Release Notes

 

April 30, 2017

Overview: Applicable Controls Improvement

Reporting

  • The Applicable Controls Report has been refined to also return rationale for the factors contributing to the Control Levels of an Assessment. Available to all MyCSF Customers.
  • Devised from user feedback, a Related Documents Report was added to neatly organize the two-way relationship between HITRUST CSF Requirement Statements and their Related Documents. Available on the Reporting tab to Professional Subscribers and above.

MyCSF

  • Each Assessment now clearly states the CSF Version against which it was generated. Available on the MyCSF Assessment tab to all MyCSF users.

March 26, 2017

Overview: Portal Enhancements

MyCSF Admin Tool

  • The MyCSF Admin Tool has been updated to provide an Access Control Report spliced by two separate views. Available in MyCSF for Account Administrators.
  • Account Administrators can now check the MyCSF Admin Tool for a concise expiration date. Available in MyCSF for Account Administrators.

MyCSF

  • Validated Assessments are now supported with the real-time Gap Identification capabilities allowing users to get a current look into their compliance standing. Available on the MyCSF Assessment tab to all MyCSF users.
  • A more clearly defined Refresh Assessment button has been added to the Administrative Details & Factors. Available on the MyCSF Assessment tab to all MyCSF users.
  • System and Facility records will now auto-save when clicking through them via the navigation arrows. Available on the MyCSF Assessment tab to all MyCSF users.

Assessors

  • Assessor Test Assessments have been transitioned to a new environment allowing for early exposure to upcoming HITRUST CSF and MyCSF updates.
  • From the Admin Tool, Assessors now possess the ability to delete their Test Objects instantly without Support’s assistance.

February 5, 2017

Overview: CSFv8.1

Global

  • The slated HITRUST CSFv8.1 has been integrated into MyCSF. This includes updated Authoritative Source mappings as well as improved language for both the Level Implementations and Assessments. Available in MyCSF for all users.

Reporting

  • The Assessment Requirement List with Related Control Report has been modified to allow sorting the Questionnaire by HITRUST CSF Control Category rather than only the Assessment Domains. Available on the Reporting tab to Professional Subscribers and above.

Corrective Actions

  • The tracking of Required CAPs for Validated Assessments has been significantly overhauled to offer better visibility into progress. Available on the MyCSF Assessment tab to all MyCSF users.

December 31, 2016

Overview: Rep Letter and Interim Changes

MyCSF Assessments

  • The Interim Assessment notification functionality has been improved to better communicate and track upcoming milestones for Validated Assessments. Available on the MyCSF Assessments tab for all MyCSF Customers.
  • MyCSF now incorporates a more user-friendly Rep Letter upload process for Assessments that need to be submitted to HITRUST. Click here for more information. Available on the MyCSF Assessments tab for all MyCSF Customers.

Reporting

  • Assessors will now only be permitted to run the MyCSF generated reports against Assessments where the Reporting Module has been purchased. As an Assessor, you are entitled to one export per Assessment, which can be requested by contacting HITRUST Support.

October 1, 2016

Overview: New Portal and Assessment Simulation

Global

  • The HITRUST MyCSF Portal has been enhanced and optimized to support a more secure and simpler authentication process. Available to all MyCSF Customers.

MyCSF Assessments

  • Users can now predetermine the number of HITRUST CSF Requirement Statements in their Assessment prior to generating/refreshing. Available on the MyCSF Assessments tab for all MyCSF Customers.
  • For Validated Assessments only, Assessor organizations are now required to record the personnel that worked on the review portion of the Assessment. Available on the MyCSF Assessments tab for all MyCSF Customers.
  • Assessors can now log up to 10 documents. Available on the MyCSF Assessments tab for all MyCSF Customers.
  • The Requirement-specific Unique ID has been added to the Domain View of an Assessment. Available on the MyCSF Assessments tab for all MyCSF Customers.
  • The Diary tab has been improved to support both Rich Text and HTML entries. Available on the MyCSF Assessments tab for all MyCSF Customers.

Reporting

  • Using the most popular dashboards in MyCSF, the Dashboards Report has been added to give a consolidated extract for better visualization. Available on the Reporting tab to Professional Subscribers and above.
  • Preexisting Assessment reports can be filtered on the Type of HITRUST CSF Requirement Statements. Available on the Reporting tab to Professional Subscribers and above.

July 1, 2016

Overview: HITRUST CSF and MyCSF Version 8

Global

  • The User Interface has been enhanced to complement a more intuitive user experience. Available to all MyCSF Customers.

MyCSF Library

  • The MyCSF Library has been refreshed to account for the changes outlined in the recently released HITRUST CSFv8. Available to all MyCSF Customers on the MyCSF Library tab.

