
cyBARR Chats HITRUST Edition, Episode 14: HITRUST CSF v11

February 17, 2023 | HITRUST


Transcript:

What does the new HITRUST version 11 encompass, and how does it differ from other versions?

The v11 is a single framework in the HITRUST CSF, which provides one approach that covers broad assurance needs for different risk levels and compliance requirements with greater assurance and reliability than other assessment options. In addition, HITRUST v11 is integrated across several platforms, including Microsoft Azure, Dynamics 365, Microsoft 365, and Power Platform.

Microsoft, HITRUST, and an ecosystem of partners and healthcare organizations are also collaborating on advanced new capabilities to improve clarity on compliance requirements and share responsibilities both across the US and worldwide. The new version release contains new and exciting enhancements that will allow healthcare organizations of all sizes to improve mitigations against cyber threats and streamline the process to greater assurance.

How will version 11 protect healthcare organizations from new and emerging threats?

The CSF v11 enables the entire HITRUST assessment portfolio to leverage cyber threat adaptive controls that are appropriate for each level of assurance out there.

How will version 11 reduce efforts towards the HITRUST certification?

There have been improved control mappings and precision of specifications afforded through CSF v11, which enable a reduced level of effort towards a HITRUST certification.

For example, the level of effort to achieve and maintain HITRUST implemented one-year certification over two years can be reduced up to 45 percent.

With version 11, can organizations reuse the work from lower-level HITRUST assessments to achieve a higher assurance?

Absolutely. Another major improvement in the HITRUST world here. So all HITRUST assessments are now subsets or supersets of each other, which allows organizations to reuse work in the lower-level HITRUST assessments to progressively achieve higher assurances by sharing common control requirements in inheritance.

There’s an e1 assessment, which is brand new and the lowest effort assessment to obtain. With the e1 assessment, there are about 50 controls and in regards to scope and complexity, it’s very similar to your average SOC assessment there.

For the i1 assessment, this actually went from 219 controls down to 182, and the i1 assessment now serves as the baseline for the r2 assessment, which has again reduced the number of controls in scope considerably.

Are there any new sources that version 11 has added?

With v11, HITRUST has added two new authoritative sources, which include NIST SP 800-53, Rev 5, and the Health Industry Cybersecurity Practices Standards.

Are there any new capabilities that version 11 has adapted?

HITRUST has developed AI-based standards development capabilities to aid their assurance experts in mapping and maintaining authoritative sources.

CSF v11 is the first version developed with this enhanced function, and it will really reduce mapping and maintenance efforts up to about 70 percent while improving the quality of mappings to authoritative sources and allowing more authoritative sources in the future release.

Can you talk a little bit more about those end-of-life cycles and how we’ll continue, or discontinue, with the remaining versions?

Yeah, so some major updates and very important updates here as well. v9.1 and 9.4 are transitioning to an end-of-life process for the r2 assessments, and the i1 assessments will transition from 9.6.2 to v11.

For r2 assessments specifically, there are a few updates, which include by September 30th of 2023, the ability to create new v9.1 to 9.4 assessment objects in MyCSF will be disabled. And then on December 31, 2024, the ability to submit a v9.1 or v9.4 assessment will also be disabled. On March 31 of 2026, v9.1 and 9.4 libraries will be removed from MyCSF. And then finally the 9.5 and 9.6 are going to continue to be available for the r2 assessments.

So that was r2 assessments. Getting into the i1 assessments. Some more quicker turnaround times here. So between January 18th, 2023 and April 30th of 2023, the i1 assessments are still able to be used, creating either the 9.6 version or the v11 version. However, on April 30th of 2023, the ability to create a new v9.6.2 i1 assessment is going to be disabled.

And then finally, on July 31st, 2023, the ability to submit 9.6 as assessments and earlier assessment objects is going to be disabled as well.

How can organizations start their HITRUST journey now that this version is out?

Yeah, great question. So organizations that previously downloaded the previous versions of the HITRUST CSF will be notified of the new version. If you’re looking to start your HITRUST journey, you can reach out to BARR for a free consultation.

We’re here to answer any of your questions and make the process as simple as possible as we go through these changes.