HITRUST CSF v9.2 Opens Up the Framework for All Organizations

With HITRUST v9.2, the Common Security Framework (CSF) continues to be a very powerful and useful security framework for any organization – both inside and outside the healthcare industry.

The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001/27002, NIST, HIPAA/HITECH, PCI DSS, GDPR, and more into one comprehensive system, the HITRUST CSF saves massive amounts of time and energy by assessing once and reporting many.

Thanks to its ability to combine several assessments and frameworks into one framework, the HITRUST CSF allows clients to decide what they want to test against and receive controls based on that level of risk. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like it is only undergoing one. Because of this benefit and its exhaustive focus on security, the HITRUST CSF has been widely praised and adopted by organizations.

Now, with the latest 9.2 update, the HITRUST CSF is positioned to expand beyond the confines of the healthcare industry and help shape the future of security frameworks for organizations in any industry globally.

Any Organization Can Now Pursue HITRUST

Previously, the HITRUST CSF was specifically designed for any entity in healthcare. While the HITRUST framework was robust and effective, there was no use for it if your organization was not handling Protected Health Information (PHI). Thankfully for organizations outside of healthcare that are committed to security, this is now changing.

HITRUST CSF v9.2 goes beyond healthcare by moving to an agnostic framework in which HIPAA can be toggled on or off as a baseline. Toggling HIPAA doesn’t impact healthcare organizations, but it does matter to organizations looking for a scalable framework that is meaningful beyond the healthcare industry. By widening its scope, the scalable HITRUST framework is now accessible to millions of additional organizations globally that could benefit from its comprehensive security focus.

Implementation with the Singapore Personal Data Protection Act

Similar to how the European Union has adopted the General Data Protection Regulation (GDPR), the country of Singapore has its own form of data protection regulation, known as the Personal Data Protection Act (PDPA). With CSF v9.2, the HITRUST framework now incorporates the PDPA, allowing any organization that handles the private or personal data of Singapore residents to use the HITRUST framework for attestation.

Updated GDPR Implementation

In March of 2018, GDPR requirement language was incorporated into the HITRUST CSF for the first time. Unfortunately, its inclusion was found ambiguous at best and left many organizations feeling confused or unsure about how to proceed. With HITRUST CSF v9.2, the existing GDPR requirement language has been updated and refined with simpler wording to make its implementation easier to understand.

Choosing Between 9.1 and 9.2

Despite the version number change, organizations still have the option to choose between HITRUST CSF 9.1 and HITRUST CSF 9.2. While you may think the newer 9.2 model is the preferred choice, that may not always be the case depending on your organization’s industry or the type of data that it handles. Below is an easy-to-understand breakdown:

Use CSF 9.1 if your organization needs the HIPAA regulations and has already created an assessment object and started testing. The organization could still decide to move to v9.2, but there will be no benefit to doing so, and the difference in controls will be very minimal.

Use CSF 9.2 if you do not need to have HIPAA regulation language in your assessment, because you do not handle any healthcare data or do not want to test against HIPAA.

The Future of HITRUST

Now that the prerequisite of handling PHI has been removed from HITRUST CSF 9.2, anyone can remove unnecessary healthcare-specific checkboxes and customize the framework for their specific needs.

HITRUST has filed a formal application with the European Union’s Data Protection Board and the Irish Data Protection Commission to have the HITRUST CSF officially recognized as a standard for GDPR certification. HITRUST is also working with Irish authorities on an application to become an accredited certification body for GDPR.

HITRUST is also evaluating the process to be an Accountability Agent under the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules and Procedures for Processing programs.

Finally, HITRUST is planning on releasing CSF v10 later in 2019 to support a more agnostic approach to HITRUST CSF Assessments and add additional authoritative sources.

Since its inception in 2007 as a healthcare-focused framework, HITRUST has continually evolved and grown over the years. Thanks to the 9.2 update, organizations across all industries will now get to benefit from the framework’s robust features and discover the benefits that organizations in the healthcare industry have known all along.

Interested in pursuing the HITRUST CSF 9.1 or 9.2 for your organization? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity and compliance professionals.