Article

Upcoming HITRUST CSF Version 9 release: Understanding the impact

June 26, 2017

HITRUST has announced that the next major update to the existing HITRUST CSF is scheduled for July 2017.

Organizations that have already self-evaluated against the current version 8.1, or those now beginning planning activities, should be aware of:

How the version 9 release may impact their HITRUST certification efforts to date, and
What considerations, decision points and required actions to incorporate over the next several months.

“Version control” – Determine which version to certify against

Organizations wishing to certify against version 8.1 must create their Validated Assessment object prior to the version 9 release.

HITRUST timeline

To determine whether to certify against the current version 8 or the upcoming version 9, consider:

Certification deadlines: those with 2017 certification commitments may not have enough time to familiarize themselves with and meet the version 9 requirements
Current progress: those already heavily into their certification preparation activities may choose to manage their remaining timeline so they can still certify against version 8; those just beginning planning may want to wait and begin with version 9

Version 9 – What to expect

While the specific control requirement impact to an organization won’t be known until the July release, HITRUST has communicated the types of changes to be incorporated:

New: Alignment with the second release of the Office for Civil Rights’ Audit Protocol and FedRAMP requirements related to cloud services
Enhancements: More specific guidance related to Infrastructure as a Service (IaaS) and the control responsibilities for providers and customers

Related sections

Article Tags

hitrust cybersecurity healthcare insurance