HITRUST CSF v9.6 Framework FAQs
Will v9.6.0 and v9.5.2 both be in the HITRUST MyCSF platform?
Yes. Both v9.6.0 and v9.5.2 will be accessible in MyCSF.
What’s different between HITRUST CSF v9.6.0 and v9.5.2?
v9.6.0 incorporates modifications of certain requirement statements and illustrative procedures in anticipation of the HITRUST Implemented, 1-year (i1) Validated Assessment release, as well as a refreshed NIST SP 800-53 revision 4 mapping and the inclusion of NIST SP 800-53 revision 4 as a selectable compliance factor.
If an organization is in the process of starting an assessment in v9.5.2, should they re-evaluate and move to v9.6.0?
The reason an organization would move to v9.6.0 would be to incorporate the modifications made to support the introduction of the i1 Assessment type or to select NIST SP 800-53 revision 4 as a compliance factor.
How will this impact existing v9.5.2 assessments in process?
There will be no impact unless an organization and its assessor firm determine that the modifications to certain requirement statements and illustrative procedures in v9.6.0 are appropriate for the scope and requirements of the assessed entity. Assessments for v9.5.2 can still be generated despite the release of v9.6.0.
Why choose the HITRUST CSF over other frameworks (ISO, NIST, etc.)?
The HITRUST CSF integrates and harmonizes information protection requirements from many authoritative sources – including ISO, NIST, PCI, and HIPAA – and tailors the requirements to an organization based on specific organizational, system, and compliance risk factors. The level of integration and prescriptiveness provided by the framework, along with the quality and rigor of the HITRUST Assurance Program and supporting HITRUST products and services, make the HITRUST CSF the easy choice for organizations in any industry.
How do I get started adopting the HITRUST CSF framework?
The decision to adopt the HITRUST CSF should be made at the organizational level; after which, the organization should perform an internal gap analysis of existing controls against the target controls in the HITRUST CSF. This analysis can be done manually or by utilizing HITRUST’s SaaS solution, MyCSF. Once the information protection posture of the organization is understood, a risk management strategy and implementation timeline can be developed and communicated throughout the organization.
How can I obtain a copy of the HITRUST CSF?
The latest version of the HITRUST CSF framework is available to download for FREE on the HITRUST website for qualified organizations. A qualified organization is defined as any organization employing a function or activity involving information protection, provided said organization does not offer security and/or privacy products or services. In addition, any federal, state, or local agency or department may be considered a qualified organization.
If you are not sure whether your organization is qualified, please contact firstname.lastname@example.org or call 855-HITRUST. HITRUST has the right to verify eligibility.
Download the HITRUST CSF v9.6.0 free of charge for qualified organizations.
How is the HITRUST CSF structured?
The core structure of the HITRUST CSF is based on ISO/IEC 27001:2005 and 27002:2005, published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), and incorporates more than 40 other security and privacy related regulations, standards, and frameworks providing comprehensive and prescriptive coverage.
The HITRUST CSF is structured along the lines of ISO 27001:2005 with its 11 control clauses (or categories), but adds an additional control category to address implementation of an Information Security Management Program, similar to the ISMS of ISO 27001:2005, and another category to address risk management. HITRUST has also incorporated a 14th control category to address specific privacy practices, such as GDPR, that are otherwise not addressed in the previous 13 categories.
There are 156 security and privacy-related control specifications, with associated implementation requirements; of which, 21 specifically address privacy practices.
Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through a variety of factors including an organization’s type, size, systems, regulatory, and compliance requirements.
The HITRUST CSF risk-based approach applies security/privacy resources commensurate with the level of risk by defining multiple levels of implementation requirements – which increase in restrictiveness. Three levels of requirements are defined based on organizational and system risk factors. Level 1 provides the minimum baseline control requirements; each subsequent level encompasses the lower level and includes additional requirements, commensurate with increasing levels of risk.
To further tailor the control baseline, the compliance-based approach allows organizations to incorporate additional regulatory or compliance components which meet the organization’s needs and/or requirements.
Is the HITRUST CSF an industry standard for healthcare?
The HITRUST CSF is an information protection standard which can be effectively used by organizations across any industry – not just healthcare. The HITRUST CSF provides a consensus-driven standard of due care and due diligence for the protection of information – including electronic protected health information (ePHI), personally identifiable information (PII), payment card data, proprietary information, or other sensitive information.
Has the HITRUST CSF been adopted internationally?
Yes, organizations outside of the U.S. have implemented the HITRUST CSF. Moreover, additional countries have expressed an interest in HITRUST, and we expect this interest to grow as adoption continues to increase within the U.S.
For more information, refer to the Understanding and Leveraging the CSF webpage.
What is the relationship between the controls categories of the HITRUST CSF and the assessment domains found in MyCSF?
The simple answer is that there is no relationship between the HITRUST CSF control categories and the assessment domains. The HITRUST CSF control categories were derived from ISO and provide the structure for the framework. The assessment domains take the control requirements and group them into logical domains based on common IT organizational structure. This is done to make performing an assessment more efficient, as controls should be well-grouped around typical IT departments.