Home Compliance StandardsHITRUST Changes Between HITRUST CSF v9.4 and v9.5
HITRUST

Changes Between HITRUST CSF v9.4 and v9.5

by RSI Security
written by RSI Security
computer

The HITRUST Common Security Framework, or HITRUST CSF, is a global, certifiable framework developed to aid organizations’ regulatory compliance efforts. In 2020, HITRUST CSF v9. 4 introduced several updates specific to the Cybersecurity Maturity Model Certification (CMMC) for US Department of Defense contractors. In September 2021, HITRUST v9. 4 was updated to v9. 5. What are the most significant changes in this latest version?

 

HITRUST CSF v9.5’s Additions to v9.4’s Controls

Similar to the CMMC’s inclusion in the HITRUST CSF v9. 4 update, v9.5 brings compliance guidance, mapping, and tools for a major regulation. Though the CSF was initially created to aid compliance with the Health Insurance Portability and Accountability Act (HIPAA), v9.5 ensures that covered entities and business associates have the risk management tools for the highest level of compliance.

The two primary areas addressed by CSF v9.5 are additions to:

  • Control Reference 11(a) – The content of data breach notifications sent to affected individuals
  • Control Reference 11(c) – Data breach notification timeline

The changes are intended to better assist healthcare organizations with their incident response and general HIPAA compliance efforts.

 

Request a Free Consultation

 

Level HIPAA Implementation in HITRUST CSF 9.4 and 9.5

The HITRUST CSF creates a single source for implementing and maintaining the processes and controls necessary for regulatory compliance across numerous frameworks. CSF certifications are based upon numbered levels, indicating complexity and risk, and levels dedicated to compliance frameworks (e.g., “Level HIPAA”).

HITRUST v9.5 provides new certification requirements pertaining to HIPAA compliance under Control Category 11.0: Information Security Incident Management.

 Security

Benefits of HITRUST CSF Certification

The HITRUST CSF benefits organizations subject to HIPAA compliance because the regulation doesn’t specify many explicit technical implementations. While this is intended to provide flexibility across all operation complexities and sizes, it complicates compliance due to the lack of guidance and specifications.

HIPAA’s regulatory requirements focus much more on outcomes rather than the exact technical, administrative, and physical safeguards necessary for achieving them.

Working towards achieving certification for HITRUST’s Level HIPAA provides a simplified guide for compliance.

 

HITRUST CSF (11a)—Reporting Information Security Events

Control Reference 11a, Reporting Information Security Events, relates to formalizing response and reporting procedures following any information security event. The Level HIPAA-specific additions made to 11a in v9.5 pertain to the regulation’s Breach Notification Rule.

 

HIPAA Breach Notification Rule

HIPAA requires covered entities and business associates to provide notification of any unauthorized use or disclosure of protected health information (PHI)—specifically when security and privacy have been compromised in a manner that violates the Privacy Rule.

The types of notifications include:

  • Individual NoticeProvided by the covered entity to all parties impacted, and by mail (unless the individual has given consent to receive notices electronically via email). When a covered entity has outdated information for ten or more impacted parties, it must post a notification on its website and provide a toll-free number for 90 days. As a last resort, covered entities must provide print and media broadcasts in the local area for affected patients. All individual notifications must include:
    • A description of the breach and information compromised (e.g., names, SSN)
    • A description of measures taken by the covered entity (e.g., mitigation, recovery)
    • A list of actions impacted parties may take to protect themselves and how
  • HHS Secretary Notice – Provided by the covered entity to the US Department of Health and Human Services (HHS) using the breach reporting form.
    • When 500 or more individuals are impacted by a breach, notice must be delivered no later than 60 days after breach discovery.
    • For breaches impacting less than 500 individuals, covered entities must report to HHS on an annual basis, no later than 60 days after the end of the calendar year.
  • Media Notice – Provided by the covered entity to a local and regional media outlet that serves a given region in which 500 or more individuals have been impacted by a breach. Notice must be delivered no later than 60 days after breach discovery.
  • Business Associate Notice – Delivered by a business associate to covered entities with whom they work, no later than 60 days after discovery. 

This regulation is thorough when it comes to notifying the various stakeholders impacted by a PHI breach.

 laptop

Relevant Additions in HITRUST CSF v9.5 (11a)

The additions for 11a within HITRUST CSF v9.5 require HIPAA-subject organizations to use “plain language” when notifying individuals affected by a data breach.

As a basic guideline, notifications should be free of legalese, jargon, and technical terms. 

