HITRUST® CSF Version 11 Addresses Emerging Cyber Threats While Reducing Certification Efforts by up to 45%

On January 18, 2023, HITRUST announced the release of HITRUST CSF version 11 (v11) to “improve mitigations against evolving cyber threats, broaden the coverage of authoritative sources, and streamline the journey to higher levels of assurance.” In addition to addressing emerging threats, this major update to HITRUST CSF reduces redundancies and streamlines processes allowing organizations to achieve the same level of assurance with less effort. The HITRUST v11 changes can reduce certification efforts by up to 45%. 

In this blog post, we’ll provide background on HITRUST CSF and an overview of the significant changes being introduced with v11.

 

What is HITRUST CSF?

The HITRUST organization provides a framework that safeguards sensitive information and can help manage information risk for organizations across all industries. Its programs have been widely adopted in the healthcare industry. 

HITRUST CSF addresses the multitude of security, privacy, and regulatory challenges facing healthcare organizations today. With a comprehensive framework of security requirements, HITRUST incorporates a risk-based approach to federal and state regulations and common standards and frameworks to help organizations address these challenges. 

What’s Changing with HITRUST CSF Version 11?

The changes being introduced with HITRUST CSF v11 represent a substantial upgrade to the previous version (v9). The most significant changes are highlighted below.

Threat-Adaptive Controls

HITRUST CSF v11 protects against new and emerging threats by enabling the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls that are appropriate for each level of assurance. 

Improved Control Mappings and Precision of Specifications

Improved control mappings and precision of specifications afforded through v11 enable a reduced level of effort towards a HITRUST certification. Notable examples of these improvements include:

• Evaluative Elements Moved to Requirements Statement. The HITRUST maturity level scoring methodology requires measuring your environment against Evaluative Elements. In HITRUST v9, these elements were embedded in Illustrative Procedures definitions. To determine a maturity level score, evaluative elements had to be located and parsed within the Illustrative Procedures, which was cumbersome and time-consuming. With HITRUST v11, the Evaluative Elements have been lifted and shifted from the Illustrative Procedures to the Requirements Statement, where they are individually enumerated and formatted. This significantly streamlines the maturity level scoring process.
• Illustrative Procedures Improvements. HITRUST v11 introduces significant improvements to the Illustrative Procedures (IP), including:
  • IP Policy statements are now standardized because Evaluative Elements have been moved to the Requirements Statement.
  • IP Procedures and IP Managed standard text has been updated for clarity.
  • IP Implemented and IP Measured section formatting has been changed to enhance usability.

Threat-Adaptive and Traversable Assessment Portfolio

The HITRUST CSF assessment portfolio has been consolidated and aligned so that a single approach covers broad assurance needs for different risk levels and compliance requirements with greater assurance reliability than other assessment options. All HITRUST assessments are now subsets (or supersets) of each other, which allows organizations to reuse the work in lower-level HITRUST assessments to progressively achieve higher assurances by sharing common control requirements and inheritance. 

The assessment portfolio changes introduced with v11 are summarized below.

Overview of HITRUST CSF Version 11 Assessment Portfolio Changes

• The r2 baseline will move from the level 1 requirements on the 75 controls required for certification to the i1 requirements
• Inclusion of the i1 requirements as “Core” on an r2 assessment allows r2 to become threat-adaptive
• Overlap of requirements between assessments allows organizations to use the e1 and i1 as stepping stones to a more robust assessment

Source: HITRUST

Below is a summary-level comparison of the three assessment types that will be available with HITRUST CSF v11:

Comparison of HITRUST CSF v11 Assessment Types

HITRUST Assessment	# of HITRUST CSF Requirements	Subject Matter / Focus	Control Maturity Levels	Level of Assurance	Level of Effort
HITRUST Essentials, 1-year (e1) Validated Assessment	Less than 50	Foundational Cybersecurity Hygienefor lower-risk organizations validating the most critical cybersecurity controls. Provides a starting point for all organizations including those in the early stages of implementing their program.	Implemented only(But: Some requirements areP&P focused)	Low	Low
HITRUST Implemented, 1-year (i1) Validated Assessment	Approximately 180	Leading Security Practices for organizations with robust information security programs ready to demonstrate controls that protect against current and emerging threats.​	Implemented only(But: Some requirements areP&P focused)	Medium	Medium
HITRUST Risk-Based, 2-Year (r2) Validated Assessment	Varied based on risk and compliance factors (average 400+)	Expanded Capabilities for organizations to demonstrate regulatory compliance against authoritative sources such as HIPAA and the NIST Cybersecurity Framework or expanded tailoring of controls based on identified risk factors.	Must: Policy, Procedure, ImplementedOptional: Measured & Managed	High	High

