Article
Upcoming HITRUST CSF Version 9 release: Understanding the impact
Jun 26, 2017 · Authored by
HITRUST has announced that the next major update to the existing HITRUST CSF is scheduled for July 2017.
Organizations that have already self-evaluated against the current version 8.1, or those now beginning planning activities, should be aware of:
- How the version 9 release may impact their HITRUST certification efforts to date, and
- What considerations, decision points and required actions to incorporate over the next several months.
“Version control” – Determine which version to certify against
Organizations wishing to certify against version 8.1 must create their Validated Assessment object prior to the version 9 release.
To determine whether to certify against the current version 8 or the upcoming version 9, consider:
- Certification deadlines: those with 2017 certification commitments may not have enough time to familiarize themselves with and meet the version 9 requirements
- Current progress: those already heavily into their certification preparation activities may choose to manage their remaining timeline so they can still certify against version 8; those just beginning planning may want to wait and begin with version 9
Version 9 – What to expect
While the specific control requirement impact to an organization won’t be known until the July release, HITRUST has communicated the types of changes to be incorporated:
- New: Alignment with the second release of the Office for Civil Rights’ Audit Protocol and FedRAMP requirements related to cloud services
- Enhancements: More specific guidance related to Infrastructure as a Service (IaaS) and the control responsibilities for providers and customers
In addition, as with the last major update from version 7 to version 8, additional control requirements within the HITRUST CSF are expected to now become required for organizations seeking certification. The number of controls required for certification is expected to increase from the current 66 to approximately 75.
For assistance with understanding how the version 9 update may impact your organization’s HITRUST assessment scope or certification timelines, please contact our HITRUST specialists.