New HITRUST CSF v9.1 aims to meet GDPR, New York State cybersecurity regulations

HITRUST recently released version 9.1 of the HITRUST CSF that incorporates both the EU General Data Protection Regulation (GDPR) and New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). With this expanded version, HITRUST continues to build on its initiative to make the HITRUST CSF – a widely used information privacy and security framework – more open and comprehensive so that it can be applied more effectively across global industries.

Further, HITRUST is working with EU Data Protection Authorities to pursue accreditation as an approved certification body for GDPR. This approach is intended to allow organizations to perform one assessment that covers multiple regulations, frameworks and standards, such as HIPAA, GDPR and the NIST Cybersecurity Framework.

Developed in collaboration with information security professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security framework. As the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements.

By continuing to improve and update the framework, HITRUST has made the CSF the most widely adopted security framework in the U.S. healthcare industry. This ongoing maintenance is what allows organizations leveraging the framework to be prepared when new regulations and security risks are introduced.

Fundamental to HITRUST’s mission is the availability of the HITRUST CSF that provides the needed structure, clarity, functionality and cross-references to authoritative sources.

The initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI and HIPAA to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.

Incorporation of GDPR is a key step towards the internationalization of the HITRUST CSF and increased support for global organizational privacy programs. The updated framework now maps the GDPR requirements (consisting of 99 Articles and 173 Recitals), allowing organizations to easily manage and report on the controls intended to address GDPR in order to lower the overall complexity, level of effort and cost of compliance.

With the enforcement date of May 25, 2018 approaching, GDPR affects organizations outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. The personal data it covers ranges from names, addresses and telephone numbers to credit card information, social media posts and health information, which has important implications for a vast number of businesses in the United States.

“GDPR signals a move towards a more international standard for information privacy. With this new version, we have modified the HITRUST CSF controls to meet the requirements for a comprehensive assessment of GDPR risk posture. This is critical given that GDPR is one of the key compliance issues currently facing privacy officers worldwide,” said Anne Kimbol, Associate General Counsel and Chief Privacy Officer, HITRUST.

“GDPR takes several leaps forward from where the US regulations are today and provides organizations with an opportunity to manage privacy and risk in a meaningful way,” said Kirk Nahra, partner, Washington DC-based Wiley Rein and member, CSF Advisory Council. “With the inclusion of GDPR in the next release of the HITRUST CSF, organizations can begin to obtain a holistic view of their compliance posture; bringing them that much closer to meeting the major regulations they face, regardless of the industry in which they operate.”

In another important step toward increased support for organizational privacy programs, v9.1 of the HITRUST CSF incorporates the New York State Cybersecurity Requirements for Financial Services Companies, now enabling the financial industry to leverage the framework to increase the protection of personal information – a concern addressed by the state after several high-profile breaches.

This state requirement not only affects financial institutions but also healthcare organizations such as health insurers and their business associates, including those outside of New York.

With the growing threat to the security and privacy of all organizations, many industries are turning to the HITRUST CSF, which is already broadly adopted within the healthcare and public health (HPH) sector. This cross-industry adoption is further validated by two new reports: the NIST Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT) recognizes the HITRUST CSF as an industry-led security standard that addresses multiple areas of concern; and the Government Accountability Office (GAO) Report to Congressional Committees on Critical Infrastructure Protection cites the HITRUST CSF as a means of demonstrating compliance with the NIST Framework for Improving Critical Infrastructure Cybersecurity in the HPH sector.

HITRUST CSF v9.1 and updates to the CSF Assurance program stay true to HITRUST’s commitment to address security and privacy risk management, streamline the assessment process, and extend the “assess once, report many” approach. HITRUST, in consultation with the HITRUST CSF Advisory Council, regularly updates the CSF to respond to relevant and timely information security and privacy issues.

“HITRUST continues to agnosticize the CSF to support multiple industries and expand its use abroad,” said Bryan Cline, vice president, Standards & Analysis, HITRUST. “This latest release demonstrates our commitment to ensure the HITRUST CSF stays relevant to the information risk management, data protection, and regulatory compliance needs of domestic and global organizations through incorporation of new standards and regulations.”
