HITRUST CSF V10: What Does It Mean for Me?

One of the features of HITRUST is that the HITRUST CSF (Common Security Framework) is updated at least annually to reflect changes in the cybersecurity risk environment. These updates can range from minor changes to the framework to extensive overhauls. For several years HITRUST has indicated that the next major revision would be reflected in V10 of the HITRUST CSF. The HITRUST Alliance recently updated their frequently asked questions to indicate that they will be releasing V10 of the MyCSF framework early in the 2nd quarter of 2021.

What Do You Expect from V10?

While the actual release has not yet been published, there are several things that CompliancePoint expects to see in this release based on information provided by HITRUST. HITRUST is adjusting the CSF to make the framework more agnostic and less healthcare specific with this release as they move to increase the reliance upon HITRUST certification beyond the healthcare industry. As a result, we expect V10 to move towards a general security framework with optional regulatory factors for specific industries, such as HIPAA and HITECH for healthcare.

HITRUST CSF V10 is also expected to increase the required control references from 75 to 135. With the current required control references, most organizations have been 250 to 550 controls. CompliancePoint expects that increasing the required control references by 80% will result in a dramatic increase in the applicable controls for each organization. As a point of reference, the last time HITRUST increased the control references from 62 to 75; organizations experience a 30% to 40% increase in required controls.     

Will We Have to Assess Against V10?

HITRUST has traditionally had a 6-month implementation period where organizations currently in the assessment process could complete the assessment using the current version of MyCSF without being required to move to the new release. Considering the extensive changes expected with V10 it is possible that HITRUST might extend the grace period, but there is no formal evidence indicating they will do so. Organizations with upcoming assessments may want to consider looking at their timing to determine if it will result in their assessment being subject to 9.4 or 10.   

How Do We Get Ready for V10? 

If you are already certified, you know the HITRUST certification process is an ongoing process.  

Once you have achieved certification, it is vital to keep it.  Managing your certification includes monitoring for HITRUST updates and performing ongoing evaluations to make sure you can meet the new requirements. CompliancePoint’s HITRUST Management Services can help you be ready for updates to the CSF framework.

If you are considering HITRUST, CompliancePoint can work with you to help you determine how to start and manage your HITRUST assessment process, including helping you define the timing for your assessment and prepare for the HITRUST requirements.  

CompliancePoint’s experienced assessors can work with your organization to guide you through the HITRUST assessment process by helping you identify your required controls, implement the controls, and help you with the required documentation, including the development of required policies and procedures. For any questions regarding our services, please feel free to reach out to us at 855-670-8780 or connect@compliancepoint.com.