With the Health Information Trust Alliance Common Security Framework (HITRUST CSF) version 11 release, HITRUST continues to serve the market by making their assessments more accessible.
The addition of both the HITRUST Essentials 1-year (e1) Assessment (or e1 for short) and the HITRUST Implemented 1-year (i1) Assessment (or i1 for short) will make it easier for organizations to get certified and recertify, particularly those that have a minimal-risk profile. And changes to align overlapping controls among all assessments make it easier to work toward a HITRUST Risk-based 2-year Assessment (or r2 for short).
Outside of the new assessment options, changes to the illustrative procedures, content structure and the corrective action plan (CAP) process make things easier to comprehend for everyone involved.
Overall, these changes seek to reduce the level of difficulty, effort and cost while still maintaining a strong control baseline.
Here are important updates with HITRUST CSF version 11 that your organization should know:
The new HITRUST e1 assessment
One major change released with version 11 is the addition of a new assessment: the e1.
This assessment is focused on cyber hygiene — measuring whether an organization is meeting the minimum bar for data security expectations. It helps solve the major complaint that an r2 or even an i1 assessment is too burdensome and costly in some cases.
Organizations that have a minimal-risk profile or those that don’t need to meet compliance within a specific framework are ideal candidates. For example, a healthcare vendor that doesn’t access patient information but still needs to provide confidence in their data security could use the e1.
For other organizations, it can be used as a first step toward more rigorous assessments, such as the i1 or r2.
Overlapping requirements for different HITRUST assessments
In previous versions, the available HITRUST assessments had less overlap. With this update, all requirements for the e1 are also part of an i1 assessment. And all requirements with an i1 are part of the r2 assessment.
Because of this, achieving compliance with requirements in an e1 or i1 prepares you for the corresponding portion of the r2, as well. They can therefore be used as logical steppingstones for any organization that wants to work their way toward an r2 assessment.
Incorporating the requirements for the i1 into the r2 has also made the r2 more threat adaptive.
The original focus of the i1 was on an organization’s ability to defend against threats such as malware or ransomware, while the r2 was more focused on the nature of the systems that were being assessed.
Incorporating the i1 into the r2 will push more organizations to have proper controls in place for potential cybersecurity attacks and other threats.
Rapid recertification for HITRUST i1 assessments
The addition of the rapid recertification process for the i1 is another way that HITRUST is making assessments more accessible.
Like the interim process for r2 assessments, rapid recertification lets companies achieve recertification with less effort. Companies can recertify every other year, meaning a full effort certification is only required every two years.
The process also accounts for updates to the assessment during recertification years.
If an organization needs to recertify after an update, they won’t have to do a full certification. They will only need to meet the standard for any new requirements and prove that their other controls have not materially degraded.
Standardized CAP requirements
HITRUST has improved the CAP process by introducing a streamlined way to determine CAPs. These changes apply to all assessments and clearly indicate when an organization has a gap or a CAP.
According to the newly revised standards, a CAP is necessary only when a control reference score is below 71 (for r2 assessments) and below 80 (for i1 and e1 assessments).
The standards help clarify when a single weakness (or multiple related weaknesses) necessitate action by the assessed entity.
Changes to illustrative procedures
HITRUST has made it easier to read and understand the illustrative procedures, changing the format so that important information is clearly presented.
In previous versions, evaluative elements were contained in a single paragraph that was difficult to parse for individual items. Now that the information has been reformatted and edited for improved clarity, it’s easier for both the auditor and the auditee to understand expectations and account for all evaluative elements.
New and refreshed authoritative sources
One primary benefit of the HITRUST CSF is that it incorporates other frameworks. For HITRUST CSF version 11, they’ve continued to keep pace with regulations by offering new frameworks and updating older ones.
HITRUST has added the following authoritative sources:
- National Institute of Standards and Technology (NIST) SP 800-53 Revision 5
- Health Industry Cybersecurity Practices
And they’ve refreshed:
- Health Insurance Portability and Accountability Act (HIPAA)
- NIST CSF
- NIST 800-171
Legacy version deadlines
HITRUST will be disabling functionality for older versions periodically from 2023—2026.
For i1 assessments, the ability to create assessment objects for CSF version 9.6.2 will be disabled on March 31, 2023. All CSF version 9.6.2 assessment objects will need to be submitted by June 30, 2023.
For r2 assessments, creating new objects for CSF version 9.1 through 9.4 will be disabled on September 30, 2023, and all objects need to be submitted by December 31, 2024.
On March 31, 2026, the libraries for those older versions will be removed from the HITRUST MyCSF tool.
Be aware of these deadlines and make sure that you complete any ongoing assessments within the allowed timeframe.
How Wipfli can help
At Wipfli, our experienced HITRUST consultants can help you prepare for your assessment and complete it on time. We can support you through any stage of the process, including performing a readiness assessment to help ensure your organization has what it needs to achieve certification.
Contact us today for help with a better assessment outcome.
Sign up for more information in your inbox, or keep reading: