Adoption of HITRUST CSF continues to grow as a global privacy and security framework with recognition by NIST and GAO

Frisco, TX – March 1, 2018 – HITRUST announced today the release of version 9.1 of the HITRUST CSF®. This version incorporates both the EU General Data Protection Regulation (GDPR) and New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). With this expanded version, HITRUST continues to build on its initiative to make the HITRUST CSF – a widely used information privacy and security framework – more open and comprehensive so that it can be applied more effectively across a variety of global industries.

Incorporation of GDPR is a key step towards the internationalization of the HITRUST CSF and increased support for global organizational privacy programs. The updated framework now maps the GDPR requirements (consisting of 99 Articles and 173 Recitals), allowing organizations to easily manage and report on the controls intended to address GDPR in order to lower the overall complexity, level of effort and cost of compliance.

Further, HITRUST is working with the Data Protection Authorities to pursue accreditation as an approved and accredited certification body for GDPR. This approach will allow organizations to perform one assessment to cover multiple regulations, frameworks or standards, such as HIPAA, GDPR and NIST Cybersecurity.

With the looming enforcement date of May 25, GDPR affects organizations outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. This classifying personal data ranges from names, addresses and telephone numbers to credit card information, social media posts and health information and has important implications for a vast number of businesses in the United States.

“GDPR signals a move towards a more international standard for information privacy. With this new version, we have modified the HITRUST CSF controls to meet the requirements for a comprehensive assessment of GDPR risk posture. This is critical given that GDPR is one of the key compliance issues currently facing privacy officers worldwide,” said Anne Kimbol, Associate General Counsel and Chief Privacy Officer, HITRUST.

“GDPR takes several leaps forward from where the US regulations are today and provides organizations with an opportunity to manage privacy and risk in a meaningful way,” said Kirk Nahra, partner, Washington DC-based Wiley Rein and member, CSF Advisory Council. “With the inclusion of GDPR in the next release of the HITRUST CSF, organizations can begin to obtain a holistic view of their compliance posture; bringing them that much closer to meeting the major regulations they face, regardless of the industry in which they operate.”

In another important step toward increased support for organizational privacy programs, v9.1 of the HITRUST CSF incorporates the New York State Cybersecurity Requirements for Financial Services Companies, now enabling the financial industry to leverage the framework to increase the protection of personal information – a concern addressed by the state after several high-profile breaches. This state requirement not only affects financial institutions but also healthcare organizations such as health insurers and their business associates, including those outside of New York.

With the growing threat to the security and privacy of all organizations, many industries are turning to the HITRUST CSF, which is already broadly adopted within the healthcare and public health (HPH) sector. This cross-industry adoption is further validated by two new reports: the NIST Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT) recognizes the HITRUST CSF as an industry-led security standard that addresses multiple areas of concern; and the Government Accountability Office (GAO) Report to Congressional Committees on Critical Infrastructure Protection cites the HITRUST CSF as a means of demonstrating compliance with the NIST Framework for Improving Critical Infrastructure Cybersecurity in the HPH sector.

HITRUST CSF v9.1 and updates to the CSF Assurance program stay true to HITRUST’s commitment to address security and privacy risk management, streamline the assessment process, and extend the “assess once, report many” approach. HITRUST, in consultation with the HITRUST CSF Advisory Council, regularly updates the CSF to respond to relevant and timely information security and privacy issues.

“HITRUST continues to agnosticize the CSF to support multiple industries and expand its use abroad. This latest release demonstrates our commitment to ensure the HITRUST CSF stays relevant to the information risk management, data protection, and regulatory compliance needs of domestic and global organizations through incorporation of new standards and regulations,” said Bryan Cline, Vice President, Standards & Analysis, HITRUST.

HITRUST will be available to discuss the HITRUST CSF v9.1 at the Healthcare Information and Management Systems Society (HIMSS) Conference, held March 5-9 in Las Vegas, Cybersecurity Command Center booth 8500-29.

To download the HITRUST CSF v9.1 visit:


Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.

HITRUST actively participates in many efforts in government advocacy, community building, and cybersecurity education. For more information, visit

View the official press release here.