Written by HITRUST Independent Security Journalist Sean Martin.
The evolution continues! From its humble beginnings as a common security framework for the healthcare industry, the HITRUST CSF has broken new ground in providing organizations with a comprehensive approach toward regulatory compliance and security and privacy risk management. The eighth version of the HITRUST CSF was released to member organizations and the public at large in 2016, formally integrating mappings for the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria, as well as providing content updates for the HITRUST De-Identification Framework, the Center for Internet Security Critical Security Controls (CIS CSC) v6, the Payment Card Industry Digital Security Standard (PCI DSS) v3.1, and more.
Next year will see the release of the HITRUST CSF v9 — but first, there will be an intermediate release, v8.1, which will be finalized before the end of 2016 and rolled out in January 2017. As explained by Bryan Cline, Ph.D., Vice President of Standards and Analytics for HITRUST, CSF v8.1 will provide additional timely updates, such as bringing the CSF framework up to date with PCI DSS v3.2 and MARS-E v2.
A major focus for CSF v8.1 is to improve some of the framework’s documentation supporting assessment. For example, v8.1 simplifies some of the existing language in MyCSF assessment statements, which is intended to make the requirements more understandable – and subsequently more consumable by industry organizations. It will also update some of the existing illustrative procedures to ensure consistent rigor and specificity across control requirements.
Also in CSF v8.1 will be preliminary mappings to CSF BASICs, or “Basic Assurance and Simple [as opposed to complex] Institutional Cybersecurity” – a new HITRUST program to help smaller, relatively low-risk organizations successfully adopt a cybersecurity and assurance program. The program went through an initial pilot with a small physician practice in early 2016 and is expected to undergo a second pilot with more small practices later this year.
Dr. Cline said that BASICs really goes back to the basics by focusing on good security hygiene for smaller organizations. “It will eventually be supported by a separate environment from the existing MyCSF assessment support tool, and specifically designed to help implement and assess the CSF in smaller organizations,” he said. “A preliminary ‘manual’ or paper-based version of BASICs will come out with v8.1; and we anticipate the BASICs online support environment will be rolled out with the v9 release.”
This next annual update, HITRUST CSF v9, is expected to include these changes and content updates:
- The Cyber Resilience Review (CRR). The CRR, from the US-CERT team, is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by Department of Homeland Security cybersecurity professionals. “The CRR helps organizations get a consistent view across critical infrastructure industries of how well they are prepared for cyber threats,” said Dr. Cline. “By mapping to the CRR, we provide yet another view of an organization’s cyber resilience.”
- The Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Dr. Cline said, “HITRUST members will really like our focus on cloud service providers. We are starting off this release with Infrastructure-as-a-Service (IaaS). In this area, there’s a lot of confusion about what cloud providers are responsible for, what the user is responsible for, and what is a joint responsibility. The FedRAMP mappings will help organizations with that.”
- The Federal Financial Institutions Examination Council (FFIEC) uniform principles and reports. The FFIEC is an interagency council that prescribes standards for financial bodies such as the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA) and the Consumer Financial Protection Bureau (CFPB). “Many businesses and organizations that support the healthcare industry also support the financial community, so they care about FFIEC,” Dr. Cline explained. “We anticipate there will be some minor changes in content as well as some new content in addition to the mappings. Some of that content may be incorporated into existing standard levels, but we may need to incorporate finance industry-specific content into a separate industry segment, which we use for certain data and organization types,” he added.
HITRUST CSF v9 is slated for release in mid-2017.