TMCnet News
HITRUST CSF v9 Enhancements Extend "Assess Once, Report Many" Approach as a Standard Security Framework for Multiple Critical Infrastructure Industries

HITRUST announced today specific details surrounding version 9 (v9) of the HITRUST CSF, to be released in mid-August 2017. This release is a continuation of HITRUST's efforts to improve the overall state of information protection by providing organizations with a comprehensive, common approach to managing information privacy and security risks, including those from cyber. The HITRUST CSF, the most widely adopted controls framework in the healthcare industry, is quickly developing as a standard in other industries and is gaining broader adoption internationally. A driver behind this broader growth is HITRUST's support for an organization's attestation of compliance with the NIST Cybersecurity Framework (NIST CsF). With the release of HITRUST CSF v9, a single CSF assessment will include the controls necessary to address the NIST CsF requirements, and an addendum to the HITRUST CSF Assessment report has been added to display the HITRUST CSF controls through the lens of the NIST CsF Core Subcategories.

"By incorporating the NIST Cybersecurity Framework into the HITRUST CSF and establishing a certification mechanism as part of the CSF Assurance program, organizations now have an effective and efficient approach for reporting an organization's cybersecurity posture leveraging the NIST Cybersecurity categorization," said Jason Newman, Vice President, Chief Information Security Officer, Blue Cross and Blue Shield of Minnesota. "This is another benefit in leveraging a common and comprehensive framework in the HITRUST CSF."
By increasing the number of HITRUST CSF controls required for HITRUST CSF Certification from 66 to 75, organizations will now be able to leverage a single risk assessment to obtain a standardized report against a common set of security and privacy controls, an "assess once, report many" approach for multiple industries beyond healthcare, such as financial services and European markets. This includes assurances for how well an organization is meeting the objectives specified by the NIST Cybersecurity Framework Core Subcategories, the Federal Financial Institutions Examination Council (FFIEC) Information Security Examination Handbook and the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria for Security, Confidentiality and Availability (including for SOC 2 reporting), or support for attestations of compliance with the HIPAA Security Rule. To help organizations better leverage the HITRUST CSF and the CSF Assurance Program, regardless of their primary industry, the HITRUST CSF v9 release incorporates:
"We are excited for the release of version 9 as it shows the continued evolution of the HITRUST CSF framework and program in addressing emerging information security risks. The framework continues to be critical in helping our clients and their various user organizations related to implementing an assess-once/report-many third-party assurance process, especially given that the framework is recognized as 'suitable criteria' for producing an AICPA SOC 2 report," said Scott Taylor, Partner, Deloitte & Touche LLP.

"Integration of the FFIEC information security requirements into the HITRUST CSF and CSF Assurance Program expands the framework's applicability and allows broader adoption in the financial services sector, as well as better context for those reviewing HITRUST CSF Assurance reports from third parties," said Dr. Bryan Cline, vice president, standards and analytics, HITRUST. "It's part of a concerted effort by HITRUST to evolve the HITRUST CSF into a more broadly and globally accepted framework that provides value for all types of industry."

HITRUST will be increasing its level of support for global organizational privacy programs in an interim v9.1 release of the HITRUST CSF by incorporating the European Union (EU) Regulation 2016/679, the General Data Protection Regulation (GDPR), and mapping the HITRUST CSF's privacy and security requirements to the AICPA Trust Services Criteria for Privacy. These changes will increase the applicability of the HITRUST CSF for privacy programs across multiple industries, both nationally and internationally. HITRUST anticipates v9.1 becoming available in February of 2018. HITRUST, in consultation with the HITRUST CSF Advisory Council, actively solicits input from the industry on potential changes and updates to the framework, in addition to comments on changes implemented with each new release of the HITRUST CSF.
"HITRUST continues to be a leading voice for the health care industry on effective information security efforts, and these latest developments continue its history of helping the industry keep pace with a constantly changing environment," said Kirk Nahra, Partner, Wiley Rein LLP, privacy expert and member, CSF Advisory Council.

A more detailed explanation of the updates in the v9 release can be found in the HITRUST CSF v9 Summary of Changes, which will be included as part of the complete HITRUST CSF download upon release.

Helpful Links:
For questions about the HITRUST CSF v9 updates, please feel free to contact HITRUST at [email protected].

About HITRUST

Founded in 2007, the HITRUST Alliance, a not-for-profit, was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with public and private healthcare technology, privacy and information security leaders, has championed programs instrumental in safeguarding health information and managing information risk while ensuring consumer confidence in the organizations that create, store or exchange their information. HITRUST develops, maintains and provides broad access to its common risk and compliance management and de-identification frameworks, and related assessment and assurance methodologies, as well as programs supporting cyber sharing, analysis and resilience. HITRUST also leads many efforts in advocacy, awareness and education relating to information protection. For more information, visit www.HITRUSTalliance.net.
View source version on businesswire.com: http://www.businesswire.com/news/home/20170720005379/en/