The eagerly anticipated update to the HITRUST CSF Framework was announced in late December 2022, and officially launched in January 2023.
The HITRUST CSF is a certifiable framework that provides a comprehensive, flexible, and efficient path for complying with a variety of regulatory requirements and security standards that govern many different industries. The framework is an elegant approach to security and compliance that became even more refined in the newest version (v11).
One of the most welcome innovations in CSF v11 is the creation of a nested portfolio of three separate security assessments that work in a progression or continuum. This building-block approach enables your organization to advance efficiently from one level of security assurance to the next. The choice to advance remains optional based on individual organization needs, infrastructure, risk appetite, and other factors.
The cyberthreat adaptiveness that is built into the newest HITRUST level, the Essential 1-Year (e1) Validated Assessment & Certification, was missing from its predecessor, the Basic Current-State (bC) Assessment. As a result, the bC lacked validation and certification components.
Previously, only the i1 assessment was threat-adaptive, as its requirements were periodically added to and removed from the HITRUST Framework to reflect the constantly changing landscape of cybersecurity threats.
With introduction of the new CSF v11, the entire HITRUST framework is now threat-adaptive and can be updated to remain relevant, current, and therefore more effective in securing organizational assets. And all three assessments can now be validated and certified.
With CSF v11, the three levels of the HITRUST Framework are now the e1, i1, and r2 assessments.
According to HITRUST, the ability “to adjust and refresh information security control requirements on a regular basis to meet the latest and emerging cyberthreat activity, such as ransomware and phishing, differs dramatically from most common frameworks, which often remain unchanged for many years.”
Upon this solid foundation, the HITRUST CSF incorporates nearly 40 additional security and privacy regulations, standards, and frameworks in order to provide comprehensive and prescriptive coverage. These resources include:
These are collectively known as authoritative sources in the HITRUST framework. As an example, CSF v11 added two new authoritative sources: NIST SP 800-53, Rev 5, and Health Industry Cybersecurity Practices (HICP) standards.
With each upgrade, HITRUST incorporates new and updated authoritative sources in a practice that helps to keep the framework current and comprehensive.
To support its threat-adaptive framework for cybersecurity, HITRUST utilizes leading threat intelligence to identify indicators of compromise (IoCs) and indicators of attack (IoAs). These are cross-referenced with the MITRE ATT&CK® knowledge base to understand the techniques used in the attacks and the appropriate enterprise mitigations to prevent them.
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques, compiled from reports and observations of real-world attacks. The knowledge base is populated primarily by publicly available threat intelligence and incident reporting, as well as by research on new techniques conducted by cybersecurity analysts and threat experts.
This curated knowledge base is used as a foundation for the development of specific threat models and security methodologies in the private and public sectors as well as in the cybersecurity product and service community. It assists CISOs and their security teams in safeguarding their organizations from known and emerging threats, including those targeting Windows, Linux, macOS, Industrial Control Systems (ICS), and mobile systems. According to recent research by the Enterprise Strategy Group, nearly nine in ten organizations are now using MITRE ATT&CK as a resource.
HITRUST staff actively reference the MITRE cyberthreat database in a process that encompasses three primary activities:
This process is ongoing, and HITRUST has an established protocol for rolling out updates.
HITRUST staff conducted webinars on January 24 and 26, 2023, to introduce details of the new CSF v11 and its threat-adaptive framework, including how updates will be communicated.
As always, users of the HITRUST CSF should review all advisories as they are distributed in order to stay on top of improvements and additions to the framework. The HITRUST website is also an excellent resource for information and documentation.
HITRUST is dedicated to developing current, relevant safeguards for organizations that have adopted the HITRUST CSF Framework. Maintaining a tradition of regular updates, the new CSF v11 was delivered in January 2023. Previously, CSF v9.6 was introduced in January 2022, and in September 2021, CSF v9.5 delivered an updated HIPAA Compliance and Reporting Pack through the MyCSF Portal.
One of the most important innovations of CSF v11 is the addition of threat-adaptive security requirements and controls at all three security assurance levels, from the new e1 to the i1 and r2 assessments. This welcome addition makes the HITRUST CSF a uniquely and entirely threat-adaptive framework, thereby enabling it to remain relevant, current, and effective in securing organizational assets at all levels. Adding further value, all three assessments can now be validated and certified, making it easier for organizations to demonstrate compliance with applicable regulations and standards.
As an authorized HITRUST Readiness Licensee, 24By7Security is able to assist you in understanding the newest update and beginning the journey to HITRUST assessment and certification. Contact us for a complimentary consultation.