Leveraging HITRUST Gap & Diagnostic Assessments to Identify Gaps between CSF Versions

On January 18, 2023, HITRUST launched the latest version of its framework, HITRUST CSF v11, which brings significant changes compared to the previous version, HITRUST CSF v9.6.

HITRUST understands the importance of keeping organizations current with the evolving threat landscape while maintaining compliance. With HITRUST CSF v11, it has redesigned the framework to make its assessment portfolio more efficient and more relevant to real-world cyber threats. The goal is to keep organizations prepared for current threats and help them identify the controls appropriate to protecting their data.

The update includes the introduction of new controls and requirements, modifications to existing ones, and updates to risk factors and scoring methodology. Additionally, HITRUST CSF v11 offers enhanced security and risk management capabilities, increased flexibility for organizations, and improved alignment with other frameworks and regulations.

Here are some of the key benefits that organizations can expect from the new HITRUST CSF v11 framework:

  1. Cyber Threat-Adaptive Assessments: The framework and its control selections are informed by threat intelligence, so assessments keep pace with the most common current attack techniques, such as phishing and ransomware.
  2. Expanded and Aligned Assessment Portfolio: The portfolio addresses a range of assurance needs, with assessment levels matched to different risk levels and compliance requirements, and offers greater assurance reliability than other assessment types.
  3. Traversable Assessment Journey: New in HITRUST CSF v11, traversable assessments let organizations reuse the work from a lower-level HITRUST assessment (for example, e1 to i1 to r2) when progressing to higher levels of assurance, through shared control environments and inheritance.
  4. Reduced Level of Effort: Controls are selected and specified so that only the most relevant ones are required, eliminating redundancy. This streamlines the HITRUST certification process, reducing the time and effort needed to obtain credentials.
  5. Expanded Authoritative Sources: HITRUST uses AI-assisted mapping to add and update authoritative sources faster and with less manual effort. v11 adds sources such as NIST SP 800-53 Rev. 5 and HICP (Health Industry Cybersecurity Practices), and refreshes the mappings for HIPAA, the NIST Cybersecurity Framework, and NIST SP 800-171.

Tips for Businesses Transitioning from HITRUST CSF v9.6 to v11

Considering the significant changes in the new HITRUST CSF v11 framework, organizations should keep the following points in mind during their transition from v9.6 to v11:

  1. Communication and Training: It is essential to communicate the changes to all employees and provide necessary training to ensure awareness of the new requirements and individual responsibilities in compliance.
  2. Update Risk Management Program: Align the risk management program with the newly outlined risk factors and scoring methodology in HITRUST CSF v11.
  3. Review Controls and Requirements: Evaluate the new controls and requirements in v11 and identify any gaps in the current compliance posture of the organization.

To facilitate a smooth transition and address any critical control gaps, it is recommended to collaborate with a trusted cybersecurity and compliance partner. A detailed HITRUST gap assessment or diagnostic assessment conducted by such a partner, like A-LIGN, can help organizations:

  • Align with industry standards and the new framework
  • Mitigate risks and vulnerabilities
  • Improve operational efficiency
  • Enhance trust and reputation with customers, stakeholders, and partners

To ensure that your business effectively addresses any critical gaps in controls, A-LIGN offers a comprehensive HITRUST gap assessment. The HITRUST gap assessment is designed for organizations that have previously undergone the HITRUST certification process. The gap assessment involves a focused evaluation of the controls that have changed between frameworks, identifying any gaps, and providing recommendations.

This gap assessment becomes crucial when the HITRUST standard changes, such as in the transition from v8 to v9 or from v9 to v11. Changes to the scoring rubric used to evaluate controls can also make a gap assessment necessary: a control that scored 100% under a less rigorous rubric may score lower under the updated rubric, indicating that additional work is needed before a validated assessment.

This process allows for targeted testing and ensures businesses remain aligned with the updated standards. The gap assessment by A-LIGN provides valuable insights, helps customers maintain compliance with the latest HITRUST standards, and offers a tailored approach based on their specific needs and resources.

A-LIGN also offers a diagnostic assessment for organizations transitioning from HITRUST CSF v9.6 to v11. A diagnostic assessment compares the controls of a previous version, such as v9.6, with those of an updated version, such as v11. The diagnostic report provides best-practice recommendations for addressing the changes between versions, based on the CSF general control library. Unlike the gap assessment described above, it does not consider the organization's specific requirement statements.

Organizations with a mature control environment and a dedicated compliance team can use the general comparison and recommendations in a diagnostic assessment to make the changes needed to complete a validated assessment against the new CSF version. Following the diagnostic assessment, your business receives a general comparison report outlining the identified gaps and recommending how to close them, enabling your organization to maintain compliance with the latest framework.

If your organization has never undergone a HITRUST assessment, a full readiness assessment is recommended. Unlike the gap and diagnostic assessments, which cover only the controls that changed between two CSF versions, a full readiness assessment reviews the scope of every control requirement.

If your business is currently navigating the changes brought about by HITRUST CSF v11 and would like to undergo a diagnostic assessment or gap assessment to identify any gaps, we encourage you to reach out to the A-LIGN team. Our experienced professionals are available to provide further information and guidance on which assessment will be most beneficial to your organization.

Contact us today to learn more about our services and how we can support you during this transition period.