What to Expect in the HITRUST CSF v9.1 Release

HITRUST confirmed the HITRUST CSF Version 9.1 would be scheduled to release to the assessor community this month, January 2018 for review and to provide feedback. The assessors will have 30 days to provide feedback after which the CSF v9.1 final version will be released to the public in February.

HITRUST has seen an increased use of the HITRUST CSF outside of healthcare to meet the demands for increased cybersecurity in other industries. Therefore, the anticipated changes in CSF v9.1 aim to aid in the wider adoption of the HITRUST framework to improve security programs in various industries. The new requirements incorporated improves the security controls for additional industries.

For continuous expansion and increased support of privacy programs, CSF v9.1 will incorporate the European Union’s General Data Protection Regulation (GDPR), and New York State Cybersecurity for Financial Services Companies (NYCRR). It’s important to recognize that organizations not subject to either GDPR or NYCRR, can utilize the control requirements to improve their security and privacy initiatives.

General Data Protection Regulation

The European Union data privacy regulation, GDPR, will be enforced in May 2018. This regulation aims to protect European consumers through some of the following key requirements:

  • Classifying personal data
  • Requiring consent when collecting information
  • Appointing a Data Protection Officer (DPO) while monitoring individuals through targeted online advertisements or company loyalty programs
  • Notifying both privacy regulators and consumers of a breach within 72 hours of discovery
  • Allocating the individual’s right over the use of their personal data

By integrating GDPR with HITRUST, the CSF will improve protection of personal data as well as raise the standards for consumer privacy, effecting a variety of industries and organizations within the United States.

New York State Cybersecurity for Financial Services Companies

Due to numerous data breaches in both the financial and healthcare industries, the state of New York released a cybersecurity management program. Effective March 2017 for all institutions regulated by the New York State Department of Financial Services (DFS), the regulation is designed to better protect consumer information and better manage the threat landscape through key requirements including, but not limited to:

  • Implementing a cybersecurity program
  • Designing a cybersecurity policy
  • Appointing a Chief Information Security Officer
  • Conducting a risk assessment
  • Employing multi-factor authentication

By adding the requirements of NYCRR to HITRUST CSF v9.1, both the healthcare and financial industry can utilize CSF v9.1 to develop and enhance cybersecurity resilience and protection.

Are You Ready for HITRUST CSF v9.1

The frequent HITRUST CSF updates continuously improve the framework to include new standards that better equip organizations in various industries to achieve compliance with regulatory, and contractual requirements, and to strengthen the overall security and privacy of their data.

Although the updated CSF v9.1 has not been officially released, organizations can prepare for the release by reviewing the GDPR and NYCRR requirements to determine how it can affect their organization.

Organizations being assessed under the prior version, HITRUST CSF v9.0, will have a six-month grace period from the release date to submit their assessment to HITRUST. It is also important to note that organizations being assessed under the prior version will need to purchase the MyCSF portal and create an assessment object before v9.1 is released. Having purchased the portal without creating an assessment object under v9.0 is not sufficient to be eligible for the six-month grace period; an assessment object will have to be created to avoid being rolled over to v9.1. Organizations being assessed under HITRUST CSF v8.1 only have until early March 2018 to submit their assessment.

If you have already submitted an assessment under v8.1 or v9.0 to HITRUST, you will not be immediately affected by v9.1 until your organization is due for re-certification. Recertification will be two years from your original certification date, however, A-LIGN recommends organizations perform an internal risk assessment to address GDPR and NYCRR requirements, and to determine whether it applies to you.

Want to learn more about preparing for HITRUST CSF v9.1? A-LIGN’s professionals have experience with healthcare organizations and their business associates. Contact us today for more information and to have your questions answered at [email protected] or call (888) 702-5446.