Expanded Framework Enables NIST Cybersecurity Certification and More

HITRUST is pleased to announce the official release of version 9 (v9) of the CSF framework. This release demonstrates the continued evolution of the HITRUST CSF in providing organizations with a comprehensive, common approach to managing information privacy and security risks, including those from cyber.

HITRUST CSF v9 incorporates updates stemming from integration of the FFIEC Information System Examination – Information Security, FedRAMP, the DHS Critical Resilience Review and EHNAC Accreditation requirements, as well as additional content based on a review of the OCR Audit Protocol v2 for compliance with the HIPAA Security Rule, more comprehensive coverage of 21 CFR Part 11, and changes to password requirements based on NIST SP 800-63B.

By addressing this broad collection of regulatory requirements within the single, widely-accepted framework, the HITRUST CSF reduces the resources required to define, implement, and measure risk assessment programs across each of the regulations and standards that apply to an organization’s specific needs.

Assess Once, Report Many

Additionally, HITRUST CSF v9 increases the number of controls required for HITRUST CSF Certification from 66 to 75, enabling organizations to leverage a single risk assessment to obtain a standardized report against a common set of security and privacy controls for an “assess once, report many” approach for multiple industries beyond healthcare, such as financial services and European markets.

With the updates to HITRUST CSF v9, a single CSF assessment includes the controls necessary to address the NIST CsF requirements and an addendum to the HITRUST CSF Assessment report has been added to display the HITRUST CSF controls through the lens of the NIST CsF Core Subcategories.

The HITRUST CSF is the most widely adopted controls framework in the healthcare industry. It is quickly developing as a standard in other industries and is gaining broader adoption internationally. The framework is also recognized as ‘suitable criteria’ for producing an AICPA SOC 2 report.

Integration of the FFIEC information security requirements into the HITRUST CSF and CSF Assurance Program, for instance, expands the framework’s applicability and allows broader adoption in the financial services sector, and provides better context for those reviewing HITRUST CSF Assurance reports from third parties. These enhancements evolve the HITRUST CSF into a more broadly and globally accepted framework that provides value for all types of industry.

Download HITRUST CSF v9

Certification Reminder

Any organizations that wish to certify against the 66 controls required for HITRUST CSF v8.1 certification will need to have an assessment object already in MyCSF prior to the v9 release. The assessment will then have to be submitted for processing within six months. Be advised, there will be no exceptions to this policy.

Helpful Links

Coming Soon – v9.1

HITRUST will be increasing its level of support for global organizational privacy programs in an interim v9.1 release of the HITRUST CSF by incorporating the European Union (EU) Regulation 2016/679, General Data Protection Regulation (GDPR), and mapping the HITRUST CSF’s privacy and security requirements to the AICPA Trust Services Criteria for Privacy. These changes will increase applicability of the HITRUST CSF for privacy programs across multiple industries, both nationally and internationally. HITRUST anticipates v9.1 becoming available in spring, 2018.

If you have questions about the HITRUST CSF v9 updates, please feel free to contact HITRUST at info@hitrustalliance.net.