HITRUST CSF v9 Designed to Strengthen, Simplify, and Enhance Healthcare Regulatory Compliance and Risk Management

April 24, 2017

Written by HITRUST Independent Security Journalist Sean Martin. 

Get ready for more comprehensive compliance and risk management — with less work. HITRUST is putting the finishing touches on the HITRUST CSF v9 and corresponding updates to the HITRUST CSF Assurance Program, with this latest iteration of both expected in July 2017.

If there is one overarching message for the v9 release, it’s enabling healthcare organizations of all sizes and business models to do more with the HITRUST CSF by expanding the mappings of the CSF to additional protocols and frameworks.

HITRUST, in conjunction with its HITRUST CSF Advisory Council, has worked closely with the industry to make improvements to existing parts of the CSF. In addition, the new HITRUST CSF and HITRUST CSF Assurance Program releases integrate and harmonize other industry and regulatory standards, including:

HITRUST CSF Assurance:

  • National Institute of Standards & Technology Cybersecurity Framework: HITRUST CSF Assessments will incorporate controls related to the NIST Cybersecurity Framework (NIST CsF) and the HITRUST CSF Assessment Report will include an appendix showing compliance with the NIST CsF. In addition, organizations obtaining HITRUST CSF Certification will also receive a NIST CsF Certification.

HITRUST CSF:

In addition, the v9 releases were influenced by the new HITRUST Threat Catalogue. This exciting HITRUST initiative aligns real-world cyber threats with CSF risk factors and controls. The HITRUST Threat Catalogue will begin impacting the HITRUST CSF with the v9 release, and will be more fully integrated with HITRUST CSF v10, due to be released in 2018.

CSFBASICs Coming Soon to a Small Practice Near You

While not officially part of the CSF and CSF Assurance Program updates, HITRUST is releasing a major iteration of its small business security program, renamed CSFBASICs, in the same timeframe. BASICs stands for “Basic Assurance and Simple Institution Cybersecurity.”

Currently being piloted, CSFBASICs will help small, low-risk organizations adopt a serious, HIPAA-compliant cybersecurity and assurance program. Although CSFBASICs is based on the HITRUST CSF, the requirements and assurance processes are streamlined to help smaller, lower-risk organizations demonstrate compliance and manage risk with less effort. HITRUST is in the final phase of piloting CSFBASICs and elements of its associated CSFBASICs Assurance Program, and estimates both will be generally available later this year.

“I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA,” said Dr. J. Stefan Walker with Corpus Christi Medical Associates (CCMA), a five-physician primary care practice in Texas. “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”

Want to learn more? Be sure to read the blog Finding the Cure: HITRUST Simplifies Cybersecurity Compliance for Small Medical Practices.

A Standardized Approach

The HITRUST CSF is the most widely adopted information privacy and security framework for healthcare organizations, and provides them with a comprehensive, scalable and certifiable approach to regulatory compliance and risk management. The popular HITRUST CSF Assurance Program helps organizations streamline the compliance process by allowing them to assess once and report against multiple sets of requirements. The result: less time and money spent on assurance and demonstrating compliance.

 
