HITRUST CSF Version Update and New Assessment Types

Troy Hawes, Managing Director, IT Consulting Services

April 13, 2023
LinkedIn Share Button Twitter Share Button Other Share Button Other Share Button
staircase to tall ferris wheel

This article was updated on October 27, 2023.

The HITRUST CSF is a certifiable security and privacy framework that helps organizations secure, comply, and assess against several security and privacy-related standards, regulations, and recommended practices.

HITRUST is used by organizations in many different highly regulated industries, such as health care organizations, technology companies, insurance plan providers, and any organization that handles different classifications of sensitive data.

With its version 11 update, HITRUST has maintained its commitment to improve the framework. The latest version helps organizations better manage risk by staying updated on the current cyberthreat landscape.

HITRUST CSF Version 11

HITRUST launched version 11 of the CSF at the beginning of 2023.

HITRUST is decommissioning the version 9.x series. Organizations currently using version 9.1 through 9.4 must switch over to version 11 or a higher version of 9.x—either 9.5 or 9.6—by 2024.

Timing and Deadlines

Organizations have until December 31, 2024, to submit assessments using versions 9.1 through 9.4, but any new assessment objects using these versions had to be created by September 30, 2023.

Organizations currently using versions 9.5 or 9.6 for r2 assessments can continue to use those versions, but they will also be decommissioned in the future.

Three HITRUST Certification Assessment Types

The following is a cursory explanation of each assessment type. For more details on each assessment, visit HITRUST Assurance Advisories.

includes description, certifications requirements, and more related to the different assessment types
Why Switch to HITRUST CSF Version 11?

Version 11 e1 and i1 assessments were designed to be threat-adaptive through the selection of requirement statements that address active cybersecurity threats. The inclusion of i1 requirement statements in the r2 assessments introduces a threat-adaptive assessment for all assessment types.

Version 11 also includes new and refreshed authoritative sources and mappings by adding National Institute of Standards and Technology (NIST) SP 800-53 Revision 5, the Health Industry Cybersecurity Practices, among others.

Additionally, the requirement statements are laid out differently from previous versions, so each statement includes the evaluative elements, making it easier to know what needs to be tested.

Why Not Upgrade to Version 9.5 or 9.6?

If you’ve been using version 9.1 to 9.4, moving to version 11 is recommended to make use of the changes and improvements made to the framework. Version 9.5 and 9.6 will eventually be decommissioned. If you must switch, you might as well invest in upgrading to the latest version to reduce the hassle of multiple version implementations and to leverage the latest enhancements and clarifications made to the requirement statements.

Is There a Risk to Using 9.5 or 9.6 Instead of Moving to HITRUST CSF Version 11?

While all active HITRUST frameworks provide a high level of assurance, Version 11 is based on the latest ongoing cybersecurity threats and improved control mappings. If you already assess against version 9.5 or 9.6, the recommendation is to stay with that version and start to compare the changes made to version 11 so you can update policies, procedures, or implemented evidence to eventually move to the new version.

Could HITRUST Certification Be the Next Level of Your Security Program?

Some organizations have begun to utilize HITRUST assessments instead of SOC examinations to evaluate a vendor’s maturity of their security and privacy controls.

Unlike SOC examination, also known as SOC audits, organizations cannot define the controls with a HITRUST assessment. HITRUST requirements are more specific, maturity-based, and harder to meet.

We’re Here to Help

For guidance on implementing HITRUST version 11 or developing or improving a security program at your organization, contact your Moss Adams professional.

Additional Resources

Ask a Question

The material appearing in this communication is for informational purposes only and should not be construed as legal, accounting, tax, or investment advice or opinion provided by Moss Adams LLP or its affiliates. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials have been prepared by professionals, the user should not substitute these materials for professional services, and should seek advice from an independent advisor before acting on any information presented. Moss Adams LLP and its affiliates assume no obligation to provide notification of changes in tax laws or other factors that could affect the information provided.

Related Topics

Article
Protect Patient Data by Executing Best Practices and Controls with the HITRUST CSF
Article
Article
SOC for Cybersecurity: How to Check the State of Your Cyberrisk Program and Build Stakeholder Confidence
Article
Article
Updates to SOC 2 Guidance and Points of Focus
Article
View More

Contact Us with Questions

Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Moss Adams Certifications LLC. Investment advisory offered through Moss Adams Wealth Advisors LLC. Services from India provided by Moss Adams (India) LLP.