Search button

Tackling HITRUST version changes

March 19, 2018 Article 1 min read
Authors:
Kyle Miller
HITRUST is changing versions again. Here's what it means for your organization — and the actions you should consider whenever HITRUST releases a new version.

Meeting in front of laptops about HITRUSTHITRUST is continually updating the Common Security Framework (CSF) based on updates to currently mapped and newly added frameworks and authoritative sources. These updates can cause changes to the number and applicability of HITRUST CSF requirement statements in your currently generated assessment objects. In general, the change in new requirement statements will not represent new controls to implement, but rather split current requirement statements to make them more granular and concise.

What does this mean for your organization? Whether you're already certified or preparing for a validated assessment, consider the following actions whenever HITRUST releases a new version:

  1. Ask HITRUST support to back up your object. This is crucial to preserve work performed prior to refreshing your current assessment object. Once this object is backed up, you should be able to access the previous version object going forward.

  2. Refresh your assessment object, and perform a gap analysis of new and modified requirement statements. Fortunately, the MyCSF tool will identify the differences for you. Remember, as long as you don't change any scoping factors, it isn't a major version change, or the threat landscape hasn't changed drastically, there should be few (if any) brand new requirements to deal with.

  3. Reevaluate relevant project timelines based on the gap analysis. Preparing for a validated assessment? You have six months from the time the new version is released to the public to initiate an assessment against the previous version. Organizations getting ready for a validated assessment should review their current timeline and ensure a certified validated assessment is achievable within six months of a new version release.

    Currently certified? You'll remain certified to that version for the full two years. This means your interim assessment will be performed against the version you certified against. It's important not to refresh your assessment object between certification and interim assessment to ensure you're assessed against the correct version. However, with HITRUST's assistance, you can develop a new object based on your initial object, update to the most current version, and begin working on gaps to ensure your organization is ready for the recertification assessment. This assessment must be done to the most current version in effect at the time.

A HITRUST assessor can address your organization's unique situation. Don't be shy about asking questions to help clarify the steps your organization should take.

Related Services:

Cybersecurity Cybersecurity Technology Consulting

Related Industries:

Healthcare Professional Services Technology Companies

Related Thinking

Cybersecurity professional talking to colleagues about Microsoft 365.
May 23, 2023

Microsoft 365 & cybersecurity: Is your environment as secure as you think?

Article 5 min read
Business professionals learning about the FDIC OIG InTREx audit report.
May 23, 2023

After the FDIC OIG InTREx audit report: Implications and next steps for banks

Article 5 min read
Business professionals sitting at a table discussing reducing benefit plan risk.
May 2, 2023

Safe and secure: Reducing benefit plan risk and fulfilling fiduciary responsibility

Webinar 1 hour watch