HITRUST CSF v9.6 Enhances the Controls and Streamlines Audit Process

Learn how HITRUST v9.6 enhances the controls, such as NIST 800-53 and CMMC, while helping assessors more easily identify the controls that need tested. A-LIGN’s Healthcare and Financial Services Knowledge Leader, Blaise Wabo, explains why you should select v9.6 when pursuing a HITRUST certification.

Since 2007, the HITRUST CSF has been recognized as a well-rounded and certifiable security framework for organizations of all sizes and industries. With the new CSF v9.6 update, HITRUST continues to demonstrate its value for any organization by enhancing several areas of the controls and MyCSF portal so assessors can more easily identify what controls need to be tested and can locate the most updated frameworks.

Let’s look closer at what HITRUST v9.6 includes and what enhancements were made to the CSF and MyCSF portal.

Going Back to the Beginning

The HIPAA Safe Harbor Bill, signed into law on January 5, 2021, by former President Trump, changed the cybersecurity industry in a big way. If your organization processes Electronic Protected Health Information (ePHI), or Personally Identifiable Information (PII), you could be the target of a cybersecurity breach and therefore, an OCR audit. If this situation occurs, the HIPAA Safe Harbor Bill covers you and acts as a layer of security for your organization if you have a cybersecurity program in place.

HITRUST CSF is one of the most reliable ways to demonstrate HIPAA compliance. For this reason, the HITRUST CSF is often utilized, and sometimes required, by organizations in the healthcare industry.

What is the HITRUST CSF?

The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001NIST 800-171HIPAAPCI DSSGDPR, and more into one comprehensive system, the HITRUST CSF streamlines the audit process by assessing once and reporting against many framework requirements. Because of this benefit, and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.

What enhancements were made to HITRUST CSF v9.6?

According to the HITRUST advisory, three enhancements were made in v9.6 to the CSF controls, all of which help to update the framework with the newest compliance standards.

  1. Even though HITRUST is based on the NIST 800-53 framework, it has never been an assessment option to select as a regulatory factor. By adding NIST 800-53 revision 4 as a selectable compliance factor, HITRUST is updating the mapping.

HITRUST is also changing language and further defining the illustrative procedures to provide guidance to the assessment firm on how to test against the updated requirement statements. Note that if an organization selects the i1 assessment, they would have to use the latest version of the CSF i.e. v9.6.

2. With the release of HITRUST i1, a scoping exercise to determine controls is no longer needed. All organizations evaluated against the i1 standards, will be measured on the same static control list.

3. HITRUST also made minor updates throughout the controls and standards to correct grammar, modify wording and correct mapping issues.

What enhancements were made to the MyCSF portal?

An additional three enhancements were made in v9.6 to the MyCSF portal, all of which aim to further streamline the assessment process for auditors.

1. CMMC Compliance Factor

With the CMMC certification still coming to fruition, the standard path and control verbiage will be evolving. Every time CMMC makes an update to the standard, HITRUST will highlight the outdated versions with an orange flag to show the line item is no longer valid. Only the most recent version of CMMC will not have the flag.

2. Illustrative Procedure Enhancements

In the past, the ‘Illustrative Procedure for Policy’ description has been in a long, paragraph format. HITRUST has shortened the format to a more concise numbered list, making the information easier to understand by assessors. HITRUST has also broken ‘Illustrated Procedure for Implemented’ into a numbered list and added guidance to the assessor firm on how to score the control. For example, if three items fall under a section, each would be assigned a weighted value of 33.33% for coverage. If all items were met, the assessor would score the client 100% in this control.

3. Sampling Badge

The requirement view within MyCSF now contains a badge for items that require the assessor to select a sample of items to test. The assessor will no longer need to read a long paragraph to learn if the sample testing is required, but rather have a visual indicator to quickly understand what testing is needed.

The A-LIGN Difference

We encourage all covered entities and business associates pursuing a HITRUST CSF assessment to select HITRUST v9.6 if they would like to add NIST 800-53 as a regulatory factor, or if they would like to perform a HITRUST i1 Assessment vs. an r2 Assessment. A-LIGN’s experience and commitment to quality has helped more than 300 clients successfully achieve HITRUST certification. Our diligent audit process helps you prepare for the HITRUST assessment, and our team of HITRUST experts is here to answer any questions you might have through every step of the assessment.

Learn More

Ready to learn more about how A-LIGN can assist you with any of your cybersecurity and compliance needs? Complete the contact form and our team will reach out within 24 hours.