Avertium Blog

Strengthening Cybersecurity: HITRUST CSF v11 2023 Updates

Written by Marketing | Mar 17, 2023 3:34:20 PM

In January 2023, the HITRUST Alliance released the latest version of its HITRUST CSF, version 11, which is designed to enhance the efficiency of the framework and improve cyber threat adaptive assurances.  

The updates to the framework include:  
  • The consolidation of security and privacy controls  
  • The incorporation of the latest industry and regulatory requirements
  • The inclusion of enhanced risk management provisions
  • The optimization of third-party assurance
  • Updates to cloud security requirements, reflecting the increasing use of cloud technology in healthcare along with many other industries

HITRUST CSF v11 introduces some big changes as it makes it easier for organizations to use previous assessments to upgrade to higher levels of HITRUST assurance with less effort. In other words, it’s a building block approach. It also enables adaptive assessments that evolve to address emerging threats. On top of that, v11 includes new and improved Authoritative Sources powered by AI and changes to Evaluative Elements and Illustrative Procedures for easier parsing and scoring of Requirement Statements by MyCSF users. 

HITRUST v11 Overall Benefits:  

  • Flexible + adaptive: HITRUST v11 is designed to address new and emerging threats to healthcare information security by providing a flexible and adaptive framework that can be tailored to an organization's specific risk profile.  
  • Nested assessments: Streamline organizational efforts for successful HITRUST adoption and certification starting with e1 which is nested within the i1 nested inside the r2.
  • Integrates with Microsoft systems: HITRUST v11 is integrated across Microsoft Azure, Microsoft 365, Dynamics 365, and Power Platform
  • Saves time + money: Organizations can re-use the work completed during lower-level HITRUST assessments to accumulate higher assurances.
  • AI-based development tool: HITRUST introduced artificial intelligence-based standards development capabilities to assist its assurance experts in mapping and maintaining authoritative sources – this AI-based toolkit will reduce maintenance and mapping efforts by up to 70 percent. 

 

 

Introducing the Updates to HITRUST CSF v11 

There are three assessment changes seen in v11:

  1. A brand new offer called e1 assessment >>  
  2. Changes to the existing i1 assessment >>
  3. Changes to the existing r2 assessment  >>

HITRUST streamlined the selection of requirement statements for v11, aligning the e1, i1, and r2 assessments so that each assessment is a building block that stacks on the core requirement statements included in the e1 assessment.

  1. The e1 assessment includes a selection of 44 requirement statements that address a set of cybersecurity controls (aka fundamental essential cybersecurity practices or essential cybersecurity hygiene)
  2. Building off of e1 – the i1 assessment includes an additional 138 requirement statements that address a broader range of current and emerging cyber threats beyond foundational cybersecurity practices
  3. Building off of e1 and i1 – the r2 assessment includes requirement statements that are included through the r2 assessment tailoring process to provide the highest level of assurance for organizations with the greatest risk exposure 

Through these nesting requirements, organizations can start with the e1 or i1 assessment and move through the assessment portfolio to demonstrate increased levels of information protection assurance without losing their investment in previous assessments. 

 

HITRUST Essentials, e1 Assessment – Entry Level 

HITRUST introduced a new certification program, the HITRUST Essentials, 1-year (e1) Assessment, which aims to provide a faster and more efficient approach to cybersecurity assessment and certification.  

e1 is designed to align with the fast-paced business environment and involves a rigorous evaluation of an organization's information security and privacy program against a set of requirements derived from the HITECH Act, HIPAA, and other applicable regulations and standards. Here are several noteworthy aspects of the e1 Assessment:

  • Focused on a curated set of cybersecurity controls that are fundamental practices
  • Leaner depth of control consideration
  • Designed to be an evolving, threat-adaptive certification
  • e1 work can be reused and nested into i1 and r2  
  • Changes to e1 requirement selection included in major and minor releases of HITRUST CSF
  • Can be performed as a readiness or validated assessment

Overall, the e1 assessment is a shorter, comprehensive and certified evaluation that offers organizations a thorough and meticulous appraisal of their information security and privacy program.  

e1 Assessment Use Cases  

The e1 assessment is designed for organizations in search of a stronger cybersecurity assurance than questionnaires or self-assessments like the HITRUST bC. It is useful in the following situations:

  • When your vendors have lower inherent risk and need a simple / less demanding assurance
  • When assurance is needed for basic controls expected for almost all entities
  • When a quick evaluation of security maturity is required for essential cybersecurity controls, such as for a new vendor or entity

For more information and use case details on e1 Assessment → Link

For the e1 Assessment downloadable PDF view HAA 2023-004 → Visit this advisory page 

 

HITRUST Implemented, i1 Assessment – Moderate Level 

HITRUST introduced a new option for obtaining i1 certification called Rapid Recertification.  

