HITRUST CSF v9 Designed to Strengthen, Simplify, and Enhance Healthcare Regulatory Compliance and Risk Management

Date: April 21, 2017

Written by HITRUST Independent Security Journalist Sean Martin. 

Get ready for more comprehensive compliance and risk management — with less work. HITRUST is putting the finishing touches on the HITRUST CSF v9 and corresponding updates to the HITRUST CSF Assurance Program, with this latest iteration of both expected in July 2017.

If there is one overarching message for the v9 release, it’s enabling healthcare organizations of all sizes and business models to do more with the HITRUST CSF by expanding the mappings of the CSF to additional protocols and frameworks.

HITRUST, in conjunction with its HITRUST CSF Advisory Council, has worked closely with the industry to make improvements to existing parts of the CSF. In addition, the new HITRUST CSF and HITRUST CSF Assurance Program releases integrate and harmonize other industry and regulatory standards, including:

HITRUST CSF Assurance:

  • National Institute of Standards and Technology Cybersecurity Framework: HITRUST CSF Assessments will incorporate controls related to the NIST Cybersecurity Framework (NIST CsF) and the HITRUST CSF Assessment Report will include an appendix showing compliance with the NIST CsF. In addition, organizations obtaining HITRUST CSF Certification will also receive a NIST CsF Certification.


In addition, the v9 releases were influenced by the new HITRUST Threat Catalogue. This exciting HITRUST initiative aligns real-world cyber threats with CSF risk factors and controls.

CSFBASICs Coming Soon to a Small Practice Near You

While not officially part of the CSF and CSF Assurance Program updates, HITRUST is releasing a major iteration of its small business security program, renamed CSFBASICs, in the same timeframe. BASICs stands for “Basic Assurance and Simple Institution Cybersecurity.”

Currently being piloted, CSFBASICs will help small, low-risk organizations adopt a serious, HIPAA-compliant cybersecurity and assurance program. Although CSFBASICs is based on the HITRUST CSF, the requirements and assurance processes are streamlined to help smaller, lower-risk organizations demonstrate compliance and manage risk with less effort. HITRUST is in the final phase of piloting CSFBASICs and elements of its associated CSFBASICs Assurance Program, and estimates both will be generally available later this year.

“I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA,” said Dr. J. Stefan Walker with Corpus Christi Medical Associates (CCMA), a five-physician primary care practice in Texas. “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”

Want to learn more? Be sure to read the blog Finding the Cure: HITRUST Simplifies Cybersecurity Compliance for Small Medical Practices.

A Standardized Approach

The HITRUST CSF is the most widely adopted information privacy and security framework for healthcare organizations, and provides them with a comprehensive, scalable and certifiable approach to regulatory compliance and risk management. The popular HITRUST CSF Assurance Program helps organizations streamline the compliance process by allowing them to assess once and report against multiple sets of requirements. The result: less time and money spent on assurance and demonstrating compliance.

