HITRUST is continuously updating the HITRUST CSF to respond to relevant and timely information security and privacy issues. With the growing threat to security and privacy across all industries, HITRUST has seen an increase in adoption of the HITRUST CSF outside of the healthcare and public health sector – and internationally. To meet the demands for increased cybersecurity, HITRUST is making the HITRUST CSF – the most widely used information privacy and security framework for healthcare organizations – more open and comprehensive, so that it can be applied more effectively across a variety of global industries.

HITRUST CSF Version 9.1, scheduled for interim release in January of 2018, will incorporate both the EU General Data Protection Regulation (GDPR) and New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). Incorporation of the GDPR is part of HITRUST’s initiative towards internationalization of the CSF and increased support for global organizational privacy programs.

Because the EU classifies as personal data everything from names, addresses and telephone numbers to credit card information, social media posts and health information, incorporation of the GDPR will have important implications for a vast number of businesses in the United States.

Integrating the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) into the HITRUST CSF will enable the financial industry to leverage the framework to achieve better cybersecurity resilience and protection.

Part 500 of Title 23 NYCRR requires organizations to implement cybersecurity best practices, such as encrypting data both in transit and at rest. It also requires them to have a cybersecurity policy addressing areas such as:

  • Protection of information systems and nonpublic information
  • Disclosure of cyber events to state regulators
  • Satisfactory assurances from vendors and suppliers on how they protect covered information

The New York State Cybersecurity Requirements for Financial Services Companies affect not only financial institutions but also healthcare organizations such as health insurers and their business associates, including those outside of New York.

The integration of 23 NYCRR 500 into the HITRUST CSF helps organizations that use the framework increase the protection of their personal information, a concern addressed by the state of New York after several high-profile breaches within the healthcare and financial industries.

For more information on the HITRUST CSF v9.1 release, contact us at info@hitrustalliance.net.