HITRUST® Across Industries: Where the HITRUST CSF® v9.2 is Headed

by Sarah Harvey / January 21st, 2019

Today, HITRUST released the much-anticipated HITRUST CSF v9.2. The changes reflect HITRUST’s effort to leverage international standards and expand adoption into new industries, such as financial services, travel and hospitality, media and entertainment, telecommunications, and startups.

Changes in HITRUST CSF v9.2

The two major changes in the HITRUST CSF v9.2 surround its shift to an agnostic framework and the incorporation of international regulatory requirements. The HITRUST CSF v9.2 extracts healthcare-specific requirements from the three implementation levels and places them in a separate industry control segment, which ensures non-healthcare entities do not see these in their assessment. Healthcare language has always been updated as a part of the agnosticizing effort. For example, terms like “business associates” have been updated to “vendors” and “PHI” has been updated to “covered information.” To expand its international reach, the HITRUST CSF v9.2 includes plain-language versions of the EU’s General Data Protection Regulation (GDPR) requirements and Singapore’s Personal Data Protection Act (PDPA).

Per HITRUST, the other notable changes in this version include changes based on feedback from the HITRUST community, miscellaneous corrections, and the restructuring of category 13.

HITRUST’s Adaptability to New Industries

The CSF began with incorporating standards from ISO, NIST, PCI, HIPAA, and COBIT to set baseline security controls with the goal of normalizing security requirements, providing clarity and consistency, and reducing the burden of compliance with these requirements for healthcare organizations. Now, HITRUST is expanding the CSF beyond healthcare.

Even as an assessor firm, we’re having to adapt how we think about the HITRUST CSF, a historically healthcare-focused framework. Industries like manufacturing, travel and hospitality, media and entertainment, or restaurants don’t have a defined, industry-accepted information security framework; HITRUST is aiming to be that catch-all information security, privacy, and risk management framework so that no organization is left unprotected. If your organization is in an industry that doesn’t have a standard controls framework, the HITRUST CSF may be exactly what you need to help your organization protect its information. By pursuing HITRUST compliance, you’re putting yourself in a better position for the future and making your organization more competitive.

Jeff Pochily, Director of Audit Operations and CCSFP, comments, “The HITRUST CSF has always been the premier framework for information security in the healthcare industry, but that’s never been the limit of its usefulness. It has always been a framework with the potential to drive a mature compliance program in any industry. With increasing frequency I find myself recommending the HITRUST CSF to my clients across industries as a reference and roadmap to building a better compliance program.”

The HITRUST CSF v9.2 is now available within the HITRUST MyCSF. If you are currently in an existing v9.1 assessment, there is no immediate impact to you unless you or your assessor firm decides that v9.2 is more appropriate to the scope and requirements for your organization.

For more information on how you can leverage a HITRUST assessment, especially in industries outside of healthcare, contact us today to start your compliance journey.

More HITRUST Resources

What is a HITRUST CSF Audit?

Preparing for a HITRUST CSF Assessment

How to Scope a HITRUST Engagement

The HITRUST CSF Assessment Process and Beyond