HITRUST Update: HITRUST CSF® v9.3 Release

by Sarah Harvey / October 29th, 2019

HITRUST®, a the leader in information security and privacy risk management and compliance programs, has announced a much-anticipated update to the HITRUST CSF in an effort to remain one of the leading data protection standards. HITRUST CSF v9.3 adds new privacy and security standards and updates six others existing within the certifiable framework. These changes were made in response to the ever-shifting information security landscape that is consistently updated with new laws and regulations.

As expected, the most significant updates in the CSF v9.3 are the inclusions of The California Consumer Privacy Act (CCPA) 1798 and The South Carolina Insurance Data Security Act 2018 (SCIDSA) 4655. As these laws are enacted and amended, HITRUST is working to enhance its own framework and continuing to stay up to date on all information security advancements. How do these laws affect HITRUST assessments? Let’s take a look at the basics of CCPA and SCIDSA.

Inclusion of CCPA

CCPA was enacted in 2018 in an effort to provide legal protection of consumers’ personal data and rights to access information about how personal data is shared and stored. The law goes into effect on January 1, 2020 and will affect businesses in and out of California. If an organization conducts business and handles the personal data of California consumers, it may be subject to CCPA. The main legal requirements, as of now, include consumer rights to access, deletion, non-discrimination, and opt-out of selling, privacy disclosure related to data collection and use and disclosure, vendor contract requirements, and implement and maintain reasonable security measures.

HITRUST CSF v9.3 includes information and mapping related to CCPA to provide a holistic framework that meets organizational security needs. As the law is amended and adjusted, HITRUST will continue to update its information to reflect any changes to the law.

Inclusion of SCIDSA

SCIDSA was enacted to establish better standards for data security, investigation, and notification of cybersecurity events. The law requires qualifying organizations to have a comprehensive information security program and proper reporting procedures in place for cybersecurity events. The act was signed into law in 2018 and went into effect January 1, 2019. The main components of SCIDSA requirements include a risk assessment, establishment and monitoring of an information security program, risk management, training, and due diligence, investigation of cybersecurity events, notification of cybersecurity events, and reporting, notices, and certification of compliance.

As more states write and enact their own data security and cybersecurity law, the HITRUST CSF adapts; the inclusion of SCIDSA in v9.3 is a testament to that.

What to Expect From HITRUST CSF v9.3

Other changes in this updated version of the CSF include:

NIST SP 800-171 R2 (DFARS)
AICPA 2017
CIS CSC v7.1
ISO 27799:2016
CMS/ARS v3.1
IRS Publication 1075 2016
NIST Cybersecurity Framework v1.1

Updates for information security laws and policies, plus the enhancements of an updated glossary, source mappings, and streamlined questioning help the HITRUST CSF to become a more well-rounded framework for your organization. If your organization is currently in an existing v9.2 assessment, you won’t see an impact unless you see fit to adjust your assessment to the scope and requirements of v9.3. As 2020 quickly approaches, you can expect to see the major release of HITRUST CSF v10 towards Q4, according to HITRUST. To learn more about HITRUST CSF v9.3 or to talk with an expert, contact KirkpatrickPrice today.