HITRUST Update: HITRUST CSF v9.1 Release

by Sarah Harvey / March 8th, 2018

HITRUST’s Continual Effort to Evolve

As more and more organizations look to the HITRUST CSF® as a way to ensure security and compliance, HITRUST continually updates the framework to incorporate evolving regulations and standards. What’s new in HITRUST CSF v9.1, HITRUST’s latest release? HITRUST CSF v9.1 includes changes based on community feedback as well as two major updates: support of GDPR and 23 NY CRR 500 requirements. The incorporation of these regulations support HITRUST’s initiative to make the framework more comprehensive and facilitate the application of the HITRUST CSF across multiple industries in order to internationalize the framework.

Jessie Skibbe, VP of Strategic Development and Chief Compliance Officer at KirkpatrickPrice and member of the 2018 HITRUST CSF Assessor Council, states, “HITRUST is paying attention to recent cyber threat activity and breach data, as well as working closely with regulators and industry leaders to create a comprehensive framework that will self-regulate and provide due diligence. It’s something that you can feel good about implementing. Whether a HITRUST CSF assessment is something that clients require of you or whether it’s something that you’re choosing on your own accord, you can be assured that HITRUST is committed to their users and will continue to update the framework.”

So, what’s new in HITRUST CSF v9.1 and what do organizations need to know when preparing for HITRUST CSF v9.1?

23 NY CRR 500 Overview

23 NY CRR 500 OverviewEffective March 1, 2017, the New York (NY) State Department of Financial Services Cybersecurity Requirements Regulation (CRR) for Financial Services Companies Part 500 (NY CRR 500) established cybersecurity requirements for financial services companies. The regulation requires that companies develop a cybersecurity program, based on internal and external risk, that protects sensitive customer information and the confidentiality, integrity, and availability of companies’ information technology systems. Some key elements of this cybersecurity program, as outlined in 23 NY CRR 500, include:

  • Management’s involvement and approval
  • Developing and implementing cybersecurity policies and procedures
  • Appointing a Chief Information Security Officer
  • Performing penetration testing and vulnerability assessments
  • Conducting a thorough risk assessment
  • Employing access privileges, application security, multi-factor authentication, and encryption methods
  • Training your employees
  • Developing an Incident Response Plan

When preparing for HITRUST CSF v9.1, HITRUST encourages organizations to note, “Integrating 23 NY CRR 500 into the HITRUST CSF will enable the financial industry to leverage the framework to achieve better cybersecurity resilience and protection. The requirements for Financial Services Companies not only affects financial institutions but also healthcare organizations such as health insurers and their business associates, including those outside of New York.”

GDPR Overview

GDPR OverviewBorn out of cybercrime threats, technology advances, and concerns about data misuse, the EU’s General Data Protection Regulation (GDPR) is one of the top regulatory focuses of 2018, even among US companies, and is considered to be one of the most significant information security and privacy laws of our time. GDPR will require all data controllers and data processors that handle personal data of EU residents to “implement appropriate technical and organizational measures…to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.” The applicability of the law follows the data, rather than a person or location. The scope is big and the sanctions are bigger; non-compliance can lead to fines of up to €20 million or 4% of annual global turnover, whichever is greatest.

When preparing for HITRUST CSF v9.1 and GDPR compliance, HITRUST encourages organizations to understand the globalization efforts being made. HITRUST states, “Incorporation of GDPR is part of HITRUST’s initiative towards internationalization of the HITRUST CSF and increased support for global organizational privacy programs. The updated framework now allows organizations to easily manage and report on the controls intended to address GDPR requirements.”

Preparing for HITRUST CSF v9.1

If you aren’t wondering what’s new in HITRUST CSF v9.1 because your organization is currently being assessed under HITRUST CSF v9.0, remember that you have a six-month grace period from the release date (February 26, 2018) to submit your assessment to HITRUST. If you’re under HITRUST CSF v9.0, it’s also important to note that an assessment objective must be created to avoid being rolled over to v9.1.

If you have already submitted an assessment under previous versions, your organization will not be immediately affected by this new release of HITRUST CSF v9.1. As your organization prepares for re-certification, though, we recommend that you continue to perform risk assessments and review 23 NY CRR 500 and GDPR requirements that may impact you. Even if your organization is not subject to GDPR or 23 NY CRR 500, you can utilize the control requirements to improve your security and privacy initiatives.

More HITRUST CSF Resources


Defining HITRUST CSF Compliance Webinar

Navigating HITRUST CSF Compliance Webinar

The HITRUST CSF Assessment Process and Beyond Webinar

Navigating HITRUST CSF Compliance Video Series

For more information on what’s new in HITRUST CSF v9.1 or how to get started with your HITRUST CSF certification process, contact us to speak to a HITRUST CSF expert.