Written by HITRUST Independent Security Journalist Sean Martin.
Laws in New York and in the European Union are increasingly relevant for many organizations and vendors, and HITRUST has responded. Version 9.1 of the HITRUST CSF®, released to the community on Feb. 27, 2018, incorporates both the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) and the EU’s General Data Protection Regulation (GDPR) — making the HITRUST CSF more open, more comprehensive, and more relevant than ever before.
In addition, HITRUST CSF v9.1 extends the utility of the framework beyond its traditional healthcare domain into other industries, including the financial sector.
Embracing 23 NYCRR 500
HITRUST CSF v9.1 incorporates the New York State Cybersecurity Requirements for Financial Services Companies, also known as 23 NYCRR 500. This helps the financial industry use the standards-based framework to improve protection of its clients’ personal information. Not only are organizations demanding this type of protection after several high-profile data breaches, but the New York State requirement also affects healthcare organizations such as health insurers and their business associates, including those based outside of New York that do business inside the state.
Title 23 NYCRR 500 took effect in March 2017, with a phased two-year transition period. In February 2018, covered entities were required to submit their first certification under this law; in March 2018, covered entities are required to be in compliance with certain sections of the regulation. Additional compliance requirements kick in during September 2018, and the transition period ends in March 2019, when covered entities are required to be in full compliance with 23 NYCRR 500.
Covering the EU GDPR
The EU’s GDPR is much broader in scope than U.S. regulations. The GDPR, which goes into effect in May of this year, essentially covers every industry and every individual in the European Union – and also applies to companies outside the EU that offer goods and services to, or monitor the behavior of, EU data subjects. The regulation applies to a broad array of businesses, though each company must choose how to respond to the regulation and handle GDPR-regulated data.
GDPR is less about the systems and more about the methods with which the information is being collected and stored, the business processes surrounding the use of the information, and the data flows with which the data is accessed and shared. The regulation covers the data itself; the context in which the data is collected, stored, used and destroyed; the controls used to enforce access control and use policies; and the evidence required to prove compliance.
Incorporation of GDPR in HITRUST CSF v9.1 is a key step towards globalization of the framework, through its increased support for global organizational privacy programs. The updated framework now maps to relevant GDPR requirements, allowing organizations to easily manage and report on the controls required to address GDPR, thereby lowering the complexity and cost of compliance.
Deeper into Cybersecurity with NIST CsF
The HITRUST CSF v9.1 makes significant additions in cybersecurity and privacy through its incorporation of the GDPR and 23 NYCRR 500 — but that is not all.
The HITRUST CSF has long supported the NIST Cybersecurity Framework (NIST CsF), which is a framework for reporting on the maturity and effectiveness of an organization’s cybersecurity-related capabilities. The NIST CsF and HITRUST CSF are extremely complementary to each other and can be used together to satisfy many needs within and across organizations, extending far beyond healthcare to cover everything the organization is doing around information security.
The HITRUST CSF provides the details needed to implement each of the NIST CsF’s cybersecurity objectives in the most efficient way possible. Meanwhile, the HITRUST Assurance Program provides a standards-driven process to help organizations monitor, assess, and maintain compliance with the NIST CsF. Because NIST does not provide an assessment tool, practitioners using the NIST CsF without the HITRUST CSF must create these controls themselves.
There is also new recognition by the U.S. GAO of HITRUST CSF v9.1 as a model implementation of the NIST CsF for the healthcare industry – a major step forward for healthcare organizations subject to NIST CsF reporting requirements.
Join the HITRUST March By Adopting the HITRUST CSF v9.1
The new capabilities found in HITRUST CSF v9.1 are making a difference beyond its traditional healthcare domain into other industries, including the financial sector, as well as deeper into privacy and cybersecurity, and healthcare information exchanges. The new framework is available today and can be downloaded from here.