The HITRUST Common Security Framework (CSF) has continued to progress since its inception. The HITRUST CSF maps the information-security-related standards, regulations, and frameworks organizations must comply with, including HIPAA, PCI, NIST 800-53, ISO 27001, COBIT, and many others, enabling an “audit once, report many” approach to compliance initiatives.
While the HITRUST CSF is prescriptive, it allows flexibility for different industries and organizational maturity. The framework reflects industry needs and leaves no stone unturned when it comes to new developments. So, it should come as no surprise that, as the information security landscape evolves, so does the framework itself.
While HITRUST was initially developed to protect ePHI/PHI within the healthcare industry, the CSF continues to expand with an evolving mission to “champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.”
With the release of HITRUST CSF 9.1, the framework incorporates requirements from the financial sector and regulations soon to be enforced in the EU: specifically, the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) and the EU General Data Protection Regulation (GDPR).
If you’re unfamiliar with the New York State Cybersecurity Requirements for Financial Services Companies, here’s what you need to know. The 23 NYCRR 500 was introduced in response to “the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors.” The regulation gives companies some leniency in how they apply information security controls, but “requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.”
HITRUST CSF 9.1 also incorporates relevant requirements from the GDPR—a personal data regulation based on “more than four years of deliberation” set to go into effect May 25, 2018.
While the GDPR has its roots in the EU, it affects any US company that conducts business in the EU, targets EU customers, or monitors the behavior of individuals within the EU. The inclusion of the regulation is extremely helpful for any affected US-based companies, as violations can lead to strong penalties. The introduction of HITRUST CSF 9.1 exemplifies HITRUST’s commitment to developing a security framework that is flexible enough for any industry but prescriptive enough to provide clear direction.
A common struggle with implementing HITRUST within an organization is that it is so robust it can seem impossible to follow—but not if you have the right help. LBMC Information Security is part of a select group of HITRUST CSF assessors who can not only assess your organization against the framework but also provide the guidance needed to prepare you for certification. Companies should remember that many of the regulatory factors, even if applicable to their organization, do not all have to be tackled during the first validated assessment. Starting with a baseline assessment is allowed, which gives companies the flexibility to tackle HITRUST piece by piece as it applies to their organization.