HITRUST Updates October 2023

HITRUST updates the CSF, its control framework, at least annually to help ensure the CSF addresses current cybersecurity risks. On October 10, 2023, HITRUST announced the latest version v11.2. which includes requirement statement consolidation to help reduce overlap within the CSF and updating the related authoritative sources for the controls.

Additionally as part of the update of the CSF HITRUST has announced the retirement of all versions of the CSF prior to 11.1 for the r2 (Risk-based, 2-year Validated Assessment) and 11.2 for the e1 (Essentials, 1-year Validated Assessment ) and i1 (Implemented, 1 year  assessment). The retirement dates are outlined below:

Assessment TypeVersions RetiredLast day to create an assessment under retiring versionsLast day to submit an assessment under retiring version
r29.5 through 9.6.26/30/244/30/25
r2 and i1 11.110/10/23TBD

HITRUST has previously announced the retirement of all versions of my CSF prior to versions 9.5 with a final submission date for all existing assessments under prior versions of December 31, 2024.

If you are currently in the process of doing an assessment to HITRUST, CompliancePoint would recommend continuing with your current version. However, if you are just beginning your HITRUST journey or have an assessment that will be due for renewal after the dates above we recommend working with your assessor to ensure that you have considered the impact of the changes in the CSF as the v11 framework has significant changes from prior versions.  

CompliancePoint has an experienced team of healthcare and cybersecurity professionals that can help with your HITRUST certification. Contact us at connect@compliancepoint.com to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.