Unpacking HITRUST CSF v11 – What's New and Important?

Cloudticity, L.L.C.

Since 2007, the vaunted HITRUST CSF certification has been helping organizations in a variety of highly-regulated industries, such as healthcare, demonstrate their commitment to safety and security. 

In January 2023, the HITRUST Alliance released v11 of the CSF, which involves substantial changes over v9.6. Based on extensive community feedback, this newest iteration was designed to better address the evolving landscape of cyber threats, incorporate a range of new standards, and make it simpler for organizations to achieve higher levels of certification.

Unpacking the modifications to the framework can be challenging, but elucidating the key changes can help your organization better understand their potential benefits.

Why was HITRUST CSF v11 Created?

HITRUST continuously updates its framework to help ensure organizations sufficiently protect themselves from the newest cyber threats and adhere to the latest versions of standards. At the same time, HITRUST is committed to making it easier for organizations to provide assurances about security and compliance. CSF v11 was created to address all of these goals. 

Protect against evolving threats

Healthcare companies are one of the richest sources of sensitive data, so it’s no surprise that the healthcare industry is by far the most common target for cybercriminals. Healthcare organizations, therefore, face the difficult task of defending themselves against an army of determined, inventive attackers.

HITRUST monitors shifting cyber threat trends and incorporates new information into the control requirements of its assessments through periodic updates. In CSF v11, HITRUST applies this adaptive approach to evolving threats across its entire assessment portfolio, helping to ensure that organizations protect against the latest threats no matter which assessment they use. 

Incorporate new and refreshed standards

HITRUST certification provides verifiable compliance with a range of standards and regulations. But those standards and regulations can change frequently. Organizations such as the National Institute of Standards and Technology (NIST), for example, periodically update standards and issue new versions. 

HITRUST CSF v11 incorporates new standards and refreshes the mappings between updated standards and control requirements. With v11, HITRUST intends to help organizations better assure partners and customers that they are adhering to the most recent versions of standards.

Streamline the journey to certification

High standards are high for a reason: they’re not easy to achieve. But that doesn’t mean they should be pointlessly difficult. With CSF v11, HITRUST aims to make it simpler to climb up the certification ladder by building on previous assessment and certification work. We’ll have more to say about this in the next section. 

What Has Changed with HITRUST CSF v11?

HITRUST CSF v11 has introduced several key changes that should enhance security, improve compliance, and accelerate assessments. The most notable updates are a new, traversable assessment portfolio, threat-adaptive controls, and a reduced number of requirement statements.

Traversable assessment portfolio 

With v11, HITRUST has altered its assessment offerings to make its portfolio more “traversable”—that is, easier for organizations to move from lower-level to higher-level assessments and certifications. 

The three main HITRUST assessments are the HITRUST Risk-based, 2-year (r2) Assessment, the HITRUST Implemented, 1-year (i1) Assessment, and the HITRUST Essentials, 1-year (e1) Assessment. 

Previously, these assessments had some overlapping control requirements, but organizations that completed the i1 assessment would sometimes later discover that not all of its controls could be reused for the r2 assessment.

In v11, lower-level assessments are now subsets of higher-level assessments, enabling organizations to leverage all their previous work as they move toward higher-level certifications. See figure 1 below.

Threat-adaptive controls

When the i1 assessment was introduced in 2021, HITRUST made it “threat-adaptive,” meaning that it leverages continuously updated threat intelligence and integrates best practices that help protect against evolving cyber threats. This assessment was designed to stay current with new threats while sunsetting controls that are no longer needed.

With CSF v9.6, the threat-adaptive capabilities of the i1 assessment were not included with the r2 assessment. With the nesting of the assessments in v11, the entire portfolio is threat-adaptive, regardless of which assessment you select.

Rapid recertification

CSF v11 introduces the i1 Rapid Recertification Assessment—an accelerated path for achieving i1 recertification. Instead of having to complete an entire i1 assessment every year, the i1 Rapid Recertification Assessment allows you to achieve recertification by demonstrating that your control environment has not materially degraded since the previous, full i1 assessment was performed.

There are a few steps you have to take to achieve rapid recertification, which you can read about here. 

Broadened authoritative sources

The HITRUST CSF maps requirements from authoritative sources to specific controls. With CSF v11, HITRUST has added two new authoritative sources, the NIST SP 800-53 Rev. 5 and the Health Industry Cybersecurity Practices (HICP) standards, while also refreshing mappings to several other important sources (read more here). This helps to ensure alignment with changes in the standards while also improving mapping efficiency. 

Fewer requirement statements

CSF v11 has reduced the number of requirement statements in the i1 and r2 assessments. For example, the i1 assessment previously had 219 requirement statements; with CSF v11, it has 182. Refreshing the authoritative source mappings, using threat-adaptive capabilities, nesting assessments, and conducting additional consolidation work all have contributed to the reduction of requirement statements. These reductions enable you to achieve certification faster and with less effort than before.

Continued inheritance

To speed the journey to certification, organizations often “inherit” compliance controls from HITRUST-certified cloud and managed service providers (MSPs). In other words, once your organization has determined which controls you must attest to, you do not have to implement controls that your certified cloud or managed service provider has already covered.

The ability to inherit controls from external organizations continues with CSF v11, as cloud providers that achieve CSF v11 will offer inheritance for v11 principles.

How is HITRUST CSF v11 different from CSF v9.6?

HITRUST CSF v11 includes substantial changes from previous versions. Unlike CSF v9.6, the new CSF contains a traversable portfolio, meaning that all three assessments (e1, i1, and r2) build on top of each other, making it easier for organizations to increase their level of HITRUST adoption over time. Next, it incorporates threat-adaptive controls, meaning that real-time threat intelligence data is integrated into the framework in order to protect against evolving threats. Additionally, HITRUST has added two new authoritative sources to the CSF mapping: the NIST SP 800-53 Rev. 5 and the Health Industry Cybersecurity Practices (HICP) standards.

Simplify HITRUST with Cloudticity

From improved security to better compliance and streamlined assessment, these changes to the HITRUST framework have the potential to deliver important competitive advantages to your business.

Still, navigating all these changes can be difficult, especially when you want to concentrate on innovation instead of assessment and certification work.

Cloudticity can help you achieve CSF certified status while minimizing the internal disruption and costs to your organization with our HITRUST Inheritance Program. We can also help you map out your path to CSF v11 and determine if it’s right for you.

Working with Cloudticity, your organization can speed up HITRUST certification and simplify ongoing certification while staying focused on providing value to customers.

To learn more about what CSF v11 will mean for your organization and to start planning your move to the new framework, check out the full white paper. Or speak to a healthcare cloud expert at Cloudticity to get on the fast track to HITRUST today.
