HITRUST 2023 Update Delivers Six Important Improvements Plus a Brand New Assessment
HITRUST is an information risk management, standards, and certification body established in 2007 to help healthcare organizations comply with the complex security and privacy requirements of HIPAA.
While it remains a vital tool for hospitals, medical centers, and other healthcare entities, HITRUST has broadened its scope over time to serve many other industries. Today, it supports programs that safeguard sensitive data and manage information risk for organizations of all kinds, including the third-party suppliers those organizations depend on.
A HITRUST 2023 update is launching this month as version 11 of the HITRUST CSF. This article provides CISOs, CSOs, and other security executives with insight into the reasons for the update and the important and surprising improvements it delivers. We also share how you can learn more.
Quick Overview of the HITRUST CSF
The foundation and primary purpose of HITRUST is the HITRUST CSF (Common Security Framework). It is a certifiable framework that provides a comprehensive, flexible, and efficient path for complying with a wide range of regulatory requirements and security standards at once: a single set of controls is mapped to many authoritative sources, so one assessment can support multiple compliance obligations.
Other popular security frameworks include those published by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO/IEC). For healthcare organizations specifically, HITRUST is the most widely used cybersecurity framework, and organizations in many other sectors rely on it as well because of its cross-mapping to other standards.
Six Reasons for the HITRUST 2023 Update
HITRUST is committed to continuous improvement as well as maintaining relevance and effectiveness. According to the HITRUST press release dated December 20, 2022, three primary objectives drove the HITRUST 2023 update to v11: protecting against new threats, enabling greater efficiencies, and streamlining adoption efforts. In addition, the update delivers three specific benefits. These objectives and benefits are described briefly below, based on the press release.
- Protects against new and emerging threats. With v11, every assessment in the HITRUST portfolio uses cyberthreat-adaptive controls appropriate to its level of assurance, so requirement selections track the current threat landscape rather than a static baseline.
- Reduces organizational effort. Improved control mappings and more precise requirement specifications cut the work an organization must invest in adopting the framework and reaching certification. As one example, HITRUST estimates that the effort to achieve one-year assurance and then maintain it for two years can be reduced by up to 45%.
- Enables a building-block approach. The update creates a "traversable assessment journey" through an expanded, aligned portfolio. Each assessment's requirements are nested within the next higher one, so work done for a lower-level assessment is reused when an organization progresses to a higher level of assurance.
- Integrates with Microsoft systems. The update is compatible with Microsoft 365, Azure, Dynamics 365, and Power Platform. In addition, Microsoft, HITRUST, and an ecosystem of partners and healthcare organizations are collaborating on new capabilities intended to clarify compliance requirements and the shared responsibilities between cloud provider and customer.
- Expands authoritative sources. v11 adds two authoritative sources to the HITRUST CSF. One is NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. The other is Health Industry Cybersecurity Practices (HICP), the HHS 405(d) publication of practices for mitigating current threats, covering access and asset management, email and endpoint protection, medical device security, and more.
- AI-based development tool. CSF v11 is the first version built with AI-assisted standards-development tooling that helps HITRUST assurance experts map and maintain authoritative sources. HITRUST states this reduces that effort by up to 70%, improves mapping quality, and makes it easier to add new authoritative sources in future versions.
The Three Flavors of HITRUST Assessment
Periodically, updates to the HITRUST CSF affect various elements of the CSF assessments to ensure that adopting organizations reap the benefits of continuous security and compliance improvements.
CISOs, CSOs, and other security executives who are considering adopting the HITRUST framework can choose among three levels of certifiable HITRUST assurance, depending on their organization's risk profile, customer demands, and other factors. New with HITRUST CSF v11 is an upgraded portfolio of assessments: it still offers three distinct levels of assurance to provide flexibility and progression, but all three now lead to certification. Below is a brief overview of the three assessment levels available with CSF v11.
