Over the past few years, the HITRUST CSF® common security framework has gained widespread adoption among healthcare-focused organizations – entities either within the healthcare industry or those that provide services to the healthcare industry. These organizations have used certification via the HITRUST CSF information protection framework to demonstrate their security and privacy posture related to electronic protected health information (ePHI).
Recognizing that organizations outside of the healthcare industry face similar cybersecurity threats and need to secure sensitive information, HITRUST is restructuring the HITRUST CSF to extend adoption of the framework to organizations in industries other than healthcare.
This shift in the focus and use of the HITRUST CSF is being implemented through two releases:
- Version 9.2 (released in January 2019). Existing ePHI-focused control requirement language is reworded to include all types of sensitive data.
- Version 10 (to be released). The framework is restructured to include a core set of controls required for certification and to make available additional industry-specific controls.
Version 9.2: What’s new
With the release of version 9.2 of the framework, the HITRUST CSF has been modified to reflect its expansion beyond healthcare. Control requirement language that previously focused on ePHI and the healthcare industry is now generalized to facilitate wider adoption.
To further aid organizations in addressing global data protection and compliance requirements, version 9.2 also integrates data protection requirements from the European Union’s General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA).
With the shift to an industry-nonspecific approach, the HITRUST CSF now can be used by any organization wishing to gain assurance over its information security and privacy practices. Healthcare-focused organizations can continue to perform an ePHI-focused assessment but must select the Health Insurance Portability and Accountability Act (HIPAA) as a regulatory risk factor when setting up their assessments.
For nonhealthcare organizations, the updates to remove healthcare and ePHI language from the previous control requirement language make it easier to understand the intended scope of each requirement and minimize any guesswork about how to implement the controls within their environment.
Version 10: Upcoming changes
Changing the control requirement language in version 9.2 was the first step in transforming the HITRUST CSF into a framework for industries other than healthcare. Version 10, currently anticipated for release in the fourth quarter of 2019, will complete that transformation through a more significant framework restructure.
The existing HITRUST CSF scoping process uses a set of assessment risk factors to generate a risk-based, customized set of control requirements for each organization. As part of version 10, these assessment risk factor options will be enhanced to support two approaches for an organization to choose from:
- HITRUST Control Core: a robust information protection framework that can be adopted by any organization in any industry
- HITRUST Control Core + Industry Focus: a customized information protection framework that incorporates additional control requirements based on an organization's industry (for example, HIPAA) or similarly unique assurance requirement (for example, GDPR)
Organizations that are required to obtain HITRUST CSF certification or have otherwise chosen to adopt the framework internally should consider which approach aligns best with their information security and compliance objectives.
Some organizations might decide to select the Control Core option in order to complete an initial assessment of their information protection program and defer the additional industry-specific control requirements for a later time.
The Control Core + Industry Focus option results in a more precise and relevant set of control requirements that incorporate industry-specific best practices. This approach also is likely to generate a higher number of applicable control requirements, which means the organization will have to make an increased effort to implement and operate the control requirements, as well as a potentially greater effort and expense to undergo the related assessment.
Other considerations include:
- Customer expectations: Customers’ vendor management programs might require some type of periodic security assessment but might not have specific scoping requirements beyond that.
- Existing industry standards: Certain internal and external stakeholders (for example, regulators in the financial services or healthcare industries) are more likely to need or expect organizations to address their own prescriptive, established, industry-specific standards.
- Current program maturity: Organizations that already have adopted the HITRUST CSF or that believe they have established robust risk management and internal control practices might want to assess themselves against the additional industry control requirements.
HITRUST’s latest enhancements to the HITRUST CSF allow for increased adoption by organizations across a wide range of industries and geographies. No longer focused solely on healthcare and ePHI, the HITRUST CSF and HITRUST CSF Assurance Program can be used to demonstrate the strong data protection and information risk management practices of organizations in industries outside of healthcare. By adopting an established and recognized framework and assessment methodology, organizations can communicate their overall security and privacy posture and differentiate themselves within the market.