HITRUST CSF Releases v11 to Increase Efficiencies and Stay Threat-Adaptive

Originally published by BARR Advisory.

Written by Kyle Cohlmia.

HITRUST CSF recently released version 11, which includes important updates to the framework that will help streamline the process to greater healthcare assurance and protect against new and emerging threats.

As a single framework, HITRUST CSF v11 provides broad assurance for different risk levels and compliance requirements with greater reliability than other assessment options. HITRUST CSF v11 enables the entire HITRUST assessment portfolio to leverage threat-adaptive controls that are appropriate for each level of assurance.

Let’s take a closer look at the exciting enhancements to HITRUST CSF v11 and how your organization can prepare for and adjust to the new changes.

Updates and New Additions

Overall, HITRUST CSF v11 includes improved control mappings and precision of specifications, which reduces the level of effort for a HITRUST certification. For example, the level of effort to achieve and maintain HITRUST Implemented 1-year (i1) Certification can be reduced up to 45% over the course of two years.

Here’s a few more important updates in the HITRUST CSF v11 that your organization can expect.

Assessments

HITRUST CSF v11 added a new assessment to its services, and past assessments are now subsets or supersets of each other. This allows organizations to reuse work from lower-level HITRUST assessments to progressively achieve higher assurance by sharing common control requirements in inheritance.

These updates include:

• The new e1 Assessment: A new HITRUST e1 Assessment was created as the lowest effort HITRUST assessment to obtain. The e1 Assessment contains roughly 50 controls, and is very similar to a SOC assessment in regards to scope and complexity.
• Reduced i1 Assessment controls: The i1 Assessment decreased controls from 219 to 182.
• Reduced r2 Assessment controls: The i1 Assessment now serves as the baseline for the r2 Assessment, which has reduced the number of controls in scope considerably.

Sources

With v11, HITRUST CSF has two new authoritative sources: NIST SP 800-53, Rev 5 and the Health in Industry Cybersecurity Practices Standards.

AI Standards

HITRUST developed AI-based standards development capabilities to aid their assurance experts in mapping and maintaining authoritative sources.

HITRUST CSF v11 is the first version with this enhanced function, which will reduce mapping and maintenance efforts by 70% while improving the quality of mappings to authoritative sources and allowing more authoritative sources in future releases.

End-of-Life Cycles

Past versions of HITRUST CSF will transition to an end-of-life process. For r2 Assessments, HITRUST CSF v9.1 and v9.4 will transition to an end-of-life, and i1 Assessments will transition from 9.6.2 to v11.

Take a look at a few important dates regarding both the r2 and i1 Assessments’ end-of-life cycles.

r2 Assessments

• By September 30, 2023, the ability to create new v9.1 to v9.4 assessment objects in MyCSF will be disabled.
• On December 31, 2024, the ability to submit a v9.1 or v9.4 assessment will also be disabled.
• On March 31, 2026, v9.1 and 9.4 libraries will be removed from the MyCSF.
• v9.5 and v9.6 will continue to be available for r2 Assessments.

i1 Assessments

• Between January 18, 2023 and April 30, 2023, i1 Assessments will still be available in v9.6 or v11.
• On April 30, 2023, the ability to create a new v9.6.2 i1 Assessment will be disabled.
• On July 31, 2023, the ability to submit v9.6 i1 Assessments and earlier assessment objects will be disabled.