HITRUST Releases CSF v11.3.0: Here’s What You Need to Know

April 19, 2024 | HITRUST

HITRUST first released CSF v11 in the spring of 2023, adding new assessment options to its portfolio and streamlining existing assessments to improve quality and efficiency while making compliance more accessible to organizations of all sizes. Since then, HITRUST has continued to publish updates to ensure its suite of assessments addresses the latest cybersecurity risks facing healthcare organizations.

Let’s take a closer look at the most recent update: HITRUST CSF v11.3.0.

What’s New?

According to a press release from HITRUST, the new CSF v11.3.0 includes several major updates designed to improve efficiency and help organizations keep up with new and existing regulations as well as rapid changes in the threat landscape.

These updates include:

  • HITRUST CSF v11.3.0 adds new mappings to frameworks including FedRAMP, StateRAMP, and NIST SP 800-172, paving a more streamlined road to compliance for organizations that work with government entities. Under v11.3.0, HITRUST CSF can also now provide the foundation for CMMC Level 3 Requirements.
  • HITRUST CSF v11.3.0 includes mitigations outlined in the MITRE Adversarial Threat Landscape for Artificial-Intelligence Systems (MITRE ATLAS), which details best practices and requirements for securing AI systems.
  • HITRUST CSF v11.3.0 reduces redundancies in the r2 assessment process by streamlining requirement statements while ensuring controls are still adequately addressed.

Organizations currently undergoing assessments under CSF v11.2.0 may complete their ongoing engagements. Beginning April 16, 2024, all new HITRUST e1 and i1 assessments must align with CSF v11.3.0.

Why It Matters

The release of HITRUST CSF v11.3.0 is a win for healthcare organizations aiming to stay one step ahead of changes in the cybersecurity and compliance landscape. The updates not only streamline the certification process by reducing the time and effort required to achieve compliance against multiple frameworks, but also ensure that HITRUST-certified organizations are well-prepared to keep up with new regulations and advancements in technology, including innovations like AI and machine learning.

“Part of what makes HITRUST’s suite of assessments so effective is that the CSF is designed to be threat-adaptive,” said Steve Ryan, attest services manager and head of healthcare compliance at BARR Advisory. “HITRUST assessments don’t just provide assurance that a service provider is prepared to respond to active threats, but they also help organizations think proactively about how to design controls that can withstand constant changes in technology and security best practices.”

Ryan added: “The latest update cements HITRUST’s commitment to creating a framework that accurately assesses whether an organization is equipped to face new and emerging challenges in cybersecurity and compliance.”

CSF v11.3.0 is just the latest release from HITRUST, which also recently unveiled the HITRUST AI Assurance Program, launched to help organizations take advantage of AI tools while managing and mitigating risks.

Want to learn more about HITRUST CSF v11.3.0 and what these updates mean for your organization? Contact us today to speak with a HITRUST specialist.
