Upcoming HITRUST CSF Version 9 release: Understanding the impact

HITRUST has announced that the next major update to the existing HITRUST CSF is scheduled for July 2017.  

Organizations that have already self-evaluated against the current version 8.1, or those now beginning planning activities, should be aware of:

  • How the version 9 release may impact their HITRUST certification efforts to date, and
  • What considerations, decision points and required actions to incorporate over the next several months.

“Version control” – Determine which version to certify against

Organizations wishing to certify against version 8.1 must create their Validated Assessment object prior to the version 9 release.  

To determine whether to certify against the current version 8 or the upcoming version 9, consider:

  • Certification deadlines: those with 2017 certification commitments may not have enough time to familiarize themselves with and meet the version 9 requirements
  • Current progress:  those already heavily into their certification preparation activities may choose to manage their remaining timeline so they can still certify against version 8; those just beginning planning may want to wait and begin with version 9

Version 9 – What to expect

While the specific control requirement impact to an organization won’t be known until the July release, HITRUST has communicated the types of changes to be incorporated:

  • New: Alignment with the second release of the Office for Civil Rights’ Audit Protocol and FedRAMP requirements related to cloud services
  • Enhancements: More specific guidance related to Infrastructure as a Service (IaaS) and the control responsibilities for providers and customers

In addition, as with the last major update from version 7 to version 8, additional control requirements within the HITRUST CSF are expected to now become required for organizations seeking certification. The number of controls required for certification is expected to increase from the current 66 to approximately75. 

For more information about the anticipated updates to be included in version 9, please see: https://hitrustalliance.net/csf-v9-preview/

For assistance with understanding how the version 9 update may impact your organization’s HITRUST assessment scope or certification timelines, please contact our HITRUST specialists.