As evident in the name, it’s a more accelerated approach. The Rapid Recertification allows organizations to evaluate a section of i1 requirement statements to confirm that the control environment has not significantly deteriorated since the previous i1 certification was obtained. If successful, the organization can carry forward scores from their prior certified i1 Assessment to reduce the amount of testing required for completion. Rapid Recertification offers the same i1 Assessment Reports and Certification as a full i1 Assessment and is available to both Assessed Entities and External Assessors.

Important i1 Assessment Dates: 

  • January 18, 2023 to April 30, 2023, i1 Assessments will still be available in v9.6 or v11 
  • April 30, 2023, the ability to create a new v9.6.2 i1 Assessment will be disabled 
  • July 31, 2023, the ability to submit v9.6 i1 Assessments and earlier assessment objects will be disabled 

For more information on the i1 Validated Assessment → Link

For the i1 Rapid Recertification downloadable PDF view HAA 2023-005 → Visit this advisory page 

 

HITRUST Risk-Based, r2 Assessment – High Level 

The r2 assessment is designed to provide a more comprehensive evaluation of an organization's security controls and risk management processes, and is valid for two years. Reducing the number of controls and ensuring a more clarified scope, the r2 will require i1 as the baseline assessment.  

Important r2 Assessment Dates:  

  • September 30, 2023, the ability to create new v9.1 to v9.4 assessment objects in MyCSF will be disabled 
  • December 31, 2024, the ability to submit a v9.1 or v9.4 assessment will also be disabled 
  • March 31, 2026, v9.1 and 9.4 libraries will be removed from the MyCSF 
  • v9.5 and v9.6 will continue to be available for r2 Assessments 

For more information and use cases for r2 Assessment → Link  

For the r2 Assessment downloadable PDF view HAA 2021-012 → Visit this advisory page 

 

 

Why Organizations Should Consider Being HITRUST Certified 

For high-risk data-holding organizations, HITRUST certification demonstrates that an organization complies with the HITRUST CSF. So, why should you consider being HITRUST certified?

  • Multi-Regulation Coverage → Organizations must comply with multiple regulations and security frameworks, which can cause confusion and non-compliance if not approached comprehensively. For example, healthcare providers accepting credit/debit cards must protect that information under PCI-DSS. HITRUST certification can help design a security strategy that ensures compliance with multiple regulations. The HITRUST certification can be configured to comply with HIPAA, ISO, PCI-DSS, NIST, GDPR, and other standards, minimizing oversights or errors. 

  • Provable HIPAA Compliance → HIPAA regulations require organizations to protect sensitive healthcare data using "reasonable and appropriate" methods. However, there is no governing body that certifies compliance, leaving organizations unsure of how to implement a compliant system. Vendors have developed their own testing methods and certifications, but without clearly defined requirements, it's hard for organizations to prove compliance. HITRUST certification can help by providing a reputable certification framework that can be tailored to meet an organization's needs, covering various regulations and allowing for proof of compliance. 

  • Third-Party Verification → Protecting sensitive data is crucial across all industries, including personal, business, legal, payroll, and human resources data. By achieving a third-party attestation of regulatory compliance, an organization can demonstrate appropriate due diligence for a legal investigation caused by a breach or official complaint which can benefit both the organization and its customers.  

 

 

How Avertium Can Help

HITRUST CSF v11 is a crucial update that helps organizations in industries such as Healthcare enhance their cybersecurity posture and protect sensitive data from security breaches. It adapts to the need for a streamlined assessment process to address new and emerging cyber threats. With expanded authoritative sources, nested assessments, and improved AI-based standards development, HITRUST CSF v11 makes certification more achievable for organizations.  

To prepare for HITRUST certification, organizations can plan ahead or seek assistance from a trusted external accessor. For all three assessments, HITRUST certification requires that your organization’s security controls be assessed by a HITRUST CSF assessor firm that provides HITRUST Certified CSF Practitioners (CCSFP).  

Avertium is here to help you with that by… 

  • Simplifying the HITRUST experience to minimize the burden on your staff 
  • Providing insight into what you can expect throughout the HITRUST validation and certification process 
  • Incorporating existing recognized security and compliance frameworks such as HIPAA, NIST, ISO, SOC 2, and PCI DSS 
  • Assessing how your controls program is or is not meeting requirements 
  • Working with you to advise a clear and actionable plan to fulfill them (as well as help implement recommendations) 

Keep in mind that many organizations will need at least the i1 Assessment. To find out which HITRUST Assessment is best for your organization and how you can start preparing for it now, contact an Avertium HITRUST expert

If you are experiencing a security incident and need immediate assistance, call (833) 624-3368 or email incident@avertium.com.