HITRUST CSF v9.1 Release: Integrating GDPR and New York State Cybersecurity Requirements

March 26, 2018 | HITRUST, Privacy

The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) announced the release of version 9.1, which incorporates the EU General Data Protection Regulation (GDPR) and New York State Cybersecurity Regulations (NYCRR 500). With the growing threat to the security and privacy of all organizations, many industries outside of healthcare have turned to the HITRUST framework for improved security management.

“This latest release demonstrates our commitment to ensure the HITRUST CSF stays relevant to the information risk management, data protection, and regulatory compliance needs of domestic and global organizations through incorporation of new standards and regulations,” said Bryan Cline, Vice President, Standards & Analysis, HITRUST.

Incorporation of GDPR and NYCRR 500

General Data Protection Regulation (GDPR): On May 25, 2018, the European Union General Data Protection Regulation (GDPR) directive will go into effect. It was designed to standardize and strengthen data protection for European consumers with requirements that include requiring consent when collecting information, appointing a Data Protection Officer (DPO), and notifying privacy regulators and consumers of a breach within 72 hours of discovery.

New York State Cybersecurity for Financial Services Companies (NYCRR Section 500): With corporate data security breaches on the rise, the New York State Department of Financial Services (DFS) implemented Cybersecurity Requirements for Financial Services Companies. Key requirements include establishing a cybersecurity program, adopting a written cybersecurity policy, appointing a Chief Information Security Officer, and conducting a risk assessment.

What Does HITRUST CSF v9.1 Mean for Your Organization?

The HITRUST CSF v9.1 is the latest update to the framework built to address security and privacy risk management, streamline the assessment process, and extend the “assess once, report many” approach. So how should you determine if your organization should complete a v9.1 assessment?  Have you been previously assessed under the prior version, CSF v9.0? Have you reviewed the NYCRR Section 500 and GDPR to see if the regulations apply to your organization?

BARR Advisory is available to assist organizations with HITRUST certification. To discuss if HITRUST CSF v9.1 applies to your organization, contact us today.

Let's Talk