HITRUST redesigns CSF in v11 to increase efficiencies and cyber threat-adaptive assurances
Updated CSF can reduce certification efforts by up to 45%
FRISCO, Texas, December 20, 2022 – HITRUST, the information risk management, standards, and certification body, will release HITRUST CSF version 11 in January 2023 to improve mitigations against evolving cyber threats, broaden the coverage of authoritative sources, and streamline the journey to higher levels of assurance.
“There is no question that frameworks need to stay relevant with current and emerging threats so organizations can conduct assessments as efficiently as possible and provide practical, yet meaningful, assurances to stakeholders,” said Andrew Russell, VP of Standards, HITRUST. “The investments we’ve made in our AI-based standards development platform have dramatically improved our ability to assess threat-adaptive mitigations, add authoritative sources, and reduce redundancies, allowing organizations to achieve the same level of assurance with less effort.”
The CSF v11 demonstrates HITRUST’s commitment to continuous improvement:
Protects against new and emerging threats: The CSF v11 enables the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls that are appropriate for each level of assurance.
Reduces effort toward HITRUST Certification through greater efficiency: Improved control mappings and more precise specifications in CSF v11 reduce the level of effort required for a HITRUST certification. For example, the level of effort to achieve and maintain HITRUST Implemented, 1-year (i1) Certification over two years can be reduced by up to 45%.
Enables a traversable assessment journey through an expanded and aligned portfolio: The HITRUST CSF provides a single framework and a single approach that covers broad assurance needs across different risk levels and compliance requirements, with greater assurance reliability than other assessment options. All HITRUST assessments are now subsets (or supersets) of each other, so organizations can reuse the work from lower-level HITRUST assessments to progressively achieve higher assurances through shared control requirements and inheritance.
In addition, HITRUST CSF v11 is integrated across Microsoft Azure, Dynamics 365, Microsoft 365, and Power Platform. Microsoft, HITRUST, and an ecosystem of partners and healthcare organizations are also collaborating on advanced new capabilities to improve clarity on compliance requirements and shared responsibilities both across the U.S. and worldwide.
“The HITRUST inheritance program offers tremendous value to customers who build on our platform and can inherit our controls in their HITRUST assessment,” said David Houlding, Director, Global Healthcare Business Strategy, Microsoft. “The expanded and traversable HITRUST assessment portfolio provides new flexibility enabling more organizations to leverage Microsoft’s HITRUST assessments through the shared responsibilities and inheritance program to reduce the scope, cost, and time to achieve and maintain their own HITRUST compliance.”
Expands authoritative sources: With CSF v11, HITRUST has added two new authoritative sources, NIST SP 800-53, Rev 5, and Health Industry Cybersecurity Practices (HICP) standards.
AI-Based Standards Development Toolkit: HITRUST has developed AI-based standards development capabilities to aid our assurance experts in mapping and maintaining authoritative sources. CSF v11 is the first version developed with this enhanced function. It will reduce mapping and maintenance efforts by up to 70% while improving the quality of mappings to authoritative sources and allowing for more authoritative sources in future releases.
“Security requirements are never complete, and a framework that is adaptive and responsive to security and compliance stakeholders is sorely needed,” said Robert Booker, HITRUST Chief Strategy Officer. “We restlessly evaluate and update the CSF in response to new cyber security, assurance, and compliance requirements.”