October 18, 2017

HITRUST Version 9 Released

With the latest version released in August 2017, HITRUST has expanded its framework and increased requirements for healthcare organizations.

HITRUST CSF, the most widely adopted security framework in the healthcare industry, was updated to version 9 in mid-August 2017 to improve information protection through enhanced cybersecurity protocols and an expanded framework.

HITRUST CSF provides organizations with a comprehensive and efficient way to meet regulatory compliance requirements and manage security risks. Let’s take a closer look at the updates in Version 9.

Expanded Framework

Version 9 of HITRUST CSF has expanded to integrate broader regulatory requirements and industry frameworks, while retaining strong ties to the NIST frameworks.

Addition of NIST CSF and Cybersecurity Certification

The addition of the NIST Cybersecurity Framework (CSF) in version 9 is by far the most significant change. It allows organizations to assess against a total of 185 control requirements that align with HITRUST CSF, moving them closer to achieving NIST Cybersecurity Certification efficiently and effectively.

Increased HITRUST CSF Security Controls from 66 to 75

Version 9 increases the number of security controls required for certification from 66 to 75. The latest version is now applicable to industries beyond healthcare.

The 19 new security controls introduced in version 9 include the following:

  • Establishing standard requirements for evaluating risks for the organization
  • Controls for remote diagnostic and configuration access
  • Processes for managing user privileges to systems and applications
  • Developing procedures for an independent review of information security controls
  • Requirements for addressing security when interacting with customers
  • Protection of organizational records
  • Technical compliance checking for systems and networking devices
  • Change management and change control procedures
  • Controls for mobile code execution such as Java, JavaScript, Shockwave, Flash and more
  • Data backup requirements
  • Electronic messaging controls
  • Electronic commerce and on-line transaction protections
  • Administrator and operator logging
  • Processes for documenting security requirements for information systems
  • Establishing processes for learning from past information security incidents
  • Defining business continuity planning processes

Adoption of Multiple New Protocols

HITRUST Version 9 also incorporates multiple new protocols, including FFIEC (Federal Financial Institutions Examination Council), FedRAMP (Federal Risk and Authorization Management Program), DHS CRR (Department of Homeland Security Critical Resilience Review), OCR (Office of Civil Rights) Audit Protocol v2 and CFR (Code of Federal Regulations) Part 11. These new protocols help an organization manage its compliance needs regarding financial transactions, use of cloud-based services, the critical cybersecurity requirements set by DHS, civil rights, and the FDA's electronic signature requirements. HITRUST CSF version 9 builds upon the healthcare sector cybersecurity framework from the Department of Homeland Security.

The release of the latest version of HITRUST CSF demonstrates an ongoing refinement of the widely used security framework to address and adapt to emerging security risks. In this latest version, numerous regulatory requirements are addressed within a single framework, which reduces the resources required to assess risk programs and enables an ‘assess once, report many’ approach.

What to Expect

Our initial analysis shows that organizations can expect a substantial increase, by as much as 75%, in the number of requirements relevant to their HITRUST environments. HITRUST assesses the security landscape annually and reviews the existing CSF controls so that they continue to reflect the compliance obligations and security risk of certified organizations. Required certification controls change as security threats change, so you can expect further increases and changes in certification controls in the future.

Organizations should engage a trusted senior assessor organization with significant experience in both the HITRUST framework and cybersecurity controls to help them navigate version 9. A gap analysis that assesses the organization’s current security risk profile, policies and procedures can help identify and implement the necessary changes and updates.

About the Author

John Huckeby is the managing director of healthcare and life sciences at Tevora