There’s Something About Frameworks: A Look at HITRUST’s CSF

    Repeat after me: frameworks are not standards. They are instead often used as a guide to navigate through the underlying standards.

    There are lots of frameworks cropping up in the cybersecurity world. If you’re completely new to the idea of, let’s say, protecting critical infrastructure and not even sure how to begin working out the right controls, then you take a trip to NIST’s own Critical Infrastructure Security Framework.

    Is there anything similar in the world of healthcare to navigate its complex security and privacy regulations?

    The folks at the Health Information Trust Alliance or HITRUST have, after working with healthcare and IT experts, come up with their own Common Security Framework (CSF).

    The Nitty Gritty of the Common Security Framework

    A healthcare security framework has to take into account the entire scope of healthcare security, including not just the actual health data, but other data as well, for example, financial and transactional information.

    So it’s not surprising that HITRUST’s sprawling CSF — over 400 pages of guidance goodness covering 13 different areas — has controls that map into HIPAA’s safeguards for protected health information, PCI’s DSS for credit card data, and COBIT controls related to financial information — to name just a few!

    The overall idea is that you dive into the CSF for an area of healthcare you’re interested in safeguarding, say access control, and then find the actual compliance and regulatory mappings. CSF provides several levels of these mappings — Level 1, Level 2, and Level 3 — so that you get increasing granularity in your implementation.

    For example, in the case of CSF’s information access control policy (Control 1.1a), CSF directs you to HIPAA 164.308(a)(4). Remember that HIPAA requirement? It’s where HIPAA tells you to implement a policy so that authorized users can access only the minimum information they need to do their jobs.

    Keep in mind that HIPAA is technology neutral and not overly prescriptive. So if you want a more specific requirement for getting this done, the Level 2 mapping then directs you to ISO 27002 A.9.1.1. To jog your memory, this is where the ISO folks get into the weeds and prescribe specific controls for applications and information.

    Varonis Can Help

    Yes, we can! CSF is a giant meta-standard and a good resource for those planning comprehensive solutions for every aspect of healthcare security, down to the level of electrical equipment safety — see CSF Control 0.8.d and its NIST Cybersecurity Framework mapping!

    Varonis already provides support for many of the key compliance standards — especially the aforementioned HIPAA and PCI — which form the basis of many of the Level 1 and Level 2 mappings.

    If you’re looking for an overall map — yes, another map! — that shows some of the key areas where Varonis can help in CSF, please review the table below.

    01: Access Control
        (.02) Authorized Access to Information Systems
        (.06) Application and Information Access Control
        • HIPAA 164.308(a)
        • PCI DSS 8.1, 8.2

    02: Human Resources Security
        (.04i) Termination of Employment / Removal of Access Rights
        • HIPAA 164.308(a)
        • PCI DSS 8.1.3

    03: Risk Management
        (.01b) Performing Risk Assessments
        (.01c) Risk Mitigation
        • HIPAA 164.308(a)
        • PCI DSS 1.2

    06: Compliance
        (c) Protection of Organizational Records (retention)
        (d) Data Protection and Privacy of Covered Information (retention)
        • PCI DSS 3.1

    07: Asset Management
        (.02d) Classification Guidelines
        • HIPAA 164.308(a)

    09: Communications and Operations Management
        (.10aa) Monitoring / Audit Logging
        • HIPAA 164.308, 164.312
        • PCI DSS 10.1

    10: Information Systems Acquisition, Development, and Maintenance
        (.04) Security of System Files
        • PCI DSS 2.2

    11: Information Security Incident Management
        (.01a) Reporting Information Security Events
        • HIPAA 163.308a
        • HIPAA 164.404
        • PCI DSS 12