New Version of HITRUST CSF Helps Healthcare Tackle Emerging Cybersecurity Threats

HITRUST will release CSF version 11 in January 2023, promising improved mitigations against emerging cybersecurity threats and an AI-based standards development toolkit.

By Jill McKeon

HITRUST plans to release version 11 of its cybersecurity framework (CSF) in January with new and improved features for managing emerging cybersecurity threats and reducing certification efforts, the organization announced.

As previously reported, HITRUST can help healthcare organizations improve their security postures and manage third-party risk. The HITRUST CSF is a risk and compliance-based framework that aims to provide structure and guidance across a variety of data privacy and security regulations and standards, helping organizations reduce burden and complexity.

Specifically, CSF v11 offers improved control mappings and precision in order to reduce certification efforts by 45 percent. In addition, the new version “enables the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls that are appropriate for each level of assurance.”

CSF v11 also includes expanded authoritative sources, including the National Institute of Standards and Technology (NIST) SP 800-53, Rev 5, and the Health Industry Cybersecurity Practices (HICP) standards.

HITRUST also developed artificial intelligence-based standards development capabilities to assist its assurance experts in mapping and maintaining authoritative sources. HITRUST said that this AI-based toolkit will reduce maintenance and mapping efforts by up to 70 percent.

“Security requirements are never complete, and a framework that is adaptive and responsive to security and compliance stakeholders is sorely needed,” Robert Booker, chief strategy officer at HITRUST, explained in the press release. “We restlessly evaluate and update the CSF in response to new cyber security, assurance, and compliance requirements.”

In addition to streamlined mapping and maintenance processes, CSF v11 “enables a single framework in the HITRUST CSF to provide a single approach that covers broad assurance needs for different risk levels and compliance requirements with greater assurance reliability than other assessment options.”

Essentially, organizations can now re-use work done during lower-level HITRUST assessments to accumulate higher assurances, saving more time and effort in the process. HITRUST also partnered with Microsoft, and v11 is integrated across Microsoft Azure, Microsoft 365, Dynamics 365, and Power Platform.

“The HITRUST inheritance program offers tremendous value to customers who build on our platform and can inherit our controls in their HITRUST assessment,” David Houlding, director, global healthcare business strategy at Microsoft, stated.

“The expanded and traversable HITRUST assessment portfolio provides new flexibility enabling more organizations to leverage Microsoft’s HITRUST assessments through the shared responsibilities and inheritance program to reduce the scope, cost, and time to achieve and maintain their own HITRUST compliance.”

The latest version of the HITRUST CSF will ideally reduce complexities, reflect the modern cyber threat landscape, and help healthcare organizations better manage risk.

“There is no question that frameworks need to stay relevant with current and emerging threats so organizations can conduct assessments as efficiently as possible and provide practical, yet meaningful, assurances to stakeholders,” Andrew Russell, VP of standards at HITRUST, continued.

“The investments we’ve made in our AI-based standards development platform have dramatically improved our ability to assess threat-adaptive mitigations, add authoritative sources, and reduce redundancies, allowing organizations to achieve the same level of assurance with less effort.”