Highlights from the HITRUST Third-Party Assurance Summit

Andrew Hicks, Managing Principal, Coalfire

The HITRUST TPA Summit brought together customers, vendors, and assessor firms working in various aspects of risk management to share best practices, lessons learned, and effective third-party risk management strategies that leverage the HITRUST CSF Assurance Program and the HITRUST Assessment Exchange. Coalfire sent a team of healthcare experts to the Chicago event to meet with our HITRUST clients and with folks from organizations who are thinking about a HITRUST journey. We were also there to find out what’s next for the HITRUST CSF, and we found out that the future is exciting!

HITRUST is overhauling the MyCSF tool to provide a more user-friendly experience with improved functionality. MyCSF 2.0 will accommodate interim assessments – an assessment object will be required for interim assessments, and an interim letter will be included. Interim assessment requirements will be randomly generated, but limited to one per domain as they are today.

HITRUST also shared new features planned for HITRUST CSF version 10, to be released in Q3 2018. They plan to significantly change the CSF so that it applies to additional industries, including travel and leisure, financial services, quick-serve restaurants, automotive, and media and entertainment. To serve these industries, CSF version 10 will offer these features:

  • A set of core requirements will be applied to all assessments, with control “segments” being optionally added by the organization. Examples of control segments include HIPAA, GDPR, China cybersecurity law, statutory regulations, etc.
  • The core requirements represent the minimum necessary; additional core requirements will be added based on organizational risk factors (i.e., system factors).
  • HIPAA will no longer be embedded by default.
  • PHI will be replaced by “sensitive data,” except for requirements related to HIPAA.
  • V.10 will be released in the October timeframe.
  • This change will make the CSF industry-agnostic and applicable to all organizations, not just those in the healthcare industry.
  • To satisfy risk assessment needs, HITRUST is considering releasing the threat catalog so CSF users can see the tie between threats, vulnerabilities, and vulnerability mitigating controls.

HITRUST CSFBASICs consists of streamlined versions of the HITRUST CSF and the supporting HITRUST CSF Assurance Program designed to help small and lower-risk healthcare organizations meet difficult regulatory and risk management requirements. It’s based on a subset of the CSF (76 security requirements and 34 privacy requirements). Here are updates on the program:

  • Beta testing is underway; program is expected to go live in June.
  • HITRUST BASICs will not result in certification.
  • Scoring will be limited to the “policy, process, and implemented” maturity levels; “measured” and “managed” will not be assessed. It will use a three-point scoring system and will not require an onsite assessment.

The Summit was a nice combination of facilitated discussions, educational sessions and networking opportunities that allowed us to engage with existing and potential new customers to help them realize and consider the benefits of the HITRUST CSF. It was a unique forum for customers, business partners, and vendors to truly collaborate on evolving approaches and ensuring effective communication of appropriate, timely, and consumable risk management information.

Andrew Hicks
