What it is, how it works, and why you want it
The eagerly anticipated update to the HITRUST CSF Framework was announced in late December 2022, and officially launched in January 2023.
The HITRUST CSF is a certifiable framework that provides a comprehensive, flexible, and efficient path for complying with a variety of regulatory requirements and security standards that govern many different industries. The framework is an elegant approach to security and compliance that became even more refined in the newest version (v11).
One of the most welcome innovations in CSF v11 is the creation of a nested portfolio of three separate security assessments that work in a progression or continuum. This building-block approach enables your organization to advance efficiently from one level of security assurance to the next. The choice to advance remains optional based on individual organization needs, infrastructure, risk appetite, and other factors.
How Threat Adaptiveness Works in the HITRUST Framework
According to the December 2022 press release from HITRUST, the first of six reasons for the new CSF v11 update was to enable the entire HITRUST assessment portfolio to leverage a threat-adaptive framework of controls that are appropriate for each of the three levels of assurance.
The cyberthreat adaptiveness that is built into the newest HITRUST level, the Essential 1-Year (e1) Validated Assessment & Certification, was missing from its predecessor, the Basic Current-State (bC) Assessment. As a result, the bC lacked validation and certification components.
Previously, only the i1 assessment was threat-adaptive, as its requirements were periodically added to and removed from the HITRUST Framework to reflect the constantly changing landscape of cybersecurity threats.
With the introduction of the new CSF v11, the entire HITRUST framework is now threat-adaptive and can be updated to remain relevant, current, and therefore more effective in securing organizational assets. All three assessments can now be validated and certified.
With CSF v11, the three levels of the HITRUST Framework are now:
- Essential 1-Year (e1) Validated Assessment + Certification
- Implemented 1-Year (i1) Validated Assessment + Certification
- Risk-based 2-Year (r2) Validated Assessment + Certification
According to HITRUST, the ability “to adjust and refresh information security control requirements on a regular basis to meet the latest and emerging cyberthreat activity, such as ransomware and phishing, differs dramatically from most common frameworks, which often remain unchanged for many years.”
Authoritative Sources Add Value
The core of the HITRUST Framework is based on ISO/IEC 27001:2005 and 27002:2005, which are promulgated by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
Upon this solid foundation, the HITRUST CSF incorporates nearly 40 additional security and privacy regulations, standards, and frameworks in order to provide comprehensive and prescriptive coverage. These resources include:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- The Payment Card Industry (PCI) Data Security Standard (DSS)
- The Health Insurance Portability and Accountability Act (HIPAA), including the HIPAA Security Rule and HIPAA Privacy Rule
- The European General Data Protection Regulation (GDPR)
- Other prominent global, national, and state standards.
These are collectively known as authoritative sources in the HITRUST framework. As an example, CSF v11 added two new authoritative sources: NIST SP 800-53, Rev 5, and Health Industry Cybersecurity Practices (HICP) standards.
With each upgrade, HITRUST incorporates new and updated authoritative sources in a practice that helps to keep the framework current and comprehensive.
MITRE ATT&CK Database Identifies Current and Emerging Threats
To support its threat-adaptive framework for cybersecurity, HITRUST utilizes leading threat intelligence to identify indicators of compromise (IoCs) and indicators of attack (IoAs). These are cross-referenced with the MITRE ATT&CK® knowledge base to understand the techniques used in the attacks and the appropriate enterprise mitigations to prevent them.
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques, compiled from reports and observations of real-world intrusions. The knowledge base is populated primarily by publicly available threat intelligence and incident reporting, as well as by research on new techniques conducted by cybersecurity analysts and threat experts.
This curated knowledge base is used as a foundation for the development of specific threat models and security methodologies in the private and public sectors as well as in the cybersecurity product and service community. It assists CISOs and their security teams in safeguarding their organizations from known and emerging threats, including those targeting Windows, Linux, macOS, Industrial Control Systems (ICS), and mobile platforms. According to recent research by the Enterprise Strategy Group, nearly nine in ten organizations are now using MITRE ATT&CK as a resource.
HITRUST staff actively reference the MITRE cyberthreat database in a process that encompasses three primary activities:
- Threat intelligence data is regularly reviewed and analyzed for Indicators of Compromise and Attack (IoCs and IoAs).
- Threat activity is mapped to Tactics, Techniques, and Procedures (TTPs) within the MITRE ATT&CK Framework.
- Recommended mitigations are mapped to HITRUST CSF Requirements and included in each Assessment as appropriate.
This process is ongoing, and HITRUST has an established protocol for rolling out updates.
How HITRUST Advises of Changes
HITRUST staff conducted webinars on January 24 and 26, 2023, to introduce details of the new CSF v11 and its threat-adaptive framework, including how updates will be communicated.
- The Essential 1-Year Assessment (e1) will be updated with new threats and controls and recommended mitigations as needed. (As noted above, the i1 and r2 assessments will be updated if appropriate.)
- HITRUST will publish an Advisory detailing the update to the HITRUST Framework.
- New requirements, controls, and mitigations will be reflected in the next cycle of certification, allowing CSF users ample time to adjust. Both e1 and i1 are on a one-year certification cycle, while r2 certification is renewable every two years.
As always, users of the HITRUST CSF should review all advisories as they are distributed in order to stay on top of improvements and additions to the framework. The HITRUST website is also an excellent resource for information and documentation.
HITRUST is dedicated to developing current, relevant safeguards for organizations that have adopted the HITRUST CSF Framework. Maintaining a tradition of regular updates, the new CSF v11 was delivered in January 2023. Previously, CSF v9.6 was introduced in January 2022, and in September 2021, CSF v9.5 delivered an updated HIPAA Compliance and Reporting Pack through the MyCSF Portal.
One of the most important innovations of CSF v11 is the addition of threat-adaptive security requirements and controls at all three security assurance levels, from the new e1 to the i1 and r2 assessments. This welcome addition makes the HITRUST CSF a uniquely and entirely threat-adaptive framework, thereby enabling it to remain relevant, current, and effective in securing organizational assets at all levels. Adding further value, all three assessments can now be validated and certified, making it easier for organizations to demonstrate compliance with applicable regulations and standards.
As an authorized HITRUST Readiness Licensee, 24By7Security is able to assist you in understanding the newest update and beginning the journey to HITRUST assessment and certification. Contact us for a complimentary consultation.