Expanded Authoritative Sources

With CSF v11, HITRUST has added two new authoritative sources: NIST SP 800-53, Rev 5, and Health Industry Cybersecurity Practices (HICP) standards. In addition, the v9 mapping from HIPAA, NIST CSF, and NIST 800-171 has been refreshed to address changes in the authoritative source or to refine the mapping according to the NIST OLIR methodology. All mapping was subject to a minimum of three levels of human review prior to publication to ensure accuracy.

New e1 Assessment 

HITRUST CSF v11 introduces a new e1 assessment, which replaces the bC assessment included in v9. The new, lower-effort e1 assessment helps manage the risk of vendors that:

• Are too risky to warrant an information security questionnaire only.
• Are not risky enough to warrant an i1 or r2 assessment.
• May need a demonstrable milestone towards achievement of a more robust HITRUST assessment (i.e., i1 or r2) in the future.

Streamlined i1 Assessment 

The number of requirements statements included in i1 assessments has been reduced from 219 in v9 to approximately 180 in v11. Factors contributing to this reduction include:

• Refreshing authoritative source mappings. 
• Continual threat adaptive control analysis.

A new i1 rapid recertification approach has been introduced with v11. This provides an accelerated way to get to your next certification by demonstrating that your control environment has not materially changed since the previous assessment was performed. Organizations will be required to perform a full i1 assessment in the first year. In year 2 they will be allowed to perform a rapid recertification assessment involving a significantly-reduced number of requirements if certain criteria are met. We anticipate that for most organizations, the rapid recertification will require a much smaller effort than is required for the full assessment.

In year 3 and beyond, a full assessment will be required every other year with rapid recertifications required in the years between full assessments.

AI-Based Standards Development Toolkit 

HITRUST has developed AI-based standards development capabilities to aid its assurance experts in mapping and maintaining authoritative sources. CSF v11 is the first version developed with this enhanced function. It will reduce mapping and maintenance efforts by up to 70% while improving the quality of mappings to authoritative sources and allowing for more authoritative sources in future releases.

Sunsetting Legacy HITRUST CSF Versions

For r2 assessments, HITRUST CSF versions 9.1 through 9.4 will transition to an end-of-life process, while versions 9.5 and 9.6 will continue to be available. I1 assessments will transition to v11. Here’s a summary of the transition timing:

HITRUST v9 to v11 Transition Timeline

HITRUST CSF Version 11 Benefits

Here’s a recap of the key benefits associated with HITRUST CSF v11:

• Streamlines Certification. Significantly reduces the effort required for organizations to certify. For example, the level of effort to achieve and maintain HITRUST Implemented, 1-year (i1) certification over two years can be reduced by up to 45%.
• Addresses New and Emerging Cyber Threats. Protects against new and emerging threats by incorporating additional authoritative sources and enabling the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls that are appropriate for each level of assurance.
• Enables Traversable Assessment Journey Through Expanded and Aligned Portfolio. Updated assessment portfolio provides a single approach that covers broad assurance needs for different risk levels and compliance requirements with greater assurance reliability than other assessment options. All HITRUST assessments are now subsets (or supersets) of each other, which allows organizations to reuse the work in lower-level HITRUST assessments to progressively achieve higher assurances by sharing common control requirements and inheritance.

Additional Resources

Below are additional resources that provide a deeper dive into the topics covered in this blog post:

• HITRUST CSF v11 Announcement
• Tevora Selected for the 2022 HITRUST Assessor Council

Contact Us

If you have questions about HITRUST CSF v11, or would like help bringing your organization into compliance, our team of experienced HITRUST and healthcare security experts can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com.