Preparing for HITRUST CSF v8


To ensure the HITRUST CSF stays relevant and current with the needs of today’s healthcare organizations, the HITRUST Alliance continually updates the CSF to incorporate the changing standards and regulations associated with its authoritative sources.

The updates within v8, which was released on July 1, 2016, incorporate feedback from the HITRUST community, as well as changes from authoritative sources that include the following:

  • Incorporation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (CsF).
  • Addition of HITRUST De-Identification Framework assessment.
  • Changes from the release of PCI DSS v3.1.
  • Updated mapping for the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v3.0.1.
  • American Institute of Certified Public Accountants (AICPA)-approved mapping of the HITRUST CSF controls to its Trust Services Principles and Criteria, which support the CSF Assurance Program and Service Organization Control (SOC) 2 reporting.
  • Mappings to and minor content updates from the Center for Internet Security (CIS) Critical Security Controls (CSC).
  • Mappings to and minor content updates from Precision Medicine Initiative’s (PMI) Data Security Policy (DSP) Framework.

Organizations can expect additional updates to v8 to come in January 2017 followed by a v9 release that is planned for June 2017.


Any organization that began an assessment after July 1, 2016 will need to leverage the v8 framework.  Conversely, if an organization started an assessment before July 1, 2016, that assessment must be completed by December 31, 2016.  If that assessment is not submitted before the end of the year, a new assessment object must be created utilizing the v8 framework.  If your organization began an assessment before July 1, 2016, it would be in your best interest to complete the assessment prior to the December 31 deadline in order to avoid starting the assessment process all over again.


Previous versions of the CSF will be permitted by HITRUST under certain circumstances.  An organization working to close gaps from a self-assessment in MyCSF may make a request to HITRUST to certify under the same version of the framework if that self-assessment was performed within the last six months.  Organizations working toward HITRUST certification should be mindful of these key dates and timelines to implement all necessary requirements.


Two new required controls were added for certification, bringing the total number of controls to 66.  The new controls are as follows:

01.e Review of User Access Rights

This control adds that the organization reviews all system accounts and disables any account that cannot be associated with a business process and owner.

Additionally, the organization needs to monitor for and notify the user or user’s manager of any accounts that are dormant in order to disable accounts when unneeded. Exceptions, such as vendor maintenance accounts for system recovery, need to be monitored as well. All accounts should match active employees and contractors – accounts that are not appropriately matched should be disabled.

Additional changes to 01.e incorporate CIS CSC and AICPA authoritative references.

01.t Session Time-out

HITRUST has added “bring your own device” (BYOD) rulings that require an automatic lockout screen configuration. This is required at control level 1.

Additional changes to 01.t incorporate CIS CSC, HIPAA, and AICPA authoritative references.

MyCSF tool

There have also been notable updates to the MyCSF tool:

  • Organizational factors are now dynamic within the tool and are updated according to the selected organizational type. The organization types were modified to include service provider options for both IT and non-IT services.
  • The inheritance program is also a new feature allowed within the tool. Service organizations can request inheritance to participate in the program by contacting HITRUST following successful certification. Once enrolled, entities that subscribe to their services will have the option to inherit controls and the testing performed in their reports.  This option will likely be attractive to potential customers that have HITRUST needs.


As with previous versions, organizations can still leverage the HITRUST CSF for SOC 2 reporting.  With v8, the CSF will have updated mapping to the updated SOC 2 Trust Services Principles (TSP) released in 2016 (currently in progress).  Auditors will also be able to opine directly on the 66 required controls rather than all 135 controls.  Finally, there are plans to map to the SOC 2 TSP’s Privacy Principle in the future.

In conclusion, v8 of the HITRUST CSF takes into account the ever-changing requirements and controls of its authoritative sources.  There have been updates that will benefit both Assessors and the organizations being assessed. It is critical to observe the posted deadlines when creating an assessment under v8.