New: Essentials 1-Year (e1) Validated Assessment + Certification
This new, certifiable one-year assessment is designed for lower-risk scenarios, but it can also serve as a starting point for organizations on a progressive journey to higher security assurance. Its pre-set requirements are widely accepted fundamental cybersecurity practices and overlap with authoritative sources that share similar goals. Because the e1 assessment requires less effort to complete, it also provides less assurance than the more rigorous HITRUST i1 and r2 assessments; organizations should choose it with that trade-off in mind.
A HITRUST webinar on January 26 will share additional details and provide guidance as to the best use of this new assessment.
Implemented 1-Year (i1) Validated Assessment + Certification
The i1 assessment evaluates leading practices and is well suited to moderate-risk environments. It is a good choice when the Essentials Assessment does not offer sufficient assurance but the more demanding risk-based assessment (below) is not warranted. It uses a standard, HITRUST-defined set of requirement statements (219 in the i1 prior to v11) rather than a set tailored to the organization. The i1 is threat-adaptive, meaning HITRUST periodically adds requirements to and removes them from the i1 set to reflect the changing threat landscape. Certification is valid for one year and requires annual re-evaluation to renew.
Risk-based 2-Year (r2) Validated Assessment + Certification
The r2 assessment is tailored to the individual organization. A set of scoping factors (for example, organization type, system size, and regulatory obligations) determines which requirements apply and therefore the size and scale of the assessment. Each requirement may be evaluated against three to five levels of the HITRUST maturity model (policy, procedure, implemented, measured, and managed), and the review commonly involves 1,500 or more pieces of documentation.
The risk-based two-year assessment is most suitable for high-risk environments or scenarios where a high degree of security assurance is required. A business associate that stores large volumes of ePHI for many healthcare providers is one of many examples. Certification is valid for two years; a new validated assessment is required every two years to renew it.
To help organizations prepare efficiently for a certifiable, validated assessment, HITRUST readiness assessments are available from authorized HITRUST Readiness Licensees. A readiness assessment identifies gaps before the validated assessment begins and can save considerable time and effort in achieving compliance and obtaining certification.
How to Learn More About the HITRUST 2023 Update to CSF v11
Regular updates to the HITRUST CSF demonstrate the HITRUST commitment to remain on the leading edge of cybersecurity to effectively help organizations promote information security and safeguard private and sensitive data. The HITRUST 2023 update announced in December’s press release builds on previous versions of the CSF in the tradition of continuous improvement.
Organizations that have downloaded a previous version of the HITRUST CSF are being notified of the latest version by HITRUST and are also invited to attend these upcoming webinars.
- A webinar scheduled for Tuesday, January 24, 2023, will review the CSF v11 changes in greater depth. Registration is open on the HITRUST website.
- To learn more about the new Essentials 1-Year Assessment, HITRUST has scheduled a separate webinar for Thursday, January 26, and registration is open now.
Until HITRUST shares more information about the v11 update, the new Essentials Assessment, and recommended next steps, CISOs, CSOs, and other security executives should continue to adhere to the requirements of their current HITRUST CSF version in order to maintain full compliance.
Summary
In keeping with its commitment to ensure current and relevant safeguards for organizations adopting the HITRUST CSF, in December 2022 HITRUST announced the launch of CSF v11.
The primary purposes of the v11 update are to (1) add protections against new and emerging threats, (2) streamline the efforts necessary for an organization to move toward successful HITRUST adoption and certification, and (3) make it easier for adopters to progress to higher levels of security assurance using a building-block approach.
The HITRUST CSF offers organizations in numerous industries, including healthcare, a clear and proven path to compliance with the many security regulations that apply to them. Organizations that have adopted the CSF, as well as those considering adoption, have access to a variety of resources to learn more about the framework and the new HITRUST 2023 update.
24By7Security is an authorized HITRUST Readiness Licensee able to assist you in understanding the newest update and beginning your journey to HITRUST assessment and certification. Contact us for a complimentary consultation. We speak CISO.
REMINDER: Is your organization observing Data Privacy Week January 22-28? As a CISO, CSO, or other security executive, you can leverage Data Privacy Week to refresh data privacy awareness throughout your organization. You can also sign up as a Data Privacy Champion and join 24By7Security and hundreds of other security-conscious organizations in advocating for effective data privacy all year long.