Organizations across multiple industries are preparing for the anticipated 9.3 version of the HITRUST CSF. This update will affect organizations around the world that create, store, or transmit consumer data through their information systems and exchanges. The HITRUST CSF v9.3 will be released during the fourth quarter of 2019. This blog post outlines the changes organizations should expect in the certification rules and explains how the new version may impact an organization’s operations.
Why is a New Version Being Introduced?
New legislation and standards that seek to further safeguard consumer data are constantly being introduced by different authoritative organizations, states, and countries. HITRUST aims to keep the HITRUST CSF aligned with current security and privacy legislation and standards so that organizations can remain in compliance. By introducing a new version that consolidates these standards into its framework, HITRUST relieves organizations of the worry of overlooking a regulatory requirement that may affect them. They can review the HITRUST CSF v9.3 to ensure that their information systems abide by the new laws, or they can follow the necessary opt-out procedures.
What Updates Are Included?
The HITRUST CSF v9.3 will include new requirements from the California Consumer Privacy Act 1798. This act was passed in 2018 and will take full effect on January 1, 2020. Enforcement of the act will begin on June 1, 2020. The legislation is very similar to the European Union’s General Data Protection Regulation. The HITRUST CSF v9.3 framework will compare these two laws and outline the key differences when it comes to the protection, transmission, and storage of consumer information. In addition, the updated CSF version will explain when the act applies to an organization’s operations, describe the data access requirements, and, where applicable, tell organizations how to opt out of the requirements.
Other new additions to the HITRUST CSF v9.3 from trusted organizations:
- The Insurance Data Security Act of South Carolina’s 4655 Bill
- NIST Special Publication 800-171 R2 (DFARS) from the National Institute of Standards and Technology
Existing standards were updated to their latest versions, including:
- Framework Core subcategories of v1.1 of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity
- CMS Minimum Security Requirements for High Impact Data v3.1 of the Centers for Medicare & Medicaid Services Information Security ARS
- IRS Publication 1075: Safeguards for Protecting Federal Tax Returns and Return Information, in the IRS Tax Information Security Guidelines for Federal, State and Local Agencies
- Trusted Services Criteria 2017 issued by the AICPA Assurance Services Executive Committee
- CIS CSC v7.1 from the Center for Internet Security, Inc.
- ISO 27799:2016 Health informatics – Information security management in health using ISO/IEC
Read about the current HITRUST CSF v9.2 here.
How HITRUST CSF v9.3 Impacts an Organization’s Operations
These federal, state, and international regulations are well-recognized standards agreed upon worldwide. By incorporating them into the HITRUST CSF, organizations can bring their risk management practices and policies up to date and make them operational for data protection controls. In addition, this new version brings together privacy standards as well as security standards, creating a comprehensive and flexible framework for organizations to follow. The new version adopts requirements that affect multiple industries, providing a one-stop source of regulatory requirements and best practices so that organizations can pursue higher standards in data privacy and security compliance.
With the HITRUST CSF v9.3, an organization can meet compliance standards through one validated assessment instead of a separate assessment for each new piece of legislation, standard, or framework that is introduced. Organizations can use HITRUST’s baseline of privacy and security best practices and regulatory standards to demonstrate that their information systems are in compliance and will keep consumer data private and secure.
Obtaining a HITRUST CSF v9.3 Assessment
Organizations will want to stay up to date with the newest standards and perform the right remediation to their policies, procedures, and controls. Here at I.S. Partners, we help these organizations determine which risk management standards apply to their operations, and we assist them through the self-assessment and validated assessment phases. We bring further clarity to the assessment standards and help create solutions that align and maintain risk management objectives with the HITRUST CSF.
If your organization is seeking a HITRUST CSF v9.3 Self-Assessment or Validated Assessment for your privacy and security controls and procedures, contact I.S. Partners. We can discuss when the new version will be available, and provide additional details on which regulations and standards will impact your specific information system operations. Call us today at (215) 675-1400. You can also fill out our contact form to receive a quote.