Updates include more granular support for cybersecurity, AICPA SOC2 reporting, contextual data de-identification, cloud services, and expanded requirement details.

The Health Information Trust Alliance (HITRUST) announced today the general availability of the HITRUST CSF Version 8 (v8).  The new release formally integrates the American Institute of Certified Public Accountants’ (AICPA) mapping of the HITRUST CSF to its Trust Principles and Criteria for security, confidentiality and availability, as well as incorporation of the HITRUST De-Identification Framework’s assessment protocol for contextual data de-identification.  The addition of the Center for Internet Security Critical Security Controls (CIS CSC) v6, formerly known as the “SANS Top 20,” and recent cybersecurity guidance from the President’s Precision Medicine Initiative (PMI) provide additional prescription for the safeguards healthcare entities should implement to address extant and emerging threats to patient information.  The v8 release updates existing authoritative sources such as the Payment Card Industry (PCI) Digital Security Standard (DSS) v3 to v3.1 and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v1 to v3.0.1.

A section of helpful links with further information is provided at the bottom of this news alert.

“Although the mappings were already available from AICPA, their formal incorporation into the HITRUST CSF provides an organization the ability to produce scorecards against the Trust Principles and Criteria using virtually any self or validated assessment,” said Ken Vander Wal, chief compliance officer, HITRUST.  Mr. Vander Wal added, “The mappings also help facilitate the efficient production of combined CSF and Service Organization Control (SOC 2) reports, which can provide healthcare organizations significant savings when both reports are required.”

The HITRUST CSF v8 release also integrates an essential element of the HITRUST De-Identification Framework.  “De-identification is a key method for protecting privacy by preventing a patient’s identity from being connected with health information and is a key mechanism for allowing the sharing of health information for secondary purposes under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,” said Dr. Bryan Cline, Vice President, HITRUST.  Incorporation of the HITRUST De-Identification Framework’s contextual assessment model for a de-identified data set’s intended environment helps organizations minimally perturb the data while ensuring a small risk of re-identification.

The addition of the Center for Internet Security (CIS) Critical Security Controls (CSC) v6, formerly known as the “SANS Top 20,” enhances current guidance by providing additional prescription around key controls healthcare entities should implement to better address extant and emerging cyber threats to patient information.

The HITRUST CSF fully addresses the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CsF) subcategories, and the new release incorporates additional recommendations for NIST CsF implementation from the President’s Precision Medicine Initiative (PMI) specific to PMI data.

Integration of the PMI recommendations further supports the role of the HITRUST CSF and CSF Assurance Program as the basis for new sector-specific guidance from the Joint Healthcare and Public Health (HPH) Cybersecurity Working Group on implementation of the NIST CsF by healthcare organizations.

Another major component of the HITRUST CSF v8 release is the availability of granular mappings from the requirement statements used in the HITRUST CSF Assurance Program to the CSF’s underlying authoritative sources.  This level of detail allows healthcare organizations to better evaluate their level of compliance with frameworks and standards such as HIPAA, PCI DSS, and the NIST CsF, as well as help facilitate various risk analyses, such as those used to evaluate alternate controls or accept additional residual risk, by better understanding the intent of the underlying requirements.  The HITRUST CSF v8 release also incorporates two new controls required for HITRUST CSF certification.

This release of the HITRUST CSF updates the organizational risk factors to focus on the amount of sensitive information the organization holds, typically defined as the number of records stored or processed by a healthcare entity. Member consensus of a 2015 Risk Factors working group was that a significant determinant of relative risk amongst organizations is the number of individual records that they hold and/or process, regardless of the type of entity.  The rationale is based primarily on common use of the average cost of a breach per individual record compromised to estimate the costs of a specific breach.  Further, the total number of individual records that could potentially be compromised then provides an estimate of the organization’s maximum exposure in the event of such a catastrophic breach. Alternatively, organizations may determine risk based on the number of individual records processed annually, as the measure is reasonably correlated with the total number of records held.  More information on how HITRUST uses and updates risk factors to help healthcare organizations dynamically tailor HITRUST CSF controls and create a targeted, common baseline to meet their information protection needs can be found in the HITRUST CSF Risk Factors white paper. A link to the document is provided below.

The ever evolving cyber threat landscape coupled with ongoing changes in legislative and regulatory requirements make implementing a comprehensive controls framework more crucial than ever. HITRUST is committed to continuously improve the HITRUST CSF to help organizations meet those challenges. These regular updates ensure organizations have a single, comprehensive information privacy and security framework that incorporates the standards, regulations and best practices relevant to their organization that can be leveraged as part of an overall risk and compliance program.

Along with the HITRUST CSF v8 release, HITRUST is making enhancements to its SaaS assessment and reporting tool, MyCSF, such as detailed assessment tracking, response inheritance capabilities, new benchmarking, and easier navigation.

Helpful Links

• The HITRUST CSF v8 Summary of Changes (included as part of the complete HITRUST CSF download)
• Guidance on Implementing Cybersecurity in Precision Medicine
• The HITRUST De-Identification Framework
• The latest version of the Healthcare Sector NIST Cybersecurity Framework Implementation Guide from the Department of Homeland Security – Cybersecurity Framework Website
• The HITRUST CSF Risk Factors guide
• Information on the MyCSF Release Features – Summer 2016

If you have questions about the HITRUST CSF v8 updates or Summer 2016 MyCSF enhancements, please feel free to contact HITRUST at info@hitrustalliance.net.