A few weeks ago, HITRUST unveiled changes to its HITRUST Certification program that will certainly have an impact on healthcare organizations of all sizes. The two biggest announcements relate to a smaller scale HITRUST CSFBASICs certification path and significant changes to the CSF v9 that is slated for release later this year.
Small and lower-risk healthcare organizations (e.g., physician practices) need to address information security and privacy assurance, but they often lack the resources, skills, or budget to address the full complement of HITRUST CSF controls. Recognizing this, HITRUST announced the development of its CSFBASICs (CSF Basic Assurance and Simple Institution CyberSecurity) program. The program, which is still being piloted and is scheduled for release in Q3 2017, offers a simplified set of CSF requirements that focus on 76 information security controls and 33 privacy controls. The CSFBASICs program also reduces the number of maturity levels used to evaluate each control from 5 to 3. According to Dan Nutkis, president of HITRUST, the CSFBASICs programs,
"leverage the HIPAA Security Rule's flexibility of approach provisions to create a 'good hygiene' approach to information security and privacy for smaller, more resource-constrained healthcare entities that generally present relatively low inherent risk."
As part of its methodology to continuously update the CSF to keep pace with current information security requirements and provide linkages to other information security regulations and frameworks, HITRUST announced that its CSF version update to v9 from v8.1 is scheduled for July 2017. CSF v9 includes a number of enhancements and changes that affect HITRUST Certification scope:
- Additional regulation/framework mappings: CSF v9 will include mappings to controls within FedRAMP Support for Cloud and IaaS Service Providers and the FFIEC IT Examination Handbook. It will also align the language of the relevant CSF control requirements with the language in the second release of the OCR audit protocol.
- Additional control requirements added to HITRUST Certification scope: The number of controls required for HITRUST Certification will be increased from 66 to 75 to include controls relevant to the NIST Cybersecurity Framework. The intent is to have the HITRUST Certification serve as a single report to provide compliance scorecards for both HIPAA and NIST Cybersecurity Framework.
What does this mean to me?
Depending on the type and size of your healthcare organization, the changes in HITRUST’s press release will result in either a simplified approach with HITRUST CSFBASICs Certification or an expanded scope for HITRUST Certification using CSF v9. Contact a healthcare assessment specialist at Schellman to determine the approach that is best suited for your organization.
About the Author
Gary Nelson is a Principal at Schellman. Gary currently helps lead Schellman’s HITRUST and DEA EPCS practices and has been a leading expert in both HITRUST for healthcare service organizations and DEA EPCS for providers of electronic prescription and electronic pharmacy applications. Having completed over 500 service audits, Gary is one of the most experienced service auditors in the United States.