Instead, language should clearly convey the impact to individuals and the immediate actions to take for their protection. Simplified, easy-to-understand phrasings you may wish to use include:

  • “Your personal information may have been stolen or accessed by unauthorized individuals.”
  • “Please check your credit card and banking activity for the next 30 to 60 days.”

  

HITRUST CSF (11c) – Responsibilities and Procedures

In HITRUST v9.4.2 (Dec 2020), Control Reference 11(c) did not include any Level HIPAA specifications, despite its inclusion of various other framework-based Levels (CIS, CMMC, CMS, etc.). However, they are included in v9.5’s 11(c) Responsibilities and Procedures.

As previously mentioned, HHS requires notifications to be made within 60 days of the discovery of a breach. This timeline’s contingency on “discovery” requires establishing its definition, which constitutes the latest CSF additions made to Control Reference 11(c).

 

HITRUST CSF v9.5 (11c) – Timeline Specification

HITRUST CSF v9.5 establishes incident discovery as, explicitly, “the first day in which the security event is or would have been known by the organization through exercising reasonable due diligence.” 

Note that, given the Breach Notification Rule’s reporting requirements, Level HIPAA specifications for Control Reference 11C effectively pertain to data breaches affecting 500 or more individuals. Therefore, if a data breach affects fewer than 500 individuals, the date of discovery is only pertinent to establishing the year of occurrence.

 

MyCSF Improvements for HIPAA Compliance

Risk management and compliance are top priorities for any organization handling healthcare data due to the high costs of potential fines and penalties. Given HIPAA’s fairly open definition of what constitutes a data breach (i.e., improper use or disclosure of PHI), compliance requires an ongoing, assessed approach.

October 2021 saw 49 data breaches alone—a rate of over one and a half per day.

To that end, HITRUST offers a SaaS platform that healthcare entities and HIPAA-subject organizations can use to conduct self-assessment. 

 

Compliance and Reporting Pack for HIPAA

MyCSF is designed to collect your organization’s HITRUST CSF data and compile reports. The self-assessments that MyCSF enables demonstrate how your policies align with the regulation or standard governing your industry (i.e., compliance gaps).

In August 2021, HITRUST introduced the MyCSF Compliance and Reporting Pack for HIPAA, coinciding with the HITRUST v9.4 update to v9.5 one month later. This addition for MyCSF further aids in mapping applicable HIPAA compliance requirements to HITRUST’s framework. Organizations can now generate reports to check their compliance status and compile evidence for audits conducted by HHS’ Office for Civil Rights.

Self-assessment comprises the lowest CSF accreditation organizations can achieve. For many organizations, the benefit of a MyCSF-facilitated self-assessment is determining any compliance gaps between their third-party assessments.

 

Third-Party Assessment and Certification

Despite the advantages MyCSF offers organizations regarding self-assessment, HITRUST certification requires third-party involvement—the extent of which depends on your security team’s knowledge and capabilities.

While MyCSF assessments can help provide compliance roadmaps and inform ongoing efforts, technical implementations may require expert development, configuration, or advisory.

Further, achieving a CSF Validated or Certified Report—the certified levels of accreditation—requires a HITRUST-authorized assessor.

 

Closing HITRUST CSF Gaps to Maintain Certification and Compliance

The most significant changes to HITRUST CSF were updates to information security events reporting and procedures for HIPAA compliance in HITRUST CSF v9.5. These important additions comprise policy language and execution guidance regarding data breach notifications to maintain regulatory compliance.

As an authorized HITRUST assessor, RSI Security provides implementation, self-assessment, and complete CSF Certification assessment. 

To review any compliance gaps and update your HITRUST CSF v9. 4 certification, contact RSI Security today!

 

Speak with a HITRUST expert today – Schedule a Free Consultation

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

When Will HITRUST CSF V10 Be Released?

October 25, 2022

HITRUST: Beyond Healthcare Compliance Management Software

June 22, 2022

Should My Company Become A HITRUST Assessor?

December 30, 2019

HITRUST Scoring Guide: What is it and How...

August 30, 2019

What is the HITRUST Threat Catalogue?

November 17, 2021

What’s the Difference Between HITRUST and NIST?

November 10, 2020

What is HITRUST and How Does it Protect...

July 1, 2019

The Difference Between Business Continuity and Disaster Recovery

September 7, 2021

Improving Critical Infrastructure Cybersecurity: NIST CSF vs. HITRUST...

December 18, 2022

HITRUST Bridge Assessment for Healthcare IT Security

April 9, 2021

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More