The HITRUST Third Party Assurance Summit Recap

On February 20-21, A-LIGN sponsored and attended the 2018 HITRUST Third Party Assurance Summit in Chicago, Illinois. The summit focused on third-party risk management, providing information on best practices and effective third-party risk management strategies leveraging the HITRUST CSF Assurance Program. As third-party assurance remains a crucial component of an organization’s risk management program, it’s important that organizations implement an effective program that manages the risk imposed throughout the entire supply chain. The summit included facilitated discussions, educational sessions, and networking opportunities. Additionally, the HITRUST Alliance made announcements surrounding its Threat Catalogue, HITRUST CSF, and the MyCSF tool.

HITRUST Threat Catalogue

The HITRUST Threat Catalogue will give organizations greater visibility into their risk exposure by aligning cyber threats with HITRUST CSF risk factors and controls, a combination not found in other information security frameworks. The goal of the Threat Catalogue is to help organizations improve their information security posture by simplifying the risk analysis process. The catalogue will be used by the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) to help healthcare organizations react to threat intelligence, and to help them satisfy their obligation under the HIPAA Security Rule to identify all reasonably anticipated threats to electronic protected health information (ePHI).

The HITRUST Threat Catalogue Working Group will develop and maintain the catalogue on a continual basis, focusing on four principal tasks:

  1. Identifying and leveraging an existing threat taxonomy for common adversarial and non-adversarial threats to ePHI
  2. Enumerating all reasonably anticipated threats to covered information for an organization
  3. Mapping HITRUST CSF control requirements to the enumerated threats
  4. Identifying additional information needed in future iterations of the HITRUST Threat Catalogue to help meet its objectives

The initial version of the catalogue will be available in March 2018.

HITRUST CSF v9.1 and v10.0

The latest release, HITRUST CSF v9.1, addresses the European Union’s General Data Protection Regulation (GDPR) and the New York State Cybersecurity Requirements for Financial Services Companies (NYCRR). Organizations being assessed under the prior version, HITRUST CSF v9.0, will have a six-month grace period from the release date to submit their assessment to HITRUST. Organizations being assessed under HITRUST CSF v8.1 only have until early March 2018 to submit their assessment.

If you have already submitted an assessment under v8.1 or v9.0 to HITRUST, you will not be affected by v9.1 until your organization is due for re-certification. However, A-LIGN recommends that organizations perform an internal risk assessment to address the GDPR and NYCRR requirements and to determine whether those regulations apply to them.

Furthermore, HITRUST announced the planned release of HITRUST CSF v10.0 in the fall. The planned version will make the assessment applicable beyond healthcare and across a variety of industries. A set of core requirements will be the baseline for every assessment. Organizations looking to achieve HIPAA compliance will need to select HIPAA as part of the additional regulatory factors in all v10 and later assessments.

MyCSF Tool 2.0

Lastly, HITRUST announced that an updated version of the MyCSF Tool will be released this year. MyCSF 2.0 will enter its beta phase in April and will incorporate ad hoc reports, default scoring functionality, enhanced navigation, and linking of evidence to multiple requirements.

Organizations that use MyCSF 2.0 and conduct their assessment within the updated version will also have their interim assessments conducted in the tool. If you are using the current version of the MyCSF tool, you will continue conducting the assessment the same way.

As a HITRUST CSF Assessor firm, A-LIGN helps provide compliance solutions for healthcare organizations and their business associates. Our certified practitioners are members of both the HITRUST CSF Assessor Council and Quality Subcommittee and have extensive experience providing information security auditing and advisory services to organizations in the healthcare industry.

For more information on HITRUST Certifications, please contact us to speak with one of our HITRUST Practitioners.