HITRUST CSF® v9.1 Summary of Changes

Incorporates changes stemming from 23 NYCRR 500 and GDPR

Fundamental to HITRUST’s mission is the availability of a common information protection framework, the CSF, that provides the needed structure, clarity, functionality and cross-references to authoritative sources. The initial development of the CSF leveraged nationally and internationally accepted standards, including ISO, NIST, PCI, HIPAA, and COBIT, to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of complying with the requirements that apply to healthcare organizations.

HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to incorporate new standards and regulations as authoritative sources.

The HITRUST CSF v9.1 release includes changes based on feedback from the HITRUST community; miscellaneous corrections; and incorporation of regulatory requirements from the New York (NY) State Department of Financial Services Cybersecurity Requirements Regulation (CRR) for Financial Services Companies Part 500 (NY CRR 500) and the European Union (EU) General Data Protection Regulation (GDPR), which replaces the EU Data Protection Directive. These updates reflect HITRUST’s commitment to facilitate application of the CSF across multiple industries, both nationally and internationally, which will continue in the next major release of the framework.

Minor administrative updates, such as the correction of grammar or formatting errors, are generally not reflected in the Summary of Changes. Simple mapping updates from one version of a source to a newer version, which do not impact existing content, are also generally not reflected.

Other Updates