HITRUST CSF Framework FAQs
Will v9.5.0 and v9.4 both be in MyCSF?
Yes, both v9.5.0 and v9.4 will be accessible in MyCSF.
What’s different between v9.4 and v9.5.0?
The v9.5.0 update incorporates modifications made to support the introduction of the MyCSF Compliance & Reporting Pack for HIPAA.
If an organization is in the process of starting an Assessment in v9.4, should they re-evaluate and move to v9.5.0?
The reason an organization would move to v9.5.0 would be to incorporate the modifications made to support the introduction of the MyCSF Compliance & Reporting Pack for HIPAA.
How will this impact existing v9.4 Assessments in process?
There will be no impact unless an organization and assessor firm determine the MyCSF Compliance & Reporting Pack for HIPAA in v9.5.0 is appropriate for the scope and requirements of the assessed entity. Assessments for v9.4 can still be generated despite the release of v9.5.0.
Why choose the HITRUST CSF over other frameworks (ISO, NIST, etc.)?
The HITRUST CSF integrates and harmonizes information protection requirements from many authoritative sources, including ISO, NIST, PCI, and HIPAA, and tailors the requirements to an organization, based on specific organizational, system, and compliance risk factors. The level of integration and prescriptiveness provided by the framework, along with the quality and rigor of the HITRUST CSF Assurance Program and supporting HITRUST products and services, make the HITRUST CSF the easy choice for organizations in any industry.
How do I get started adopting the HITRUST CSF framework?
The decision to adopt the HITRUST CSF should be made at the organizational level; after which, the organization should perform an internal gap analysis of existing controls against the target controls in the HITRUST CSF. This analysis can be done manually or by utilizing HITRUST’s SaaS solution, MyCSF. Once the information protection posture of the organization is understood, a risk management strategy and implementation timeline can be developed and communicated throughout the organization.
How can I obtain a copy of the HITRUST CSF?
The latest version of the HITRUST CSF framework is available on our website for qualified organizations. A qualified organization is defined as any organization employing a function or activity involving information protection, provided said organization does not offer security and/or privacy products or services. Additionally, any federal, state, or local agency or department may be considered a qualified organization.
References: CSF Framework Download
(Requires agreeing to the HITRUST CSF License Agreement)
If you are not sure whether your organization is qualified, please contact firstname.lastname@example.org or call 855-HITRUST. HITRUST has the right to verify eligibility.
What is the cost to download the HITRUST CSF?
The HITRUST CSF framework is FREE for qualified organizations.
How is the HITRUST CSF structured?
The HITRUST CSF’s core structure is based on ISO/IEC 27001:2005 and 27002:2005, published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), and incorporates more than 40 other security and privacy-related regulations, standards, and frameworks providing comprehensive and prescriptive coverage.
The HITRUST CSF is structured along the lines of ISO 27001:2005, with its 11 control clauses (or categories); however, it adds an additional control category to address implementation of an Information Security Management Program, similar to the ISMS of ISO 27001:2005, and another category to address risk management. HITRUST has also incorporated a 14th control category to address specific privacy practices, such as GDPR, that are otherwise not addressed in the previous 13 categories.
There are 156 security and privacy-related control specifications, with associated implementation requirements; of which, 21 specifically address privacy practices.
Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through a variety of factors including an organization’s type, size, systems, regulatory, and compliance requirements.
HITRUST CSF’s risk-based approach applies security/privacy resources commensurate with the level of risk by defining multiple levels of implementation requirements, which increase in restrictiveness. Three levels of requirements are defined based on organizational and system risk factors. Level 1 provides the minimum baseline control requirements; each subsequent level encompasses the lower level and includes additional requirements, commensurate with increasing levels of risk.
To further tailor the control baseline, the compliance-based approach allows organizations to incorporate additional regulatory or compliance components which meet the organization’s needs and/or requirements.
Is the HITRUST CSF an industry standard for healthcare?
The HITRUST CSF is an information protection standard which can be effectively used by organizations across any industry, not just healthcare. The HITRUST CSF provides a consensus-driven standard of due care and due diligence for the protection of information, including electronic protected health information (ePHI), personally identifiable information (PII), payment card data, proprietary information, or other sensitive information.
Has the HITRUST CSF been adopted internationally?
Yes, organizations outside of the U.S. have implemented the HITRUST CSF. Moreover, additional countries have expressed an interest in HITRUST, and we expect this interest to grow as adoption continues to increase within the U.S.
For more information, refer to Understanding and Leveraging the CSF webpage.
How can my organization utilize the HITRUST CSF framework for a SOC 2 report?
HITRUST and AICPA collaborated on the mapping of the HITRUST CSF controls to the AICPA Trust Services Criteria for Security, Availability, Confidentiality, and Privacy. Subsequently, any AICPA firm can perform a SOC 2 examination leveraging the HITRUST CSF framework, which allows the client to receive, in a combined format, the HITRUST Certification and a SOC 2 report.
For more information, refer to the SOC 2: Leveraging the CSF webpage, the Deloitte article SOC 2 for HITRUST – A Complementary Reporting Option, and the HITRUST CSF to AICPA Trust Services Principles and Criteria mapping.
What is the relationship between the control categories of the HITRUST CSF and the assessment domains found in MyCSF?
The simple answer is that there is no relationship between the HITRUST CSF control categories and the assessment domains. The HITRUST CSF control categories were derived from ISO and provide the structure for the framework. The assessment domains take the control requirements and group them into logical domains, based on common IT organizational structure. This is done to make performing an assessment more efficient, as controls should be well-grouped around typical IT departments.