These new standards include the addition of the California Consumer Privacy Act (CCPA) 1798, the South Carolina Insurance Data Security Act 2018 (SCIDSA) 4655, and NIST SP 800-171 as authoritative sources. In addition, updates have been made to six existing HITRUST authoritative sources.
HITRUST CSF v9.3 Updates
As a result of the HITRUST CSF v9.3 release, there will now be 44 authoritative sources for HITRUST, with the addition of one new privacy-related source (CCPA) and two security-focused sources (SCIDSA and NIST SP 800-171).
- CCPA: Designed to enhance privacy rights and consumer protection for residents of California. This bill, which was signed in June 2018, will go into effect January 1, 2020. CCPA gives consumers the right to access, delete, and prohibit sharing of their personal information that is collected by businesses.
- SCIDSA: Effective January 1, 2019, this act established standards for data security and standards for the notification and investigation of any cybersecurity event applicable to licensees of the South Carolina Department of Insurance.
- NIST SP 800-171: Introduced by the National Institute of Standards and Technology, it applies to nonfederal contractors and subcontractors that handle, transmit, or store controlled unclassified information (CUI) or covered defense information (CDI).
HITRUST CSF v9.3 also includes updates to six existing authoritative sources:
- AICPA 2017: Updated to map HITRUST CSF v9.3 to the 2017 SOC 2 Trust Services Criteria
- CIS CSC v7.1: Introduced implementation groups (IGs) to the CIS Controls™
- ISO 27799:2016: Provides guidelines for information security management and standards
- CMS/ARS v3.1: Protects and ensures the confidentiality, integrity, and availability of all of CMS’ information and information systems
- IRS Publication 1075 2016: Added “On-Site Review Process” and “Computer Security Review” sections, among other changes
- NIST Cybersecurity Framework v1.1: Added a new section on self-assessment, among other changes
Additional enhancements in CSF v9.3 include updated authoritative source mappings to communicate requirements across industries and sectors, adjusted risk and regulatory factors that streamline required questions for each assessment, and clarified terminology.
HITRUST CSF v9.3 Impact to Organizations
The changes included in HITRUST CSF v9.3 will only impact organizations that are currently testing against these regulatory assessments or that have been requested by their clients to test against these new authoritative sources. For companies located in, or housing data in, California and South Carolina, there may be an increased need to include the CCPA or the SCIDSA, respectively, in their future HITRUST assessment. Other organizations may choose to proactively include these regulatory sources in their next assessment.
If an organization is currently undergoing a HITRUST assessment using CSF v9.0 – 9.2, there is no requirement to shift to CSF v9.3 unless, or until, a stakeholder requests this change. For organizations that have yet to conduct a HITRUST assessment, it is recommended that CSF v9.3 be utilized to ensure the latest assessment option is being completed.
How Organizations Can Prepare
To ensure organizations have the right controls, policies and procedures in place for existing or future assessments, A-LIGN can conduct a HITRUST Gap Assessment to help organizations benchmark the implementation of their controls to the new CSF v9.3 additions. In addition, for organizations that are still utilizing HITRUST CSF v8.x, A-LIGN can help identify any gaps and recommend new controls that will need to be implemented for HITRUST CSF v9.3.
A-LIGN is one of only a few globally recognized cybersecurity and privacy compliance providers that offer a single-provider approach for organizations. A-LIGN is a HITRUST CSF Assessor firm, Qualified Security Assessor Company, Accredited ISO 27001 and ISO 22301 Certification Body, Accredited FedRAMP 3PAO and licensed CPA firm.