Tackling HITRUST version changes

March 19, 2018 Article 1 min read
Kyle Miller
HITRUST is changing versions again. Here's what it means for your organization — and the actions you should consider whenever HITRUST releases a new version.

HITRUST is continually updating the Common Security Framework (CSF) based on updates to currently mapped and newly added frameworks and authoritative sources. These updates can cause changes to the number and applicability of HITRUST CSF requirement statements in your currently generated assessment objects. In general, new requirement statements will not represent new controls to implement; rather, they split current requirement statements to make them more granular and concise.

What does this mean for your organization? Whether you're already certified or preparing for a validated assessment, consider the following actions whenever HITRUST releases a new version:

  1. Ask HITRUST support to back up your object. This is crucial to preserve work performed prior to refreshing your current assessment object. Once this object is backed up, you should be able to access the previous version object going forward.

  2. Refresh your assessment object, and perform a gap analysis of new and modified requirement statements. Fortunately, the MyCSF tool will identify the differences for you. Remember, as long as you don't change any scoping factors, the release isn't a major version change, and the threat landscape hasn't changed drastically, there should be few (if any) brand-new requirements to deal with.

  3. Reevaluate relevant project timelines based on the gap analysis. Preparing for a validated assessment? You have six months from the time the new version is released to the public to initiate an assessment against the previous version. Organizations getting ready for a validated assessment should review their current timeline and ensure a certified validated assessment is achievable within six months of a new version release.

    Currently certified? You'll remain certified to that version for the full two years. This means your interim assessment will be performed against the version you certified against. It's important not to refresh your assessment object between certification and interim assessment to ensure you're assessed against the correct version. However, with HITRUST's assistance, you can develop a new object based on your initial object, update to the most current version, and begin working on gaps to ensure your organization is ready for the recertification assessment. This assessment must be done to the most current version in effect at the time.

A HITRUST assessor can address your organization's unique situation. Don't be shy about asking questions to help clarify the steps your organization should take.
