Protecting the privacy & security of your patient’s health information.

BLOG POST: HITRUST CSF v9 – Don’t Worry, You'll be Fine

It's mid-September and healthcare security professionals are anxious. I know what you’re professionals are always anxious! For some, the late-summer anxiety may be caused by the new HITRUST framework release. The release (link: became official on 9/11/2017 when the HITRUST Alliance published its annual update to the CSF (the standard formerly known as the Common Security Framework). The CSF itself is the amalgamation of several regulatory and industry frameworks that have been cross-referenced, simplified, and de-duplicated into one custom framework for the healthcare industry. Additionally, the CSF sets the requirements that must be met for an organization to receive HITRUST certification, a security certification that is increasingly required by leading healthcare organizations. 

An update to the framework. This is bad news, right?

Definitely not. One of the great benefits of subscribing to the HITRUST CSF are the regular updates to account for changes in other security sources. For instance, v9 of the CSF includes requirement updates based on clarifications and guidance released in the Office for Civil Rights (OCR) HIPAA Audit Protocol v2. The framework also incorporated NIST’s new guidance on password complexity requirements (NIST SP 800-63B) released earlier this summer. Organizations aligning with v9 of the CSF can take advantage of the relaxed password complexity requirements.

In addition to updates to authoritative sources, HITRUST has consistently expanded coverage of the framework each year. This year’s new frameworks include:

  • FFIEC Information System Examination – Information Security
  • FedRAMP
  • DHS Critical Resilience Review
  • EHNAC Accreditation requirements

For organizations looking to achieve HITRUST certification, the v9 release includes an increase in controls that are required for certification. This translates into a significant increase in the number of requirement statements that will populate within a validated assessment. The bright side is that the inclusion of more requirements helps strengthen the clout associated with HITRUST certification. The increase in requirements also pushes the healthcare industry toward a more mature information security posture.

What new controls are required for certification within v9?

With v9 of the CSF, HITRUST added 19 controls to the list of requirements that are required for certification. Here's brief overview of the new topics that were introduced to CSF validation process with v9: 

  • Processes for managing user privileges to systems and applications
  • Controls for remote diagnostic and configuration access
  • Establishing standard requirements for evaluating risks for the organization
  • Developing procedures for the for an independent review of information security controls
  • Requirements for addressing security when interacting with customers
  • Protection of organizational records
  • Technical compliance checking for systems and networking devices
  • Change management and change control procedures
  • Controls for mobile code execution (e.g., Java, JavaScript, ActiveX, PDF, postscript, Shockwave movies, and Flash animations)
  • Data back-up requirements
  • Electronic messaging controls
  • Electronic commerce and on-line transaction protections
  • Administrator and operator logging
  • Processes for documenting security requirements for information systems
  • Establishing processes for learning from past Information Security incidents
  • Defining business continuity planning processes

With v9, HITRUST also demoted 10 controls from its previous required-for-certification lists.  These controls are still part of the framework and remain critical to implementing a robust security program, but they will not be included in v9 validation assessments.  

An increase in required controls? Does this mean that HITRUST certification is now harder to achieve under v9?

Possibly. If your organization has traditionally aligned itself with other security frameworks, you'll find the new requirements are generally included within other security best practices. If your organization is just building its security program, you will definitely see an uptick in requirements to implement and include in your policies and procedures from v8.1 to v9.

We're looking to complete certification/re-certification against v9 in 2018. What should we do first?

  1. Don't panic. Yes, there is a significant increase in requirements, but you can handle this. To start, get familiar with the new requirements. Review HITRUST's release notes and summary of changes to identify all the tweaks to old requirements and updates to new requirements. 
  1. Get familiar with the new requirements. Log into MyCSF, create a new assessment object, and begin to review the new requirements that are now added with v9.

WARNING: If you've been planning to assess against v8.1 before March 11, and you already have a v8.1 object, DO NOT refresh or modify the assessment details in you v8.1 object.

  1. Perform a gap assessment of your policies and procedures to the new requirements. Policy and procedure updates are often the most time-consuming remediation tasks for HITRUST certification.  Start working with business and IT teams to identify how the new requirements can be applied and determine ways to implement updates.

Note: Where you're stuck, be sure to ask your assessor for example policy statements and processes that you could refine and adopt internally. 

  1. Engage an assessor firm early for guidance. Since your assessor firm will be performing the certification, it is best to have your assessors available when interpreting the new baseline requirements. Be sure to engage an assessor with significant experience with the framework and HTIRUST certification. The success of your certification is dependent on your assessor firm’s experience. 
  1. Get started on making progress quickly! If you're looking to get certified in 2018, create an assessment object in MyCSF now. This is the only way to ensure you can continue to certify assess against v9 throughout 2018. Start remediating your gaps soon, Q1 2018 (when v9.1 is expected) and Summer 2018 (when v10 is expected) will be here before you know it!
  1. Bonus: Develop a long-range strategy to align with all 135 CSF requirements. Individuals who have followed the HITRUST framework in previous years have seen a steady increase in the number of controls required for certification. Each year, HITRUST assesses the security landscape and reviews the CSF controls that best demonstrate a reasonable level of assurance for certified organizations. The changes to the required-for-certification controls in v9 reflect this analysis. The required-for-certification controls will continue to change in future years. Ultimately, the best way to reduce future HITRUST anxiety is to develop a plan to implement all 135 controls within your security program.

For more details on v9 of the CSF, see the official press release on the HITRUST website here.

About the Author

Tyrone is an experienced consultant who advises his covered entity and business associate clients on cybersecurity, privacy and compliance matters. His expertise includes HIPAA security risk assessments, HITRUST certification, SOC 2 certification, security governance and strategic planning, vendor risk management and cloud security best practices.  

Tyrone has in-depth knowledge of security industry standards such as NIST, ISO 27001, ISO 27002, HITRUST CSF and the Payment Card Industry Data Security Standard (PCI DSS). He is a technical leader in Meditology’s IT Risk Management practice and has led penetration assessments, network vulnerability scans, medical device assessments and firewall configuration reviews. His clients include multi-facility health systems, health insurance payers, and business associate organizations of all sizes and complexities.