HITRUST released the HITRUST CSF v9 as more and more organizations look to the CSF as a way to ensure security and compliance with relevant laws. This new release displays HITRUST’s continuing “evolution of the HITRUST CSF in providing organizations with a comprehensive, common approach to managing information privacy and security risks, including cyber.” To ease the burden of the many compliance requirements relevant to healthcare organizations, HITRUST prioritizes regular updates to the CSF that incorporate evolving regulations and standards. So, what’s new in HITRUST CSF v9? What do organizations need to know when preparing for HITRUST CSF v9 Certification? Here is a summary of the changes in HITRUST CSF v9.
What is HITRUST?
In case you are not yet familiar with the HITRUST CSF, it’s important to understand who HITRUST is and what they have set out to accomplish for entities in the healthcare industry. HITRUST, a not-for-profit organization, was “born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” HITRUST is also a leader in advocacy, awareness, and education relating to the protection of health information. The HITRUST CSF is a certifiable framework that gives organizations a comprehensive, flexible, scalable, and efficient approach to risk management and regulatory compliance.
What’s New in HITRUST CSF v9?
One thing to note is that the number of HITRUST CSF controls required for HITRUST CSF Certification has increased from 66 to 75. This allows organizations to leverage one risk assessment to receive a standardized report against a common set of security and privacy controls, an “assess once, report many” approach.
One of the biggest updates to HITRUST CSF v9 is the incorporation of the NIST Cybersecurity Framework. Cyber threats are a major concern for organizations in the healthcare space, so with v9, a HITRUST CSF assessment will include all necessary controls to address NIST CSF requirements for cybersecurity.
The HITRUST CSF v9 release also incorporates the following:
- Federal Financial Institutions Examination Council (FFIEC) Information Security Handbook – This addition helps financial organizations, specifically those providing their own health benefits, make use of the HITRUST CSF Assessment report more easily.
- Federal Risk and Authorization Management Program (FedRAMP) – The addition of FedRAMP helps organizations that rely on cloud-based services identify a common set of controls for both the provider and the consumer, and will provide future guidance on the roles and responsibilities of each.
- Department of Homeland Security (DHS) Critical Resilience Review (CRR) cybersecurity criteria – This addition helps to enhance cybersecurity assurances.
- Office for Civil Rights’ (OCR) Audit Protocol v2 – As most organizations seeking HITRUST CSF Certification are also subject to HIPAA laws and regulations, this addition ensures that those organizations are prepared to demonstrate compliance with HIPAA laws.
- 21 CFR Part 11 – This addition better supports organizations required to demonstrate FDA compliance.