BLOG

Blog Post by Angela Fitzpatrick, Senior Manager & HITRUST Leader at Meditology Services

---

One of the many, many things we’ve learned over the last year or more of living and working through a pandemic, is that cybersecurity needs to evolve with the changing threat landscape. Likewise, the regulatory landscape and the security related frameworks we rely upon must attempt to keep pace. HITRUST is no exception as they seek to constantly evolve and update the HITRUST CSF, certifications, and processes.

Healthcare Cyber Regulations Are Evolving

Recent and forthcoming regulation and government guidance regarding cybersecurity and supply chains globally are driving the healthcare industry to implement new control models to adapt to evolving threats.

Some examples of recent and pending healthcare cybersecurity regulations and standards updates include:

• US Executive Orders 14017: “Executive Order on America’s Supply Chains” - Introduced by President Biden to increase resiliency in US supply chains, including mitigating foreign cyber-attacks
• NIST 800-53 Rev 5: “Security and Privacy Controls for Information Systems and Organizations” - Guidance for how organizations should select and maintain customized security and privacy controls for their information systems
• President Biden’s Proposed $9.8B 2021 Budget for Cybersecurity - Increased budget over 2020 includes $1.2B more for Civilian department and $750M for SolarWinds attach response
• Passing of Homeland Security Cybersecurity Bills - Of 13 Homeland Security bills passed in July 2021, 3 focused on bolstering the cybersecurity of state and local government networks in response to ransomware and other cyber attacks
• Bipartisan Data Privacy Bill Drafted - Bipartisan bill drafted to reintroduce the Social Media Privacy Protection and Consumer Rights Act, forcing tech companies to grant users greater control over their data
• UN Cybersecurity Rules, Norms and Principles for Responsible State Behavior - Guidance by the UN to Member States on cybersecurity and threats in the context of international security
• HIPAA Safe Harbor Law, H.R. 7898 - This new law incentivizes covered entities and business associates to adopt industry best practices including HITRUST CSF Certification and NIST CSF standards

HITRUST Releases CSF Version 9.5

Earlier this year, HITRUST communicated a planned release of a new version of the HITRUST CSF, the much-anticipated version 10. However, additional considerations and review are planned before HITRUST releases version 10, which is now slated for release in 2022.

This doesn’t mean that we will not see any updates or changes from HITRUST for the remainder of this year.  On the contrary, HITRUST recently announced the release of the HITRUST CSF Version 9.5.

HITRUST issued an update this week highlighting some of the benefits of version 9.5 in enabling organizations to streamline capturing and presenting regulatory compliance evidence. Specifically, HITRUST notes that the MyCSF Compliance and Reporting Pack for HIPAA within the MyCSF platform will allow organizations to:

• Generate a report, formatted by HIPAA control, that maps the applicable HIPAA requirements to your HITRUST CSF Assessment
• Provide the ability to select only the regulation subparts that the Office for Civil Rights (OCR) requests in the event of an audit or inquiry
• Map each requirement to your corresponding policies and evidence for submission to the OCR

Meditology’s HITRUST experts have also been performing analysis of the specific control changes in version 9.5. We are advising clients on specific impacts to their certification processes, as they can vary across organizations depending on scope and implementation considerations.

More Updates on The Way

HITRUST has also reported that they anticipate an additional update to the HITRUST CSF (v9.6) before the end of 2021. At the same time, HITRUST is working on strengthening their “core components” through several updates including:

• Privacy certifications
• Emerging threat catalogue
• MyCSF UI and UX
• Inheritance updates

We will provide additional updates on the new HITRUST CSF versions and other relevant changes as they become available.

Contact our team if you want to discuss these evolving standards and we can advise on how they may impact your organization.

Meditology: Leaders in Healthcare Cybersecurity and HITRUST Services What Our Clients Are Saying "I rate the value of working with Meditology on our HITRUST Certification as “Exceptional” - 5 out of 5 rating. 2020 was a difficult year but we would not have gotten the results without working with Meditology as a partner because of the thoroughness, attention to quality, and stick-to-it-iveness. We have a legit HITRUST with no CAPs." - AVP, Governance Risk & Compliance, National Direct Access Care Network and Wellness Organization .................................................................... “Meditology saw us all the way through as they always have, we got our cert, they moved staff and timelines around, and they were very flexible in seeing us to the end. We were very happy with the deliverables. And A+ for getting us to the HITRUST Certification. We are satisfied, our Board and Execs are happy." - Director of Security, Software Development Company .................................................................... “I felt a strong sense of partnership right from the beginning. Meditology is competent and knowledgeable about who we are and how we are trying to achieve our HITRUST Certification goals, and that’s a big part of success." - CISO, One of the Nation's Largest Healthcare Payors