MyCSF Assessments

  • The Administrative Details & Factors component has been modernized to include the newly devised Risk Factors. Available on the MyCSF Assessments tab for all MyCSF Customers.
  • An Inheritance Model has been introduced to MyCSFv8 that allows HITRUST CSF Requirements to be transferred from completed HITRUST CSF Certified Vendors. More information about Inheritance can be found Here. Available on the MyCSF Assessments tab for all MyCSF Customers.
  • A thorough Assessment Tracking feature was implemented to keep users updated on the progress as it is made to a HITRUST CSF Validated Assessment. More information about the Detailed Assessment Tracking can be found Here. Available on the MyCSF Assessments tab for all MyCSF Customers.
  • The Requirement-specific Unique ID has been added to the Domain View of an Assessment. Available on the MyCSF Assessments tab for all MyCSF Customers.

Benchmarking

  • A Premium Benchmarking feature has been enabled that allows for Industry Segmentation and Benchmark Comparisons with your own Assessments. Available on the Benchmarking tab to Professional Subscribers and above.
  • A Report combining the HITRUST CSF Level Implementations with your Assessment’s corresponding Requirement Statements has been added to MyCSFv8. Available on the Reporting tab to Professional Subscribers and above.

November 1, 2015

Overview: Document linking and CSV Reports

MyCSF Assessments

  • A No longer in scope response status has been added to the Requirement Statements to better help users identify those meeting this criterion. Available on the MyCSF Assessments tab for all subscribers.
  • Promoting a more fluid association between uploaded documents and the Assessments, a document linking element has been created to clearly track the relevant artifacts on a Requirement Statement level. Available on the MyCSF Assessments tab for all subscribers. More information can be found here.

Reporting

  • For our Professional and above subscribers, MyCSF now supports the extraction of all available reporting templates in a Comma Separated Value (CSV) format.

September 27, 2015

Overview: Navigation Help and Assessment tweaks

General

  • A Navigation Menu has been added to the MyCSF Getting Started tab, which will assist new users in locating the main components of the application.

Reporting

  • A listing of all possible HITRUST CSF Requirement Statements, filterable by Assessment, is now included on the Reporting tab. Available for our Professional and greater subscribers.
  • The CSF Library by Level Grouping Reports, found on the MyCSF Library Exports tab, allow users to generate a version of the HITRUST CSF with only user-defined control levels. Available for our Professional and greater subscribers.

MyCSF Assessments

  • The No longer in scope Requirements are now more noticeably labeled with instructions on how to remove these types of statements. Available on the MyCSF Assessments tab.
  • The Assessor tab has been updated to display a “Not Applicable” designation for those meeting this criteria. Available on the MyCSF Assessments tab.

August 23, 2015

Overview: Reporting and MyCSF Library Enhancements

Reporting

  • The Assessment Report with Scores and Assessment with CAPs Report have been merged into the existing Assessment Report. Dynamic parameters permit the inclusion of elements from all three reports. Available on the Reporting tab for our Professional and greater subscribers.
  • The updated Assessment Report has been truncated to considerably shorten the presentation of the auto-generated template. Available on the Reporting tab for our Professional and greater subscribers.
  • Manufactured for our customers preferring the Excel format, the Assessment Report (Column) has been added to support a much more spreadsheet friendly view. Available on the Reporting tab for our Professional and greater subscribers.
  • The Illustrative Procedures Report now includes the user-entered “In Scope” report criteria. Available on the Reporting tab for our Professional and greater subscribers.

MyCSF Library

  • The HITRUST CSF, in both the Library and Exportable Reports, has been cosmetically tweaked to more neatly display the implementation levels outlined in the Framework. Note: The HITRUST CSF itself has not been updated. Available on the MyCSF Library tab.

July 26, 2015

Overview: Dashboard Optimization and Assessment Enhancements

General

  • The MyCSF User Guide has been linked to the Menu Bar. It is now reachable from every page within the application. Available to all MyCSF users.

MyCSF Assessments

  • An Object Button has been added that allows for all “No longer in scope” Requirement Statements for any given Assessment to be deleted. Please note that the Requirement Statements cannot be restored as this action is permanent. Available to all MyCSF users on the MyCSF Assessments tab.
  • The Corrective Action Plan (CAP) email template has been both enhanced and reformatted. Available to all MyCSF users on the MyCSF Assessments tab.

Dashboards

  • The render time for the Dashboards has been optimized. Available to all MyCSF users.

