HAA 2016-003: HITRUST CSF Assurance Program Change Related To The Addition Of A Required Control For Certification In HITRUST CSF V8.
<< All Blogs

Date: March 11, 2016

Impacted Policy/Program Name
CSF Assurance Program Requirements
Date
January 12, 2016
From
Ken Vander Wal, Chief Compliance Officer, HITRUST
Advisory Type
Requirement Change

Policy/Program Change Details
This change adds CSF control 01.t Session Time-out to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. Failure to include CSF control 01.t after the 2016 release will prevent organizations from submitting their assessments for HITRUST validation and certification. This addition increases the total number of CSF controls required for HITRUST CSF certification from 64 to 65.
Rationale
HIPAA § 164.312(a)(2)(iii), an addressable implementation specification that requires organizations to “implement electronic procedures that terminate an electronic session after a pre-determined time of inactivity,” is currently supported by CSF control 01.h, Clear Desk and Clear Screen Policy, for the purpose of HITRUST CSF certification. Although CSF control 01.h requires the use of a protected screen and keyboard locking mechanism if a user is logged into a computer or terminal, CSF control 01.t more specifically addresses the intent of the language in the HIPAA specification.
Timetable for Implementation
Effective Date: Assessments generated with Version 8 of the HITRUST CSF
Enforcement Date: Assessments generated with Version 8 of the HITRUST CSF

<< All Blogs

Chat Now

This is where you can start a live chat with a member of our team