The HITRUST Alliance, in its efforts to keep the framework up-to-date, provides new releases annually, being Version 8 of its Common Security Framework (CSF) their most recent one (Version 7 was released in January 2015). The updates to the framework are based on feedback from the HITRUST community, current risks and trends, as well as a way to incorporate updates from the various frameworks and requirements that are mapped and used as baseline requirements in development of the CSF.
The Alliance uses the updates to fine tune the CSF requirements, and also provides any needed clarifications on the requirements based on feedback from supporting organizations and the HITRUST validated organizations and their assessors.
The following changes were included in the latest release:
- Enhanced mapping to various frameworks including the NIST Cybersecurity Framework, the Cloud Security Alliance Cloud Controls Matrix v3.0.1, the PCI Data Security Standard v3.1, the Center for Internet Security Critical Security Controls v6, and the Precision Medicine Initiative’s Data Security Policy Framework.
- HITRUST De-identification Framework, which is a protocol for data de-identification.
- Two new controls related to User Access Review and Session Time-Out.
- Additionally, the HITRUST Alliance formally integrates the AICPA mapping from the SOC 2 Trust Services Principles to the CSF v8.
The HITRUST Alliance has also made recent updates to the My CSF portal, which is the required assessment software platform that organizations use when conducting their HITRUST CSF Self-Assessment and Validated Assessments.
The CSF v8 requirements are required for all assessments ending after December 31, 2016.
With these updates, the HITRUST Alliance continues to help Healthcare organizations to maintain the level of compliance with common industry standards, as well as providing a deeper mapping to other common frameworks and requirements.
About the Author
Greg Miller is a Principal at Schellman. Greg leads the HITRUST service line. Greg has more than 20 years of combined audit experience in both public accounting and private industry.More Content by Greg Miller