May 15, 2015

Overview: NIST Cyber Security Framework and Reporting

NIST CSF Assessment

  • New to MyCSF, a NIST Cyber Security Framework Assessment will be offered for all customers to evaluate themselves on the 95 sub-categories within the NIST Cyber Security Framework. Available on the MyCSF Assessments Tab.
  • Complementing the newly presented NIST Cyber Security Framework Assessment, an auto-generated scorecard will be included that permits both existing and newly created Assessments the ability to view their NIST Cyber Security position. Available on the Reporting Tab in MyCSF to our Professional subscribers and above.

Interim Assessment

  • Certified Assessments will now be alerted about impending interim reviews as the mandated yearly deadline looms. Available to all MyCSF customers.

Reporting

  • A Dynamic Report employing the factors recorded in the Administrative Details & Factors has been added which will display a more comprehensive listing of all HITRUST CSF Controls and Levels for the Assessment option chosen by the user. Available on the Reporting Tab in MyCSF to our Professional subscribers and above.
  • Utilizing only the answered requirements, a report has been created that will average the Maturity Scores under a domain and convert the numerical value into the corresponding Maturity Rating. It is identical in representation to the Information Security Risk Management Benchmarks for the Healthcare Industry chart. Available on the Benchmarking Tab.

March 29, 2015

Overview: Assessment Changes and Fix

HITRUST CSF Assessments

  • Requested by a current MyCSF customer, the Comments field included on the HITRUST CSF Requirement tab has been expanded to allow easier readability for comments exceeding eight lines. Available on the MyCSF Assessments tab for all MyCSF subscribers.
  • The Factor Status column on the MyCSF Assessments tab has been removed. Available to all MyCSF subscribers.
  • A bug has been corrected which was causing the attributes Is this Control Applicable? and Enter CAPs? to be reverted back to Yes when the HITRUST CSF Assessment was refreshed.

HITRUST CSF

  • The Related Detail Controls are no longer visible in the MyCSF Library.

February 15, 2015

Overview: New Assessments and Baseline Rebrand

Baseline Assessment

  • The Baseline Assessment has been renamed as the CSF Security Assessment. Available on the MyCSF Assessments tab to all MyCSF Customers.

Assessment Options

  • In addition to the CSF Security Assessment, MyCSF now supports three additional CSF Assessments, which provide each customer with an even more organization-specific questionnaire. All are available on the MyCSF Assessments tab to all MyCSF Customers.
  • The Assessment Options are:

 

  1. CSF Security Assessment: Questionnaire created utilizing ONLY the Required CSF Controls for Certification.
  2. CSF Security & Privacy Assessment: Questionnaire created utilizing the Required CSF Controls for Certification as well as the Privacy Controls.
  3. CSF Comprehensive Security Assessment: Questionnaire created utilizing ALL the CSF Security Controls.
  4. CSF Comprehensive Security & Privacy Assessment: Questionnaire created utilizing ALL CSF Controls.

