HITRUST CSF Framework FAQs
Should my organization pause or delay the process of starting a HITRUST CSF Assessment due to these upcoming changes?
No. There is no advantage in waiting to begin your HITRUST journey. The HITRUST MyCSF SaaS platform can be leveraged at any point after changes are introduced to compare the delta in requirement statements between different framework versions, helping customers determine whether switching from v9.x of the framework to v10 (future) makes sense for your organization. Whichever you decide, beginning a HITRUST CSF Assessment utilizing v9.x now will not cause delays or derail the assessment process, but rather give your organization a head start.
What level of implementation will the HITRUST CSF incorporate for NIST SP 800-53r5 (Low, Moderate, High, and/or Privacy)?
HITRUST will integrate all controls available in NIST SP 800-53r5. The HITRUST MyCSF SaaS platform will provide the ability to sub-select one or all of the NIST 800-53r5 baselines that work for your situation – Low, Moderate, High, and/or Privacy.
Will NIST SP 800-53r5 impact the structure of the HITRUST CSF?
The enhancements planned for Q1 2021 will structurally change the HITRUST CSF; however, it will not be impacted by the inclusion of NIST SP 800-53r5 nor will it require “relearning” of the framework. Upon release in Q1 2021, customers will have the ability to sort requirement statements by specific criteria such as NIST SP 800-53r5 within the HITRUST MyCSF SaaS platform.
Will HITRUST be incorporating NIST SP 800-53r5 into the HITRUST CSF and when?
Yes. HITRUST will soon announce more details on scheduled enhancements aimed at reducing complexity while maintaining comprehensive, best-in-class risk management strategies via the HITRUST Approach. These changes are planned for Q1 2021 and include incorporating 800-53r5 in the HITRUST CSF.
Will v9.4 and v9.3 both be in MyCSF?
Yes, both v9.3 and v9.4 will be accessible in MyCSF.
What’s different between v9.3 and v9.4?
v9.4 integrates the Department of Defense (DoD) Cybersecurity Maturity Model (CMMC) Framework version 1.0 and NY DOH Office of Health Insurance Programs SSP v3.1.
If an organization is in the process of starting an Assessment in v9.3, should they re-evaluate and move to v9.4?
The reason an organization would move to v9.4 would be to incorporate the Department of Defense (DoD) Cybersecurity Maturity Model (CMMC) Framework version 1.0 and/or NY DOH Office of Health Insurance Programs SSP v3.1.
How will this impact existing v9.3 Assessments in process?
There will be no impact, unless an organization and assessor firm determine the changes in v9.4 are more appropriate to the scope and requirements for the assessed entity. Assessments for v9.3 can still be generated despite the release of v9.4.
Why choose the HITRUST CSF over other frameworks (NIST, ISO, etc.)?
The HITRUST CSF integrates and harmonizes data protection requirements from many authoritative sources–such as ISO, NIST, PCI, HIPAA–and tailors the requirements to an organization based on specific organizational, system, and regulatory risk factors. The level of integration and prescription provided by the framework, along with the quality and rigor of the HITRUST CSF Assurance Program and supporting HITRUST products and services makes the HITRUST CSF the easy choice for organizations in all sectors.
How do I get started adopting the HITRUST CSF framework?
The decision to adopt the HITRUST CSF should be made at the organizational level, after which, the organization should perform an internal gap analysis of existing controls against the target controls in the HITRUST CSF. This analysis can be done manually or by utilizing HITRUST’s online GRC-based assessment support tool, MyCSF. Once the data protection posture of the organization is understood, a risk management strategy and implementation timeline can be developed and communicated throughout the organization.
How can I obtain a copy of the HITRUST CSF?
The latest version of the HITRUST CSF framework is available on our website for qualified organizations. A qualified organization is defined as any organization employing a function or activity involving data protection, provided said organization does not offer security and/or privacy products or services. Additionally, any federal, state, or local agency or department may be considered a qualified organization. HITRUST has the right to verify eligibility.
