April 5, 2018

HITRUST Version 9.1 Release

Release adds GDPR and NY State CyberSecurity

HITRUST has expanded its framework to meet global privacy and security requirements.

With its latest version 9.1, HITRUST CSF expands upon its existing security framework to include GDPR and New York State Cybersecurity requirements..
The HITRUST CSF provides organizations with a comprehensive and efficient way to meet regulatory compliance and manage security risks. Let’s take a closer look at the updates in Version 9.1.

Expanded Framework
Version 9.1 of HITRUST CSF expanded the information privacy and security framework to make it more comprehensive and meet two important regulatory requirements, the EU General Data Protection Regulation or GDPR and the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500).

Addition of GDPR and New York State CyberSecurity 23 NYCRR 500
Adding EU General Data Protection Regulation (GDPR) into HITRUST helps establish HITRUST CSF as an international security framework that supports the privacy requirements and needs of global organizations. GDPR, one of the most significant changes in privacy laws in the last 20 years, represents a substantial change in terms of data collection, usage and storage. By updating the HITRUST framework to include GDPR, the HITRUST CSF framework can now be used more widely to report on security controls used to meet GDPR requirements.

The addition of the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) ensures greater protection and resilience in the financial industry. These new requirements are not restricted to only financial institutions now but also affect healthcare organizations and their partners who may be outside the state of New York. By adding this regulatory requirement, HITRUST seeks to enhance cybersecurity consistently in all organizations handling sensitive personal information shared via healthcare and/or financial institutions.

Benefits of Adopting HITRUST Version 9.1
The benefits of adopting HITRUST Version 9.1 include:
• Increasing the protection of personal information in both the healthcare and financial industries
• Meeting GDPR requirements for privacy regarding data of EU citizens
• Proactively meeting GDPR requirements prepares organizations for the changes in collecting, storing and using personal data such as names, addresses, telephone numbers, credit card information, social media posts, health information and other personally identifying information.
• Demonstrating your organization’s commitment to individual privacy and security
• Meeting the New York State cybersecurity requirement for financial organizations, 23 NYCRR 500 to protect personal information
• Reassuring stakeholders and customers concerned about data privacy in the aftermath of recent, high-profile security breaches
• Offering better, consistent cybersecurity resilience and protection for both healthcare and financial institutions
• Internationalizing the HITRUST CSF cybersecurity framework
• Implementing cybersecurity best practices, such as encrypting data both in-transit and at-rest as per 23 NYCRR 500 requirements
• Implementing a cybersecurity policy that addresses both information systems and nonpublic information
• Transparency of cyber events to state regulators
• Ensuring third-party vendors and suppliers you work with also follow cybersecurity measures to protect and safeguard information
• Adding enhancements to the NIST Cybersecurity Scorecard
• Streamlining the assessment process, extending the “assess once, report many” approach for this standard security framework

It is important that organizations leverage a trusted senior assessor organization with significant experience in both the HITRUST and NIST frameworks. A gap analysis can assess your organization’s current security risk and compliance profile, policies and procedures to help you implement any necessary changes and updates.

About the Author

John Huckeby is the managing director of healthcare and life sciences at Tevora.