If you’re familiar with the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), then you’re likely aware that HITRUST revises the CSF requirements twice annually to account for new regulations, technologies, and business models affecting the security of Protected Health Information (PHI). This enables the HITRUST CSF to evolve in step with the changing cyber risk landscape. HITRUST CSF version 9 is currently in effect, but HITRUST will release version 9.1 later this month. Version 9.1 will introduce new requirements based on two regulations: the New York Codes, Rules, and Regulations (NYCRR) Section 500, and the European Union (EU) General Data Protection Regulation (GDPR). It will enable organizations to extend their compliance posture to these regulations, should they apply.
NYCRR Section 500 establishes comprehensive cybersecurity requirements for the New York Financial Services industry. It took effect on March 1, 2017 in the wake of several high-profile data breaches in the state. Beginning February 15, 2018, covered organizations must submit an annual Certificate of Compliance to the Financial Services Superintendent attesting that they have implemented, managed, and assessed an effective cybersecurity program. HITRUST CSF version 9.0 already covers much of NYCRR Section 500 implicitly through existing requirements, but version 9.1 introduces new requirements that explicitly address Certificate of Compliance submission, multiyear audit log and system backup retention, and breach notification to the Superintendent. While NYCRR Section 500 arose from cybersecurity concerns in Financial Services, its definition of non-public information includes health information such as PHI. Thus, the regulation's data protection requirements extend to healthcare transactions handled by covered entities.
GDPR is groundbreaking data protection and privacy legislation developed over several years by the 28 member states of the European Union. Its purpose is to standardize and supervise the use of EU personal data (including health data) by data controllers and processors (i.e., organizations that respectively determine the purposes and means of processing personal data, and organizations that process it on a controller's behalf). GDPR also introduces a schedule of substantial fines for data protection violations (up to four percent of annual global revenue). HITRUST CSF version 9.1 introduces a series of GDPR-specific requirements relating to transmission security of data flows, third-party security requirements for controllers and processors, breach notification to supervisory authorities and to data subjects (i.e., the individuals the data concerns), breach documentation and remediation, data protection impact assessment (DPIA), and Data Protection Officer (DPO) appointment. Version 9.1 also observes the GDPR requirement that non-EU organizations handling EU personal data designate a representative in the EU, reflecting that GDPR's reach extends beyond EU borders.
HITRUST CSF version 9.1 will be officially released in February 2018. Organizations currently certifying under version 9.0 will have a six-month grace period to transition (provided they have purchased and scoped a version 9.0 assessment object before the release date). If already certified under version 9.0, organizations need not undertake version 9.1 until their next full assessment cycle.
Coalfire recommends that organizations determine whether NYCRR Section 500 and/or GDPR apply to their operations and systems, then scope their assessment objects accordingly. Organizations should also acquaint themselves with the regulations themselves (see www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf and https://www.eugdpr.org/the-regulation.html). Coalfire can assist organizations in understanding the requirements and undertaking a version 9.1 assessment.