866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

HITRUST CSF v11: An Overview of the Update Blog Feature
Andrew Sullivan

By: Andrew Sullivan

Print/Save as PDF

HITRUST CSF v11: An Overview of the Update

Healthcare Assessments

“New year, new me!”

It seems we always hear that in January as if as soon as the ball drops in New York City, everyone wants to shed their old habits and begin anew, whether it’s changing things regarding their health or their work or something else entirely. We always seem to be most reinvigorated to make major moves in the first month of the year, and in 2023, HITRUST is also getting in on the action.

As of January 18, 2023, HITRUST CSF v11 is available within HITRUST’s proprietary tool, MyCSF, and this isn’t a New Year’s resolution that will soon fade. This update has introduced big changes, and given that HITRUST CSF serves many different kinds of organizations in many different industries, this update is going to have quite a ripple effect.

If you’re someone that has previously undergone a HITRUST assessment or certification, and if you’re still just considering it, don’t worry. We’re both a HITRUST assessor and a member of the HITRUST Authorized External Assessor Council, and in this article, we’ll get you up to speed on what’s new in HITRUST CSF v11.

There will surely be more details to come, but for now, this information will provide a foundation for you to build on as your HITRUST projects move forward.

Changes in HITRUST CSF v11

What’s notable in this new version can be boiled down to three things:

  • A brand new assessment type
  • Changes to existing HITRUST assessments
  • An additional “inheritance” option where your third parties are concerned

The New HITRUST e1 Assessment

HITRUST CSF v11 still provides their familiar i1 or r2 certification options:

  • The Implemented, 1-year (i1); and
  • The Risk-Based, 2-year (r2) assessments.

But in this new version, you now have a third option: the HITRUST Essentials, 1-year (e1) assessment that provides entry-level assurance focused on the most critical controls to demonstrate that “essential cybersecurity hygiene” is in place.

With its fixed 44 requirements, this new assessment option is intended for organizations that have been deemed very low risk by their customers, or if you’re just seeking to quickly demonstrate basic security maturity.

For more information related to the e1 assessment, refer to the HITRUST data sheet: e1 Datasheet - HITRUST Alliance.

 

Changes to the HITRUST i1 Assessment

That being said, you still have your more familiar HITRUST i1 and r2 options.

For those who may not already know, the i1 provides a moderate level of assurance that addresses cybersecurity leading practices and a broader range of active cyber threats than the e1 assessment.

And, in HITRUST CSF v11, it’s the i1 that has received the most significant overhaul:

  • New Fixed Amount of Requirements: Fixed 182 requirements during initial certification.
    • Previously, the different assessment types had disparate requirements, whereas now the i1 includes the 44 e1 requirements.
  • New Rapid Recertification: As discussed in HAA-2023-005.
    • We will be publishing another article soon with more details.

For more information related to the i1 assessment, refer to the HITRUST data sheet: HITRUST-Implemented-1-Year-i1-Assessments. 

Changes to the HITRUST r2 Assessment

And then you have the r2, which has been the flagship offering from HITRUST and will likely remain so. The r2 assessment is intended to provide a high level of assurance that focuses on a comprehensive risk-based specification of controls with an expanded approach to risk management and compliance evaluation. It’s also for those that want to utilize a robust risk-based framework as a basis for their security and/or privacy programs.

One of the changes you’ll notice in the new r2 validated assessments is that the evaluative elements—the testing components of a requirement statement previously located within the illustrative procedures—have been moved into the requirement statement language itself to provide better clarity on the expectations for each requirement.

In addition, v11 has removed the Geographic factor when scoping assessments. Facilities will still be required to be denoted and tested where applicable; however, the risk factor question that asked whether the in-scope facilities were “state,” “multi-state,” or “off-shore” has been removed and made agnostic.

That being said, with CSF v11, the entire HITRUST portfolio of assessments is traversable, meaning that they share common control requirements, allowing organizations to progressively achieve higher assurance levels throughout their HITRUST journey; starting with the e1 that is nested within the i1 that is nested inside the r2. 

For more information related to the i1 assessment, refer to the HITRUST data sheet: HITRUST-Risk-Based-2-Year-r2-Validated-Assessment. 

New Requirement Inheritance Option

Separate from these changes to the assessments is HITRUST CSF v11’s new provision for the inheritance of requirements from third parties that engaged a different version of HITRUST CSF.

Say one of your providers uses v9.x of CSF while you use v11—there may be requirements between the two that are significantly different. But now, HITRUST has implemented the “Legacy Inheritance Support” factor to allow v11 assessments to inherit similar baseline statements from v9.x assessments that are similar, but not exact.

To take advantage of this support, however, said baseline statement must be present in both the inheriting and inherited assessments.

Next Steps for HITRUST CSF v11

It’s a new year, and 2023 has opened with a new version of HITRUST CSF. With these newly expanded and adjusted HITRUST offerings, you can now choose the right assessment based on your organization’s risk, needs, and commitments to your reliant parties.

Thanks to HITRUST’s nesting approach between the e1, i1, and r2 assessments, it’s now easier than ever to start with an assessment that is less rigorous and incrementally increase your organization’s ability to eventually meet the risks that concern your reliant parties.

For more information on this new v11, MyCSF subscribers can check the CSF Summary of Changes document, which provides details on changes made as part of the version 11 upgrade. You’ll also find:

  • An outline of the new features and changes in the assessments
  • How these changes will impact existing assessments
  • Information on the direct changes that will be applied to your existing assessment before your upgrade to version 11 (found in the preview function in HAA 2021-006)

We’ve also deconstructed HITRUST extensively—check out these articles for simplified explanations of several of this framework’s different facets:

 

About Andrew Sullivan

Andrew Sullivan is a Manager with Schellman. Prior to joining Schellman in 2019, Andrew worked as a Senior Associate at a Big 4 audit firm specializing in SOX audits from an IT perspective. As a Senior Associate with Schellman, Andrew Sullivan is focused primarily on SOC 1 and SOC 2 audits for organizations and across various industries.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.