HITRUST Releases Guidance for Reliance on the Work of Others
On September 11, 2019 HITRUST released updated guidance on reliance on the work of others as part of the HITRUST certification process. This includes a more defined scope for reliance on the results of audits, assessments, and inspections that have been completed in the past.
Since 2007, the HITRUST Common Security Framework (CSF) has been recognized as a well-rounded and certifiable security framework for organizations of all sizes and industries. With the upcoming CSF v9.3 update, HITRUST continues to demonstrate its value by expanding to incorporate new frameworks, legislation and standards.
What is the HITRUST CSF?
The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001, NIST 800-171, HIPAA/HITECH, PCI DSS, GDPR and more into one comprehensive system, the HITRUST CSF saves time and energy by assessing once and reporting many.
Thanks to its ability to combine several assessments and frameworks into one framework, the HITRUST CSF allows clients to decide what they want to test against and get controls based on that level of risk. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like they’re only undergoing one. Because of this benefit and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.
Originally designed specifically for the healthcare industry, the recent HITRUST CSF v9.2 grew the framework to make it useful for any organization around the globe.
CSF v9.3 will be released in Q3 2019, and the HITRUST organization has detailed the additional regulatory factors that will be added to the framework.
Incorporation with the California Consumer Privacy Act
One of the most notable updates in CSF v9.3 is the incorporation of new standards and regulations, including requirements placed on organizations by the California Consumer Privacy Act (CCPA).
Passed in 2018, the CCPA was built to be similar to the European Union’s General Data Protection Regulation (GDPR) and takes a stronger stance to protect the sharing, transmission and storage of consumer data. The CCPA legislation goes into effect on January 1, 2020, with the enforcement of the law starting on July 1, 2020.
Not only does the HITRUST CSF v9.3 incorporate standards and regulations from the CCPA, it reflects key differences between the CCPA and GDPR, including requirements for data access, applicability and requirements for opt-out methods.
Other Important Updates to CSF v9.3
Aligning the HITRUST CSF with the CCPA is only one of the updates to the HITRUST framework. CSF v9.3 also updates the framework to incorporate other authoritative sources, including:
- The Federal Risk and Authorization Management Program (FedRAMP)
- The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1
- Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1
- IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information
- South Carolina’s Bill 4655, the Insurance Data Security Act
Who Should Migrate to CSF v9.3
If your entity wants to add any of the six regulatory factors outlined above to your HITRUST assessment, you will need to be assessed against CSF v9.3. If you are not interested in adding these factors, you can instead be assessed against CSF v9.1 or CSF v9.2.
By giving organizations more choice to better fit their needs, the HITRUST CSF continues to position itself as a valuable, powerful and flexible framework for organizations of all sizes across all industries.
The A-LIGN Difference
A-LIGN’s experience and commitment to quality have helped over 130 clients successfully achieve HITRUST certification. Our rigorous process helps you prepare for the HITRUST assessment, and our team of HITRUST experts is here to answer any question you might have at every step of the process, responding to all inquiries within twenty-four hours. With A-LIGN, you’re on the right path to HITRUST certification success.
Interested in pursuing the HITRUST CSF for your organization? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity and compliance professionals.
Since its inception in 2007, the HITRUST Common Security Framework (CSF) has been used by organizations of all sizes around the globe. Originally designed specifically for the healthcare industry, today the HITRUST CSF enjoys success across all industries thanks to its robust and scalable systems that unify multiple recognized frameworks.
Since its inception in 2007, the HITRUST framework has become very popular with organizations globally, including businesses of all types in the HITRUST XChange program. As a certified HITRUST assessor firm and licensed CPA firm, A-LIGN has helped companies and organizations of all sizes prepare for HITRUST certification.
Organizations around the world, especially ones in the HITRUST XChange program, are moving to quickly implement the HITRUST Common Security Framework (CSF) for their organization. With the recent HITRUST CSF v9.2 update, organizations across all industries – not just healthcare – can benefit greatly from the HITRUST framework.
HITRUST CSFBASICs: A New Framework Designed for Smaller Healthcare Organizations
As the data breach landscape in the healthcare industry evolves, so do organizations and their compliance with regulatory requirements. Doing ‘nothing’ to protect healthcare data is no longer an acceptable approach for small healthcare entities.
HITRUST CSF v8
To ensure the HITRUST CSF stays relevant and current with the needs of today’s healthcare organizations, the HITRUST Alliance continually updates the CSF to incorporate the changing standards and regulations associated with its authoritative sources.
The updates within v8, which was released on July 1, 2016, incorporate feedback from the HITRUST community as well as changes from authoritative sources, including the following:
- Incorporation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (CsF).
- Addition of HITRUST De-Identification Framework assessment.
- Changes from the release of PCI DSS v3.1.
- Updated mapping for the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v3.0.1.
- American Institute of Certified Public Accountants (AICPA)-approved mapping of the HITRUST CSF controls to its Trust Services Principles and Criteria, which support the CSF Assurance Program and Service Organization Control (SOC) 2 reporting.
- Mappings to and minor content updates from the Center for Internet Security (CIS) Critical Security Controls (CSC).
- Mappings to and minor content updates from Precision Medicine Initiative’s (PMI) Data Security Policy (DSP) Framework.
Organizations can expect additional updates to v8 to come in January 2017 followed by a v9 release that is planned for June 2017.
Any organization that began an assessment after July 1, 2016 will need to leverage the v8 framework. Conversely, if an organization started an assessment before July 1, 2016, that assessment must be completed by December 31, 2016. If that assessment is not submitted before the end of the year, a new assessment object must be created utilizing the v8 framework. If your organization began an assessment before July 1, 2016, it would be in your best interest to complete the assessment prior to the December 31 deadline in order to avoid starting the assessment process all over again.
Previous versions of the CSF will be permitted by HITRUST under certain circumstances. An organization working to close gaps from a self-assessment in myCSF may make a request to HITRUST to certify under the same version of the framework if that self-assessment was performed within the last six months. Organizations working toward HITRUST certification should be mindful of these key dates and timelines to implement all necessary requirements.
Two new required controls were added for certification, bringing the total number of controls to 66. The new controls are as follows:
01.e Review of User Access Rights
This control adds that the organization reviews all system accounts and disables any account that cannot be associated with a business process and owner.
Additionally, the organization needs to monitor for dormant accounts and notify the user or the user’s manager so that unneeded accounts can be disabled. Exceptions, such as vendor maintenance accounts for system recovery, need to be monitored as well. All accounts should match active employees and contractors; accounts that are not appropriately matched should be disabled.
Additional changes to 01.e incorporate CIS CSC and AICPA authoritative references.
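The account review described for 01.e is straightforward to automate once an account export and an HR roster are available. The following is an added example written for this page, not code from HITRUST or A-LIGN: it reconciles a constructed list of system accounts against a constructed HR roster and a last-login date, flags accounts with no owner or business process and accounts whose owner is no longer active for disablement, flags dormant accounts for user/manager notification, and keeps documented exceptions (such as a vendor maintenance account for recovery) on a monitoring list rather than disabling them. The 90-day dormancy threshold, the field names and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    name: str
    owner: Optional[str]        # HR identifier of the responsible person, None if unknown
    last_login: Optional[date]  # None if the account has never logged in
    purpose: str                # business process the account supports ("" if undocumented)
    exception: bool = False     # documented exception, e.g. vendor maintenance for recovery


# Constructed sample data (assumed, not from any real system).
TODAY = date(2016, 9, 1)

# HR roster: identifier -> employment status.
ROSTER: Dict[str, str] = {
    "e1001": "active",
    "e1002": "active",
    "c2001": "active",      # contractor
    "e1003": "terminated",
}

ACCOUNTS: List[Account] = [
    Account("jdoe", "e1001", date(2016, 8, 30), "clinical application admin"),
    Account("asmith", "e1002", date(2016, 4, 1), "billing"),            # not used recently
    Account("contractor1", "c2001", date(2016, 8, 1), "HL7 integration"),
    Account("bjones", "e1003", date(2016, 7, 15), "reporting"),         # owner has left
    Account("svc_backup", None, None, ""),                              # no owner, no purpose
    Account("vendor_maint", None, date(2016, 2, 1), "vendor system recovery", exception=True),
]


def review_accounts(accounts: List[Account], roster: Dict[str, str],
                    today: date, dormant_days: int = 90) -> Dict[str, List[Tuple[str, str]]]:
    """Classify accounts into disable / notify / monitor buckets with a reason for each.

    Assumed policy, following the control text:
      * no owner or no business process      -> disable
      * owner not an active employee/contractor -> disable
      * no login within dormant_days          -> notify user or manager, disable if unneeded
      * documented exception                  -> keep, but monitor
    """
    cutoff = today - timedelta(days=dormant_days)
    findings: Dict[str, List[Tuple[str, str]]] = {"disable": [], "notify": [], "monitor": []}

    for acct in accounts:
        if acct.exception:
            findings["monitor"].append((acct.name, "documented exception; keep under monitoring"))
            continue
        if not acct.owner or not acct.purpose:
            findings["disable"].append((acct.name, "no business process or owner"))
            continue
        if roster.get(acct.owner) != "active":
            findings["disable"].append(
                (acct.name, f"owner {acct.owner} is not an active employee or contractor"))
            continue
        if acct.last_login is None or acct.last_login < cutoff:
            findings["notify"].append(
                (acct.name, f"dormant since {acct.last_login}; notify user/manager, disable if unneeded"))
    return findings


if __name__ == "__main__":
    for bucket, items in review_accounts(ACCOUNTS, ROSTER, TODAY).items():
        for name, reason in items:
            print(f"{bucket:8} {name:14} {reason}")
```

Run as a script it prints one line per finding; the same function can be fed a real directory export and roster to produce the evidence an assessor would look for under 01.e (the list of accounts reviewed, the action taken, and the reason).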
01.t Session Time-out
HITRUST has added “bring your own device” (BYOD) requirements that call for an automatic lockout screen configuration. This is required at control level 1.
Additional changes to 01.t incorporate CIS CSC, HIPAA, and AICPA authoritative references.
There have also been notable updates to the MyCSF tool:
- Organizational factors are now dynamic within the tool and are updated according to the selected organizational type. The organization types were modified to include service provider options for both IT and non-IT services.
- The inheritance program is also a new feature within the tool. Service organizations can request to participate in the inheritance program by contacting HITRUST following successful certification. Once enrolled, entities that subscribe to their services will have the option to inherit controls and the testing performed in their reports. This option will likely be attractive to potential customers with HITRUST needs.
HITRUST and SOC 2
As with previous versions, organizations can still leverage the HITRUST CSF for SOC 2 reporting. With v8, the CSF will have updated mapping to the updated SOC 2 Trust Services Principles (TSP) released in 2016 (currently in progress). Auditors will also be able to opine directly on the 66 required controls rather than all 135 controls. Finally, there are plans to map to the SOC 2 TSP’s Privacy Principle in the future.
In conclusion, v8 of the HITRUST CSF takes into account the ever-changing requirements and controls of its authoritative sources. There have been updates that will benefit both assessors and the organizations being assessed. It is critical to observe the posted deadlines when creating an assessment under v8.
For more information on how the new version of the HITRUST CSF affects your organization, please reach out to email@example.com to speak with one of our HITRUST Practitioners.
The HITRUST CSF provides an integrated, prescriptive framework that works with the needs of the healthcare industry in order to comply with the necessary standards. This framework can be scaled for the various sizes and types of organizations and their control systems. It also allows for the tailoring and scaling of controls with HITRUST oversight to ensure that the integrity of the systems remains intact and application remains consistent.
The HITRUST CSF and ISO 27001
HITRUST recognizes the complex, global nature of the healthcare industry and the need for an industry-specific approach to information protection. Because of this, ISO/IEC 27001 was chosen as the foundation on which the HITRUST CSF was built, due to its place as an international standard for information security that could be modified and implemented for any organization.
ISO 27001 differs greatly from the HITRUST CSF: ISO 27001 is not control-compliance based, but is instead a management/process model for the Information Management System that is assessed. One of the major benefits of the HITRUST CSF over ISO 27001 is the ability to select and create practical controls. ISO 27001 does allow controls to be tailored to better fit organizations that cannot implement a specific control, but it is not as complete in its ability to be tailored or scaled.
The HITRUST CSF and NIST 800-53
The HITRUST CSF also pulls from NIST SP 800-53, which was designed for United States government agencies. However, the standards are applicable to many different types of organizations. One of the key differences between NIST 800-53 and the HITRUST CSF is that NIST 800-53 does not address the specific needs within the healthcare industry.
Both NIST 800-53 and HITRUST CSF are compliance solutions that assess a set of controls through gap analysis of any controls considered within the scope for the organization or system.
One of the issues with NIST 800-53 that the HITRUST CSF addresses is the ability to scale controls to the specific organization; NIST 800-53 has no formal mechanism for an organization to do so. NIST 800-53 does allow controls to be tailored in certain situations when an organization is unable to implement a specific control, but this is more limited than in the HITRUST CSF, because NIST 800-53 defines control parameters based on the highest potential impact, regardless of the size or type of organization.
The HITRUST CSF and PCI DSS
PCI DSS is a payment card industry standard used to protect payment card data. Founded by the five major card brands, Visa, MasterCard, American Express, Discover and JCB, PCI DSS defines controls to enhance credit and debit card security.
In many ways, HITRUST has used this type of methodology in the creation of the HITRUST healthcare standard. HITRUST receives input from their board of directors, who are industry experts from major healthcare organizations, to tailor the framework to the industry’s needs.
While there are a variety of different audit options for any organization, the HITRUST CSF provides scalable, prescriptive solutions for organizations of any type. By pulling from major pre-existing frameworks and working with healthcare organizations to better-understand their needs, the HITRUST CSF provides a complete, certifiable security standard.