Mac McMillan, CEO of health IT consultancy CynergisTek and current chair of the HIMSS Privacy and Security Policy Task Force, has long warned that health care organizations are too focused on regulatory compliance rather than effective security practices.

"There’s no reason you can’t address protecting PHI from a security perspective with compliance a byproduct of doing that," he said.

He sees the CSF program as just another framework, and one of the key issues is adoption.

"This HITRUST thing will help the industry only if the industry adopts it across the board. If some people use it and others don’t, you’re back where you started. If they’re all using it, are they all applying it in the same way? Are they applying it with the same basic level of understanding of what the control ought to be? Or is it still loosely open to interpretation?" he said.

"It’s not that you have a framework; it’s how you apply the framework. You can follow HITRUST, you can follow NIST or ISO, you can address every single requirement and do a poor job of it and still be just as insecure as you would be without doing it," he said, adding that several of the recent big breaches involved organizations that were CSF certified.

In a survey, Information Security Media found that 53 percent of health care organizations rely on the NIST framework as the basis of their information security programs, while 32 percent use a hybrid approach. Some 25 percent said they use HITRUST CSF and 25 percent use ITIL (Information Technology Infrastructure Library). Respondents could select more than one answer.

"One of the things we’ve been talking about at CHIME (College of Healthcare Information Management Executives) and its security group AEHIS (Association for Executives in Healthcare Information Security), is that what’s needed is a basic set of requirements for what’s acceptable in handling protected health information and connecting to systems that have protected health information," he said. "HIPAA doesn’t provide that, and even most of the standards, whether it’s CSF or NIST or ISO, don’t provide that. They provide guidance – a set of controls you should evaluate. But there’s nothing that says, 'The minimum you should do is XYZ.' And that’s what would probably be most helpful to the industry overall."

Encryption Example

McMillan points to the encryption language in the HIPAA rule as an example of when OCR got it right. Yet, so far, encryption isn’t mandatory if you can make a case for why an alternate control would be more appropriate. After the cyberattack against Anthem, however, lawmakers said they plan to review whether HIPAA should make encryption mandatory.

Biondo maintains that the government has already laid out the minimum requirements through the NIST framework, though he concedes that they really are guidance.

"To pull that information into your organization and to map those requirements to controls that mean something to your organization, is very doable, but it’s not very easy. It’s actually quite expensive," he said. He said he initially was a naysayer about the CSF program, expecting it would find a lot of gaps that would be expensive to fix. That wasn’t his organization’s experience, however, and he said he found the process relatively painless.

He praised the program for helping organizations prioritize the controls on which they need to focus.

"HITRUST has already done the mapping across multiple frameworks, not just NIST. It’s a broader framework, it’s a flexible framework. It allows you to develop your own custom controls and it will allow you to do that very quickly. Plus it’s constantly updated," he said.

Susan Hall has been a journalist for more than 20 years at news outlets including the Seattle Post-Intelligencer, Dallas Times Herald and She writes for and FierceHealthIT.