January 27, 2015

Overview: CSF and Reporting Upgrades

Common Security Framework (CSF) v7

  • Incorporates the HIPAA Privacy Rule; NIST SP 800-53 r4 FINAL Appendix J – Privacy Control Catalog; MARS-E – Exchange Reference Supplement for HIXs and supporting requirements for FTI specified in IRS Pub 1075, Tax Information Security Guidelines for Federal, State and Local Agencies; and updates from CMS IS ARS Appendix A, v2.
  • Fundamental to HITRUST’s mission is the availability of a Common Security Framework (CSF) that provides the needed structure, clarity, functionality and cross-references to authoritative sources. The initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI, HIPAA, and COBIT to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with these requirements that apply to healthcare organizations.
  • HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to incorporate new standards and regulations as authoritative sources.
  • The 2015 CSF (v7) release includes changes based on feedback from the community and an updated set of cross-references and security requirements for the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification’s Privacy Rule, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 revision 4 (r4) FINAL Appendix J – Privacy Control Catalog and updates to Control Category 13 – Privacy Practices, previously used exclusively by the Texas Covered Entity Privacy and Security Certification program, based on recommendations from the industry Privacy Working Group. This release also integrates security requirements specified in the Catalog of Minimum Acceptable Risk Controls for Exchanges (MARS-E) – Exchange Reference Supplement for Health Insurance Exchanges (HIXs) and supporting requirements for Federal Tax Information (FTI) specified in Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies; and incorporates changes from the continuing harmonization of CSF requirements; and also incorporates changes in the Centers for Medicaid and Medicare (CMS) Information System (IS) Acceptable Risk Safeguards (ARS), Appendix A – CMSR High Impact Level Data, version 2 (v2).
  • The previous version of the CSF cross-referenced all the controls from NIST SP 800-53 r4 Final and incorporated many of its control requirements. However, extensive changes were made to the CSF to support the Texas Covered Entity Privacy and Security Certification program. Texas certification of a covered entity’s compliance with the HIPAA Privacy Rule—one of the many legislative and regulatory requirements called out in Title 1 Texas Administrative Code Section 390.2 (1 TAC § 390.2)—was initially provided by an interim set of requirements in control category 13.0, Privacy Practices, which was not considered a formal part of the 2014 CSF for the purpose of HITRUST CSF certification. However, the HITRUST industry-led Privacy Working Group provided a final set of recommendations, which are now formally incorporated into the CSF and support HITRUST CSF certification of any covered entity or business associate’s compliance with the HIPAA Privacy Rule. The privacy updates also include requirements specified in NIST SP 800-53 r4 Appendix J – Privacy Control Catalog, much of which is placed in implementation levels required for FISMA compliance or segments devoted to federal agencies and contractors.
  • Another major update to the CSF is the inclusion of CMS’ MARS-E – Exchange Reference Supplement for HIXs and supporting requirements for FTI specified in IRS Pub 1075, Tax Information Security Guidelines for Federal, State and Local Agencies. Given (1) the two documents are based on different versions of the Centers for Medicaid and Medicare Services (CMS) Information Security (IS) Acceptable Risk Safeguards (ARS), v1.5 and v2 respectively, and (2) the specificity of some of the requirements, many of these requirements are contained in their associated industry segments: HIXs and FTI Custodians.
  • This release also incorporates changes to the CMS IS ARS in the v2 release of its high-level baseline. This normalizes all requirements stemming from the CMS IS ARS and IRS Pub 1075 with NIST SP 800-53 r4; however, MARS-E requirements will not be normalized in the CSF until the Exchange Reference Supplement is also updated to reflect the new NIST control catalog.

Other Updates

  • No new controls have been added for HITRUST CSF certification.
  • The table below provides a summary of the changes to the CSF broken down by Control Specification and Implementation Requirement Level. (NOTE: Although not reflected in the table, all CMS references were updated from CMSRs 2012v1.5 to CMSRs 2013v2 throughout the CSF. In addition, changes in CSF Category 13.0 – Privacy Practices are based on the original content used to support the Texas Covered Entity Privacy and Security Certification Program.)

January 25, 2015

Overview: HITRUST CSF and Reporting Upgrades

HITRUST CSF

  • Added in Version Seven, the HITRUST CSF has been enhanced to include the requirements of both MARS-E and the IRS Publication 1075. Available on the MyCSF Library tab to all MyCSF Customers.
  • Also introduced in Version Seven, the CSF has elaborated on the Control Implementations found in the Privacy Domain. Available on the MyCSF Library tab to all MyCSF Customers.
  • The existing Baseline Requirement Statements and Illustrative Procedures have been modified to pose more clearly defined directives. Available on the MyCSF Assessments tab to all MyCSF Customers.

Reporting

  • The Baseline Comparison Report has been attached to the Reporting tab fostering simple evaluations between two CSF Assessments. Available on the Reporting tab in MyCSF to Professional subscribers and above.
  • A Report classifying an Assessment by its relational CSF Control has been added to MyCSF. Available on the Reporting tab in MyCSF to Professional subscribers and above.

December 6, 2014

Overview: Reporting Enhancements and Baseline Update

Reporting

  • A Baseline Report displaying all the user defined corrective action plans (CAPs) grouped on their appropriate Baseline Requirement Statements has been implemented into MyCSF. Available on the Reporting tab in MyCSF to Professional subscribers and above.
  • The two existing Baseline Assessment Reports have been amended to include more detail and filtering capabilities. Available on the Reporting tab in MyCSF to Professional subscribers and above.
  • A new Diary Report has been added to consolidate all diary entries entered amidst the Baseline Assessment. Available on the Reporting tab in MyCSF to Professional subscribers and above.
  • Added to MyCSF, an Illustrative Procedures Report grants users the ability to download a list of all their Baseline Requirement Statements and the associated Illustrative Procedures. Available on the Reporting tab in MyCSF to Professional subscribers and above.
  • By request, an Administrative Details and Factors report has been created to properly list all assessment scoping information. Available on the Reporting tab in MyCSF to Professional subscribers and above.

Baseline Assessment

  • The Illustrative Procedures tab now includes its corresponding Baseline Requirement Statement. Available to all MyCSF customers.

November 2, 2014

Overview: CAP and Incident Updates

Baseline Assessment

  • The Baseline Assessment has been integrated with the Corrective Action Plan (CAP) module to permit the addition of CAP steps while proceeding through an assessment. Available to all MyCSF customers on the Baseline Requirement tab.
  • The Diary tab now includes a logged answer history of all previously saved maturity inputs. Available to all MyCSF customers on the Diary tab.

