The HITRUST Common Security Framework, or HITRUST CSF, is a global, certifiable framework developed to aid organizations’ regulatory compliance efforts. In 2020, HITRUST CSF v9.4 introduced several updates specific to the Cybersecurity Maturity Model Certification (CMMC) for US Department of Defense contractors. In September 2021, HITRUST v9.4 was updated to v9.5. What are the most significant changes in this latest version?
HITRUST CSF v9.5’s Additions to v9.4’s Controls
Similar to the CMMC’s inclusion in the HITRUST CSF v9.4 update, v9.5 brings compliance guidance, mapping, and tools for a major regulation. Though the CSF was initially created to aid compliance with the Health Insurance Portability and Accountability Act (HIPAA), v9.5 ensures that covered entities and business associates have the risk management tools for the highest level of compliance.
The two primary areas addressed by CSF v9.5 are additions to:
- Control Reference 11(a) – The content of data breach notifications sent to affected individuals
- Control Reference 11(c) – Data breach notification timeline
The changes are intended to better assist healthcare organizations with their incident response and general HIPAA compliance efforts.
Level HIPAA Implementation in HITRUST CSF 9.4 and 9.5
The HITRUST CSF creates a single source for implementing and maintaining the processes and controls necessary for regulatory compliance across numerous frameworks. CSF certifications are based upon numbered levels, indicating complexity and risk, and levels dedicated to compliance frameworks (e.g., “Level HIPAA”).
HITRUST v9.5 provides new certification requirements pertaining to HIPAA compliance under Control Category 11.0: Information Security Incident Management.
Benefits of HITRUST CSF Certification
The HITRUST CSF benefits organizations subject to HIPAA compliance because the regulation doesn’t specify many explicit technical implementations. While this is intended to provide flexibility across all operation complexities and sizes, it complicates compliance due to the lack of guidance and specifications.
HIPAA’s regulatory requirements focus much more on outcomes rather than the exact technical, administrative, and physical safeguards necessary for achieving them.
Working towards achieving certification for HITRUST’s Level HIPAA provides a simplified guide for compliance.
HITRUST CSF (11a)—Reporting Information Security Events
Control Reference 11a, Reporting Information Security Events, relates to formalizing response and reporting procedures following any information security event. The Level HIPAA-specific additions made to 11a in v9.5 pertain to the regulation’s Breach Notification Rule.
HIPAA Breach Notification Rule
HIPAA requires covered entities and business associates to provide notification of any unauthorized use or disclosure of protected health information (PHI)—specifically when security and privacy have been compromised in a manner that violates the Privacy Rule.
The types of notifications include:
- Individual Notice – Provided by the covered entity to all parties impacted, and by mail (unless the individual has given consent to receive notices electronically via email). When a covered entity has outdated contact information for ten or more impacted parties, it must post a notification on its website and provide a toll-free number for 90 days. As a last resort, covered entities must provide print and broadcast media notices in the local area for affected patients. All individual notifications must include:
  - A description of the breach and the information compromised (e.g., names, SSN)
  - A description of measures taken by the covered entity (e.g., mitigation, recovery)
  - A list of actions impacted parties may take to protect themselves, and how to take them
- HHS Secretary Notice – Provided by the covered entity to the US Department of Health and Human Services (HHS) using the breach reporting form.
  - When 500 or more individuals are impacted by a breach, notice must be delivered no later than 60 days after breach discovery.
  - For breaches impacting fewer than 500 individuals, covered entities must report to HHS on an annual basis, no later than 60 days after the end of the calendar year.
- Media Notice – Provided by the covered entity to a local and regional media outlet serving the region in which 500 or more individuals have been impacted by a breach. Notice must be delivered no later than 60 days after breach discovery.
- Business Associate Notice – Delivered by a business associate to the covered entities with whom it works, no later than 60 days after discovery.
This regulation is thorough when it comes to notifying the various stakeholders impacted by a PHI breach.
