The HITRUST CSF Version 9.1 Release – How It Could Apply to Your Organization

Michael T. Williams, Senior Consultant, Coalfire

If you’re familiar with the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), then you’re likely aware that HITRUST revises the CSF requirements twice annually to account for new regulations, technologies, and business models affecting the security of Protected Health Information (PHI). This enables the HITRUST CSF to evolve in step with the changing cyber risk landscape. HITRUST CSF version 9 is currently in effect, but HITRUST will release version 9.1 later this month. Version 9.1 will introduce new requirements based on two regulations: the New York Codes, Rules, and Regulations (NYCRR) Section 500, and the European Union (EU) General Data Protection Regulation (GDPR). It will enable organizations to extend their compliance posture to these regulations, should they apply.

NYCRR Section 500 establishes comprehensive cybersecurity requirements for the New York Financial Services industry. It was enacted on March 1, 2017 in the wake of several high-profile data breaches in the state. Beginning February 15, 2018, organizations must submit a Certificate of Compliance to the Financial Services Superintendent demonstrating implementation, management, and assessment of an effective cybersecurity program. HITRUST CSF version 9.0 implicitly embodies much of NYCRR Section 500 through existing requirements, but version 9.1 invokes new requirements explicitly relating to Certificate of Compliance submission, multiyear audit log and system backup retention, and breach notification to the Superintendent. While NYCRR Section 500 arose from cybersecurity concerns in Financial Services, it specifies a definition of non-public information that includes PHI. Thus, the regulation’s concern with data privacy extends to healthcare transactions.

GDPR is groundbreaking information and privacy legislation developed over three years by the 28 member states of the European Union. Its purpose is to standardize and supervise the use of EU personal data (including health data) by data controllers and processors (i.e., organizations that respectively establish business imperatives and operations for manipulating personal data). GDPR also introduces a schedule of substantial fines for data protection violations (up to four percent of global revenue). HITRUST CSF version 9.1 introduces a series of GDPR-specific requirements relating to transmission security of data flows, third-party security requirements for controllers and processors, breach notification of controllers and data subjects (i.e., data owners), breach documentation and remediation, privacy impact assessment, and Data Privacy Officer (DPO) appointment. Version 9.1 also observes the requirement for GDPR privacy representation by non-EU organizations who interact with EU personal data, thus establishing that GDPR can extend beyond EU borders.

HITRUST CSF version 9.1 will be officially released in February 2018. Organizations currently certifying under version 9.0 will have a six-month grace period to transition (provided they have purchased and scoped a version 9.0 assessment object before the release date). If already certified under version 9.0, organizations need not undertake version 9.1 until their next full assessment cycle.

Coalfire recommends organizations determine whether the NYCRR Section 500 and/or GDPR applies to their operations and systems, then scope their assessment objects accordingly. Organizations should also acquaint themselves with the regulations (cf. and Coalfire can assist organizations in understanding the requirements and undertaking a version 9.1 assessment.
