In January 2023, the HITRUST Alliance released version 11 of its HITRUST CSF, designed to make the framework more efficient to assess against and to provide assurances that adapt to the changing cyber threat landscape.
HITRUST CSF v11 introduces several significant changes. It lets organizations reuse previous assessments to move up to higher levels of HITRUST assurance with less effort, a building-block approach. It also enables adaptive assessments that evolve to address emerging threats. In addition, v11 adds new and updated Authoritative Source mappings, developed with AI assistance, and revises the Evaluative Elements and Illustrative Procedures so that MyCSF users can parse and score Requirement Statements more easily.
HITRUST v11 Overall Benefits:
v11 makes three changes to the assessment portfolio:
HITRUST streamlined the selection of requirement statements for v11, aligning the e1, i1, and r2 assessments so that each assessment is a building block that stacks on the core requirement statements included in the e1 assessment.
Through these nesting requirements, organizations can start with the e1 or i1 assessment and move through the assessment portfolio to demonstrate increased levels of information protection assurance without losing their investment in previous assessments.
HITRUST introduced a new certification program, the HITRUST Essentials, 1-year (e1) Assessment, which aims to provide a faster and more efficient approach to cybersecurity assessment and certification.
e1 is designed for a fast-paced business environment. It evaluates an organization's information security and privacy program against a set of requirement statements derived from HIPAA, the HITECH Act, and other applicable regulations and standards.
Overall, the e1 is a shorter, certifiable assessment that still gives organizations a rigorous, independently validated appraisal of their essential information security and privacy controls.
The e1 assessment is intended for organizations that need stronger cybersecurity assurance than a questionnaire or self-assessment such as the HITRUST bC provides.
For more information and use-case details on the e1 Assessment, see HITRUST's e1 Assessment page and HITRUST Assurance Advisory HAA 2023-004 (downloadable PDF).
HITRUST also introduced a new option for renewing i1 certification called Rapid Recertification.
As the name suggests, it is an accelerated path. Rapid Recertification lets an organization test a subset of the i1 requirement statements to confirm that its control environment has not significantly deteriorated since the previous i1 certification. If that subset passes, scores from the prior certified i1 Assessment are carried forward, reducing the amount of testing needed to complete the recertification. A Rapid Recertification produces the same i1 Assessment Report and Certification as a full i1 Assessment and is available to both Assessed Entities and External Assessors.
For more information on the i1 Validated Assessment, see HITRUST's i1 Assessment page; for i1 Rapid Recertification, see HITRUST Assurance Advisory HAA 2023-005 (downloadable PDF).
The r2 assessment provides a more comprehensive evaluation of an organization's security controls and risk management processes, and its certification is valid for two years. In v11 the r2 builds on the i1 requirement statements as its baseline, which reduces the number of additional controls and clarifies its scope.
For more information and use cases for the r2 Assessment, see HITRUST's r2 Assessment page and HITRUST Assurance Advisory HAA 2021-012 (downloadable PDF).
For organizations that hold high-risk data, HITRUST certification demonstrates that their controls meet the requirements of the HITRUST CSF. So why consider becoming HITRUST certified?
Multi-Regulation Coverage → Most organizations must comply with several regulations and security frameworks at once, which invites confusion and gaps if each is handled in isolation. For example, a healthcare provider that accepts credit or debit cards must also protect that cardholder data under PCI DSS. The HITRUST CSF maps its requirements to authoritative sources including HIPAA, ISO 27001, PCI DSS, NIST, and GDPR, so one assessment scoped against the CSF can produce evidence for several of them and reduce the chance of an overlooked obligation.
Provable HIPAA Compliance → HIPAA requires organizations to protect sensitive healthcare data using "reasonable and appropriate" safeguards, but no governing body certifies HIPAA compliance, which leaves organizations unsure whether their implementation would hold up. Vendors have developed their own testing methods and certifications, but without clearly defined requirements it is hard for an organization to prove compliance. HITRUST certification addresses this by providing a reputable, prescriptive framework that can be tailored to the organization's scope, covers the relevant regulations, and yields evidence of compliance.
Third-Party Verification → Protecting sensitive data matters in every industry, whether the data is personal, business, legal, payroll, or human resources information. A third-party attestation of regulatory compliance lets an organization demonstrate appropriate due diligence in a legal investigation following a breach or official complaint, which benefits both the organization and its customers.
HITRUST CSF v11 is an important update that helps organizations in industries such as healthcare strengthen their cybersecurity posture and protect sensitive data from breaches. It answers the need for a streamlined assessment process that can keep pace with new and emerging cyber threats. With expanded authoritative sources, nested assessments, and AI-assisted mapping of standards, HITRUST CSF v11 makes certification more achievable.
To prepare for HITRUST certification, organizations can plan ahead on their own or seek assistance from a trusted external assessor. For all three assessments, certification requires that your organization's security controls be assessed by a HITRUST Authorized External Assessor firm staffed with HITRUST Certified CSF Practitioners (CCSFP).
Keep in mind that many organizations will need at least the i1 Assessment. To find out which HITRUST assessment best fits your organization and how to start preparing for it now, contact an Avertium HITRUST expert.