References: CSF Framework Download
(Requires agreeing to the HITRUST CSF License Agreement)
If you are not sure whether your organization is qualified, please contact firstname.lastname@example.org or call 855-HITRUST. HITRUST has the right to verify eligibility.
What is the cost to download the HITRUST CSF?
The HITRUST CSF framework is FREE for qualified organizations.
How is the HITRUST CSF structured?
The HITRUST CSF’s core structure is based on ISO/IEC 27001:2005 and 27002:2005, published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), and incorporates more than 40 other security and privacy related regulations, standards, and frameworks providing comprehensive and prescriptive coverage.
Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through a variety of factors including organization type, size, systems, and regulatory requirements.
HITRUST CSF’s risk-based approach applies security/privacy resources commensurate with level of risk, or as required by applicable regulations or standards, by defining multiple levels of implementation requirements–which increase in restrictiveness. Three levels of requirements are defined based on organizational, regulatory, or system risk factors. Level 1 provides the minimum baseline control requirements; each subsequent level encompasses the lower level and includes additional requirements, commensurate with increasing levels of risk.
The HITRUST CSF is structured along the lines of ISO 27001:2005 with the 11 control clauses (or categories); however, adds an additional control category to address implementation of an Information Security Management Program, similar to that of the ISMS of ISO 27001:2005, and another category to address risk management. HITRUST has also incorporated a 14th control category to address specific privacy practices, such as GDPR, that are otherwise not addressed in the previous 13 categories.
There are 156 security and privacy-related control specifications, with associated implementation requirements; of which, 21 specifically address privacy practices.
Is the HITRUST CSF an industry standard for healthcare?
The HITRUST CSF is a data protection standard not only for healthcare, but can effectively be used by organizations across all sectors. The HITRUST CSF provides a consensus-driven standard of due care and due diligence for the protection of electronic protected health information (ePHI), personally identifiable information (PII), payment card data, proprietary information, and other sensitive information.
Is the HITRUST CSF a compliance-based or risk-based framework?
The HITRUST CSF is a risk-based framework. To understand why, one must understand the intent of selecting and implementing any specified set of controls, whether it is a custom set developed from a traditional risk analysis or one tailored from a pre-defined control baseline developed from such a risk analysis (e.g., ISO/IEC 27001 or NIST SP 800- 53, both of which HITRUST leverages in the CSF). Regardless of the method used, an organization must implement all the selected controls to manage risk at a level deemed acceptable by its leadership. Failure to fully implement all the specified controls necessarily results in excessive residual risk, which then implies that an organization would take a compliance-oriented approach to implementing and maintaining the selected controls, which were of course selected based on an analysis of risk.
Has the HITRUST CSF been adopted internationally?
Yes, organizations outside of the U.S. have implemented the HITRUST CSF. Moreover, additional countries have expressed an interest in HITRUST and we expect this interest to grow as adoption continues to increase within the U.S.
For more information, refer to Understanding and Leveraging the CSF webpage.
How can my organization utilize the HITRUST CSF framework for a SOC 2 report?
HITRUST and AICPA collaborated on the mapping of the HITRUST CSF controls to the AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Subsequently, any AICPA firm can perform a SOC 2 examination, leveraging the HITRUST CSF framework, which allows the client to receive, in a combined format, the HITRUST Certification and a SOC 2 report.
For more information, refer to the SOC 2: Leveraging the CSF webpage, the Deloitte article SOC 2 for HITRUST – A Complementary Reporting Option and the HITRUST CSF to AICPA Trust Services Principles and Criteria mapping.
What is the relationship between the controls categories of the HITRUST CSF and the assessment domains found in MyCSF?
The simple answer is that there is no relationship between the HITRUST CSF control categories and the assessment domains. The HITRUST CSF control categories were derived from ISO and provide the structure for the framework. The assessment domains take the control requirements and group them into logical domains, based on common IT organizational structure. This is done to make performing an assessment more efficient as controls should be well-grouped around typical IT departments.