Policy/Program Change Details
Organizational risk factors were revised as follows:
Note the CSF implementation level that would be selected for an applicable CSF control is determined by one and only one of the multiple risk factors listed in the table for each healthcare vertical in the order of preference indicated. System risk factors generally only impact implementation level selection for system controls; however, regulatory factors can force selection of a higher implementation level for either organizational or system controls as previously discussed. Geographic scope (e.g., multi-state) is also retained.
Rationale
In August of 2014, as part of this ongoing maintenance of the CSF, HITRUST chartered an industry working group to examine the current risk factors and make recommendations for improvement if needed. Upon review, the working group determined that modifications to the volume of business in the organizational factors were needed.
The consensus of working group members was that a significant determinant of relative risk amongst organizations is the number of individual records that they hold and/or process, regardless of the class (or vertical) in which the organization resides. The rationale is based primarily on common use of the average cost of a breach per individual record compromised to estimate the costs of a specific breach. Further, the total number of individual records that could potentially be compromised then provides an estimate of the organization’s maximum exposure in the event of such a catastrophic breach.
However, since in HITRUST’s experience not all healthcare organizations can provide a precise estimate of the total number of individual records they hold, the working group decided to provide an alternative risk factor based on the number of individual records processed annually.
Timetable for Implementation
Effective Date: July 1, 2016 (when used with the CSF v8 Release or later)