HITRUST CSF v9 Summary of Changes

Fundamental to HITRUST’s mission is the availability of a common information protection framework, the CSF, that provides the needed structure, clarity, functionality and cross-references to authoritative sources. The initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI, HIPAA, and COBIT to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with these requirements that apply to healthcare organizations.

HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to incorporate new standards and regulations as authoritative sources.

The HITRUST CSF v9 release includes changes based on feedback from the HITRUST community and specific updates based on the incorporation of the FFIEC Information Systems Examination Handbook, Information Security, FedRAMP, the DHS Critical Resilience Review and EHNAC accreditation requirements, as well as additional content based on a review of the OCR Audit Protocol for compliance with the HIPAA Security Rule and more comprehensive coverage of 21 CFR Part 11 for electronic records and signatures. The v9 release also makes significant changes to password requirements based on the release of NIST SP 800-63B, which will be reflected in NIST SP 800-53 revision 5. Minor administrative updates, such as the correction of grammar or formatting errors, are not reflected in the Summary of Changes. Simple mapping updates based on a change in an Authoritative Source’s version number that do not have an impact on existing content are also not reflected.

Note: EHNAC has fully incorporated the HITRUST CSF into their various accreditation programs; consequently, mappings to legacy EHNAC accreditation requirements are not reflected in the Summary nor in the CSF. Note also that changes to HIPAA Security Rule-related requirements based on the OCR Audit Protocol v2 are reflected in the Summary by way of justification, but these changes are not reflected in the CSF, given that they merely provide clarity on what HHS intended by the Rule’s standards and implementation specifications.

Other Updates

Ten (10) controls required for certification under CSF v8.1 were removed and nineteen (19) new controls were added to those required for certification under CSF v9, for a total of 75 of the 135 controls an organization is required to implement to reduce risk to a minimally acceptable level.

Download the HITRUST CSF v9 free of charge.