Incident Response

  • An analysis pertaining to PHI related incidents has been added to the Incident Response module that can help project necessary remedial steps. Available on the PHI Analysis tab to our Incident Response subscribers.
  • Six customizable fields have been added to each incident which provide a better identification and reporting dynamic. Available on the Incidents tab to our Incident Response subscribers.
  • Thirteen exportable reports, offered in both Excel and PDF formats, have been added to supplement the incident findings. Available in the Incident Exports tab to our Incident Response subscribers.
  • Incidents now include a notification component which promotes the tracking of external communications. Available in the Incidents tab to our Incident Response subscribers.

August 17, 2014

Overview: More Reports and Changes to Not Applicable Requirements

Reporting

  • Two Baseline Assessment reports have been added which permit an interactive assortment of Control Level Compliance and Residual Risk Ratings. Available on the Reporting tab in MyCSF to Professional subscribers and above.
  • The Real Time Gap List Report has been updated to now include the maturity inputs entered while completing the Baseline Assessment. Available on the Reporting tab in MyCSF to Professional subscribers and above.
  • Two existing CSF Library reports have been reformatted to present the CSF ordered by columns rather than rows. The Excel export option is highly recommended when downloading these reports. Available on the MyCSF Library Exports tab in MyCSF to Professional subscribers and above.
  • Two CSF Library reports have been added which allow for the CSF to be filtered by its associated authoritative sources. Available on the MyCSF Library Exports tab in MyCSF to Professional subscribers and above.

Baseline Assessment

  • It is now required to provide comments if marking a Baseline Requirement as Not Applicable. Available on the Baseline Requirement tab inside the Baseline Assessment.
  • The maturity values Not Applicable have been removed from the five maturity fields of the Baseline Requirement. The requirement can still be set as such. Available on the Baseline Requirement tab inside the Baseline Assessment.

July 6, 2014

Overview: New Reports and Improved User Assignment

Reporting

  • The two preexisting Baseline Assessment Reports have been updated to include the Requirement Type and Level attributes. Available on the Reporting tab in MyCSF to Professional subscribers and above.
  • A Report, created exclusively for CSF assessors, has been added to consolidate the contents of the Baseline Requirement and Assessor tabs into an easily readable and exportable format. Available on the Reporting tab in MyCSF to Professional subscribers and above.
  • A Report has been added that allows standard users the ability to track baseline question assignment. This report is generated from input into the new user assignment attribute. Available on the Reporting tab in MyCSF to Professional subscribers and above.
  • A Report has been added that displays the related CSF control and level for each respective baseline requirement in an assessment. Available on the Reporting tab in MyCSF to Professional subscribers and above.

Baseline Assessment

  • A User Assignment attribute has been applied to the baseline assessment which allows for easier management and reporting of customer respondents. Available on the Baseline Requirement tab inside the Baseline Assessment.

Detailed Assessment

  • The Detailed Assessment has been removed from MyCSF. This Assessment can no longer be created nor can existing ones be updated. Its replacement is expected out later this year.

June 8, 2014

Overview: Additional Reports and Dashboards

Reporting

  • A CSF Library Report has been added to the MyCSF Library tab allowing for a PDF extract of the Common Security Framework.
  • A CSF Library by Level Report has been added to the MyCSF Library tab allowing for a PDF extract of the Common Security Framework sortable by user-selected Control Reference levels.
  • A Baseline Response Status Report has been added to the Reporting tab. It facilitates more flexible tracking of the baseline assessment and is complemented with PDF export capabilities.

Dashboards

  • Six charts have been included on the Dashboards tab that present the Process, Measured, and Managed maturity inputs from the baseline assessment ordered by domain.
  • The GAP and Risk Dashboards have been relocated to the Dashboards tab.

May 18, 2014

Overview: Introducing Policy Management and Industry Benchmarking

Policy Management

  • Policy Management is a new application developed to centralize policy governance while promoting collaboration through clearly defined workflows. Augmented with exportable reports, drafting and tracking policies is now easier than ever.

Benchmarking

  • Only available in MyCSF, CSF Validated Assessment domain maturity ratings have been implemented on the Benchmarking tab accessible to all MyCSF subscribers. In addition, organizational information for all CSF assessments has been included.

Baseline Assessment

  • For Validated CSF Assessments, specific domains are now capable of being submitted for review prior to the assessment’s completion.

Comments? Suggestions? Send them to HITRUST at feedback@hitrustalliance.net