Preparing for HITRUST CSF v9 Enhancements

Ahead of its late August/early September 2017 release, HITRUST has released details around HITRUST CSF v9. To address the evolving information security landscape to include new threat profiles and updates in standards, HITRUST has expanded its framework and enabled NIST Cybersecurity Certification.

HITRUST removed 10 controls required for CSF v8.1 certification and added 19 controls for CSF v9 certification. Controls removed are 01.a, 01.f, 01.i, 01.r, 03.a, 05.b, 09.g,,, and 10.g.  Controls added are 01.c, 01.l, 03.d, 05.h, 05.j, 06.c, 06.h, 09.b, 09.k, 09.l, 09.v, 09.x, 09.y,, 10.a, 10.k, 11.d, 12.b, and 12.d. HITRUST CSF v9 will see an increase in the controls required for HITRUST CSF Certification from 66 to 75. Below, we will address the major changes to see.


NIST Cybersecurity Framework (NIST CSF)

The NIST CSF provides a framework for organizations to assess and improve their ability to prevent, detect, and respond to cyber-attacks. The main cybersecurity activity categories are:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

With HITRUST CSF v9, a single CSF assessment will address the NIST CSF and organizations will not be able to see the HITRUST CSF controls through the lens of the NIST CSF Core Subcategories. This incorporation provides an efficient manner to report on an organization’s cybersecurity posture by utilizing the NIST framework.

Federal Financial Institutions Examination Council (FFIEC) Information Security Examination Handbook

The FFIEC Information Security Handbook is used for financial organizations to better understand the security risks that put financial institutions’ information security systems at risk.

As it relates to HITRUST, incorporating the Handbook will provide guidance relevant to organizations who are outside of the healthcare industry, specifically for an organization in the financial industry.

Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP is a security assessment used to assess the security of cloud solutions used by the federal government. The main goals of FedRAMP are to provide a standard approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Because the healthcare industry continues to rely more heavily on cloud-based services, the HITRUST CSF aims to use a common set of controls for the providers and consumers of these services.

Department of Homeland Security (DHS) Critical Resilience Review (CRR) Cybersecurity Criteria

The CRR is an assessment that evaluates an organization’s operational resilience and cybersecurity practices across ten domains:

  1. Asset Management
  2. Controls Management
  3. Configuration and Change Management
  4. Vulnerability Management
  5. Incident Management
  6. Service Continuity Management
  7. Risk Management
  8. External Dependency Management
  9. Training and Awareness
  10. Situational Awareness

This incorporation will allow for organizations to use their existing HITRUST CSF-based information protection programs to provide assurances around the state of their cybersecurity programs, and level of organizational reliance based upon the DHS CRR.

Office of Civil Rights (OCR) Audit Protocol v2

The OCR Audit Protocol reviews the policies and procedures in place by covered entities and business associates to meet the Privacy, Security, and Breach Notification Rules.

This minor update ensures that healthcare organizations can demonstrate compliance with the HIPAA Security Rule in the context of the Protocol as it relates to an OCR audit or a post-breach investigation.

Title 21 Code of Federal Regulations Part 11 (21 CFR Part 11)

21 CFR Part 11 was expanded to address the Food and Drug Administration (FDA) requirements for electronic records and signatures, which supports organizations that must demonstrate FDA-compliance based upon their HITRUST CSF-based information protection program.


HITRUST provides organizations with an “assess once, report many” system that provides a comprehensive framework for organizations in many industries such as the financial industry and European markets.

This includes assurances for how well an organization is meeting the objectives specified by the NIST Cybersecurity Framework Core Subcategories, Federal Financial Institutions Examination Council (FFIEC) Information Security Examination Handbook and the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria for Security, Confidentiality, and Availability (including for SOC 2 reporting), or support attestations of compliance with the HIPAA Security Rule.

In addition, organizations can expect to see an interim release of v9.1 in February of 2018, which will increase the level of support for global programs by incorporating the EU Privacy Shield Regulation, the General Data Protection Regulation (GDPR), and mapping the HITRUST CSF’s privacy and security requirements to the AICPA Trust Services Criteria for Privacy.

These regular updates help to incorporate many of the standards that organizations need to achieve compliance, in order to meet regulatory and contractual agreements to strengthen relationships with clients.

Unsure of how HITRUST CSF v9 could affect your organization? A-LIGN’s professionals have experience with healthcare organizations and their business associates. Contact us today for more information and to have your questions answered at [email protected] or call (888) 702-5446.