Relevant Additions in HITRUST CSF v9.5 (11a)
The additions for 11a within HITRUST CSF v9.5 require HIPAA-subject organizations to use “plain language” when notifying individuals affected by a data breach.
As a basic guideline, notifications should be free of legalese, jargon, and technical terms.
Instead, language should clearly convey the impact to individuals and the immediate actions to take for their protection. Simplified, easy-to-understand phrasings you may wish to use include:
- “Your personal information may have been stolen or accessed by unauthorized individuals.”
- “Please check your credit card and banking activity for the next 30 to 60 days.”
HITRUST CSF (11c) – Responsibilities and Procedures
In HITRUST v9.4.2 (Dec 2020), Control Reference 11(c) did not include any Level HIPAA specifications, despite its inclusion of various other framework-based Levels (CIS, CMMC, CMS, etc.). However, they are included in v9.5’s 11(c) Responsibilities and Procedures.
As previously mentioned, HHS requires notifications to be made within 60 days of the discovery of a breach. Because this timeline hinges on “discovery,” that term must be defined; doing so is the substance of the latest CSF additions to Control Reference 11(c).
HITRUST CSF v9.5 (11c) – Timeline Specification
HITRUST CSF v9.5 establishes incident discovery as, explicitly, “the first day in which the security event is or would have been known by the organization through exercising reasonable due diligence.”
Note that, given the Breach Notification Rule’s reporting requirements, the Level HIPAA specifications for Control Reference 11(c) effectively pertain to data breaches affecting 500 or more individuals. Therefore, if a data breach affects fewer than 500 individuals, the date of discovery is only pertinent to establishing the year of occurrence.
MyCSF Improvements for HIPAA Compliance
Risk management and compliance are top priorities for any organization handling healthcare data due to the high costs of potential fines and penalties. Given HIPAA’s fairly open definition of what constitutes a data breach (i.e., improper use or disclosure of PHI), compliance requires an ongoing, assessed approach.
October 2021 saw 49 data breaches alone—a rate of over one and a half per day.
To that end, HITRUST offers a SaaS platform that healthcare entities and HIPAA-subject organizations can use to conduct self-assessment.
Compliance and Reporting Pack for HIPAA
MyCSF is designed to collect your organization’s HITRUST CSF data and compile reports. The self-assessments that MyCSF enables demonstrate how your policies align with the regulation or standard governing your industry and where they do not (i.e., compliance gaps).
In August 2021, HITRUST introduced the MyCSF Compliance and Reporting Pack for HIPAA, coinciding with the HITRUST v9.4 update to v9.5 one month later. This addition for MyCSF further aids in mapping applicable HIPAA compliance requirements to HITRUST’s framework. Organizations can now generate reports to check their compliance status and compile evidence for audits conducted by HHS’ Office for Civil Rights.
Self-assessment is the lowest level of CSF accreditation an organization can achieve. For many organizations, the benefit of a MyCSF-facilitated self-assessment is identifying compliance gaps between their third-party assessments.
Third-Party Assessment and Certification
Despite the advantages MyCSF offers organizations regarding self-assessment, HITRUST certification requires third-party involvement—the extent of which depends on your security team’s knowledge and capabilities.
While MyCSF assessments can help provide compliance roadmaps and inform ongoing efforts, technical implementations may require expert development, configuration, or advisory.
Further, achieving a CSF Validated or Certified Report—the certified levels of accreditation—requires a HITRUST-authorized assessor.
Closing HITRUST CSF Gaps to Maintain Certification and Compliance
The most significant changes in HITRUST CSF v9.5 are updates to information security event reporting and incident response procedures for HIPAA compliance. These additions comprise policy language and execution guidance regarding data breach notifications, helping organizations maintain regulatory compliance.
As an authorized HITRUST assessor, RSI Security provides implementation, self-assessment, and complete CSF Certification assessment.
To review any compliance gaps and update your HITRUST CSF v9.4 certification, contact RSI Security today!