset Management
  (.02d) Classification Guidelines
  • HIPAA 164.308(a)

09: Communication and Operating Management
  (.10aa) Monitoring / Audit Logging
  • HIPAA 164.308, 164.312
  • PCI DSS 10.1

10: Information Systems Acquisition, Development, and Maintenance
  (.04) Security of System Files
  • PCI DSS 2.2

11: Information Security Incident Management
  (.01a) Reporting Information Security Events
  • HIPAA 164.308(a)
  • HIPAA 164.404
  • PCI DSS 12
