The HITRUST TPA Summit brought together experts representing customers, vendors, and assessor firms in various aspects of risk management to share best practices, lessons learned and effective third-party risk management strategies leveraging the HITRUST CSF Assurance Program and HITRUST Assessment Exchange. Coalfire sent a team of healthcare experts to the Chicago event to meet with our HITRUST clients and folks from organizations who are thinking about a HITRUST journey. We were also there to find out what’s next for the HITRUST CSF, and we found out that the future is exciting!
HITRUST is overhauling the MyCSF tool to provide a more user-friendly experience with improved functionality. MyCSF 2.0 will accommodate interim assessments – an assessment object will be required for interim assessments, and an interim letter will be included. Interim assessment requirements will be randomly generated, but limited to one per domain as they are today.
HITRUST also shared new features planned for HITRUST CSF version 10 to be released in Q3 2018.
They plan to significantly change the CSF so that it applies to additional industries, including travel and leisure, financial services, quick-serve restaurants, automotive, and media and entertainment. To serve these industries, CSF version 10 will offer these features:
- A set of core requirements will be applied to all assessments, with control “segments” being optionally added by the organization. Examples of control segments include HIPAA, GDPR, China cybersecurity law, statutory regulations, etc.
- The core requirements represent the minimum necessary; additional core requirements will be added based on organizational risk factors (i.e., system factors).
- HIPAA will no longer be embedded by default.
- PHI will be replaced by “sensitive data,” except for requirements related to HIPAA.
- V.10 will be released in the October timeframe.
- This change will make the CSF industry-agnostic and applicable to all organizations, not just those in the healthcare industry.
- To satisfy risk assessment needs, HITRUST is considering releasing the threat catalog so CSF users can see the tie between threats, vulnerabilities, and vulnerability mitigating controls.
HITRUST CSFBASICs consists of streamlined versions of the HITRUST CSF and the supporting HITRUST CSF Assurance Program designed to help small and lower-risk healthcare organizations meet difficult regulatory and risk management requirements. It’s based on a subset of the CSF (76 security requirements and 34 privacy requirements). Here are updates on the program:
- Beta testing is underway; program is expected to go live in June.
- HITRUST BASICs will not result in certification.
- Scoring will be limited to the “policy, process, and implemented” maturity levels; “measured” and “managed” will not be assessed. There will be a three-point scoring system, and it will not require an onsite assessment.
The Summit was a nice combination of facilitated discussions, educational sessions and networking opportunities that allowed us to engage with existing and potential new customers to help them realize and consider the benefits of the HITRUST CSF. It was a unique forum for customers, business partners, and vendors to truly collaborate on evolving approaches and ensuring effective communication of appropriate, timely, and consumable risk management information.