As organizations that are HITRUST certified, pursuing certification, or have been making plans to do so review the changes in version 11, there are many questions about what’s new and how the changes will impact their current or planned certification. We recently sat down with Clearwater’s Director of Consulting Services and certified HITRUST assessor, Steve Myers, to get some answers. You can listen to our conversation with Steve here or catch the highlights below.
Let’s talk about the different CSF versions and options that organizations have today and when v11 is expected to be the default framework for assessments in the future?
Organizations are currently able to use different 9.x versions. 95 and 96 are available to use today but they can also choose to do different CFS 11 versions. So there’s 11.1 and 11.2, and both of those are available today as well.
Version 11 as it’s presented has some hidden sub requirements. Can you explain what that means for healthcare organizations?
When HITRUST created version 11, they took a lot of the things that were hidden in a version 9.x assessment under the illustrative procedures brought them to the top level. So in a version 11 assessment, I can look at the assessment and clearly see all of the requirements that I need to meet to be successful in my assessment.
When working on HITRUST readiness, clients using MCFS Versions prior to Version 11 tend to focus on the control statement as the only requirement(s) that they need to satisfy; however, many controls have sub-requirements that are only visible if you look at “More Info” or “Illustrative Procedures” from the MyCSF Assessment Object. This can be particularly problematic when you are doing Readiness and are taking the controls at face value.
It’s just a different experience when you’re looking at the CSF or in my CSF, is that correct? You have to be very cautious about what you detail and look at.
Yes and a good example of this is in the Wireless Security Domain. There is a control statement “Vendor defaults for wireless access points are changed prior to authorizing the implementation of the access point.”. At face value, this seems very straightforward; however, when looking at the illustrative procedure there are 5 specific requirements that need to be met in the policy. The illustrative procedure sates: “Examine policies and/or standards related to the management of wireless access points and determine if when configuring wireless access points and devices, the organization changes the following:”
- Vendor default encryption keys
- Encryption keys anytime anyone with knowledge of the keys leaves the company or changes positions.
- Default SNMP community strings on wireless devices
- Default passwords/passphrases on access points
- Other security-related wireless vendor defaults, if applicable
As an assessor, I need to review the policy document and see that each of these is specifically addressed in the Policy Documents presented to satisfy this control. If your policy statement simply states that you will change vendor defaults, you are probably going to score less than 100% in terms of this control. Likewise, when we evaluate the related procedure, we need to validate that each of these items is specifically considered in the procedure(s) attached to the control.
What we see most often is that the bulk of these will be addressed in the procedure document(s) associated with this control but referenced more broadly in the policy document(s).
When a control is taken at face value, this might simply appear to be a configuration management or hardening type item in your assessment. The second sub-control, “Encryption keys anytime anyone with knowledge of the keys leaves the company or changes positions” changes that dynamic in terms of how you might need to consider when responding to the control. You may have a specific encryption policy that deals with re-keying events or when encryption keys need to be changed. This could also be addressed in other policy documents specifically dealing with employee separations. To get full credit on the control, those items must also be presented to the assessor for review regarding this control.
There are many more examples of this type of issue in pre-version 11 assessments. The bottom line is that you really need to make sure you are looking at the related details in the illustrative procedures to confirm you are meeting all the requirements when working on the MyCFS Framework prior to Version 11.
Do you think version 11 does a better job in categorizing what you’re seeing?
Yes, and I think the key difference in a version 11 assessment from a client standpoint is knowing what to do to satisfy the control is very clear and upfront. The only thing I would need to go into a “more info” type of resource in a version 11 assessment might be clarification around sample set. But short of that, everything is laid out at the top level. In the 9.x assessment, I was constantly having to go into “more info” and go into illustrative procedures to fully understand all of the different requirements that I would need to meet. And they were all in paragraph form—it was a lot of reading. In a version 11 assessment, it’s bulleted.
Are there any other kind of sub requirements that have shifted or that organizations should start to prioritize?
If an organization was doing an interim assessment against a version 9, let’s say for an R2, they had done a full R2 under a 9x assessment, and they’re coming up for their renewal on their interim for their one year anniversary, I would probably stick with the 9x assessment. You already have all your data laid out, you know that your base assessment has been through the process and being QA’d and accepted. So that assessment in and of itself should be relatively good for the interim. I wouldn’t necessarily recommend upgrading to a version 11 assessment at that time. However, if you’re beyond your interim cycle and now going to a brand new assessment where it’s time to start over, that would be the perfect time to enter into a version 11 assessment.
In the interim, at what point in time, will organizations in an interim assessment have to move to version 11 or move to the next available version?
When you start a version, it’s valid for a period of time. And if you started it on a valid version and you had an interim, you would be able to continue that interim on that same version. Because it’s a two-year assessment, the interim is just a check-in to say, “am I still compliant?” But HITRUST sets sunset dates for each of the versions with a “start by” and “submit by” date. Organizations can’t start a version after the sunset.
Where can they find the estimated sunset date? And how far in advanced is that announced by high trust for these CSF versions?
It’s announced well enough in advance that most organizations would be able to keep up with that. HITRUST does a good job of putting out bulletins, and the bulletins really give you those sunset dates as they come up.
For those that are just starting down this path, what version would you suggest?
if you’re going to start a HITRUST assessment and you’re starting from scratch, I would go ahead and start with the most current version available. That gives you more time to continue down the path with that assessment. And if you’re collecting evidence and your policies are geared towards that particular version, you should be good for quite a period of time. It also allows you to preview new versions that are coming out and adapt your policies and procedures to those versions. If you start a version behind, your rate of change will likely increase because as they sunset those versions, you would be required to make that adaptation. So by going with the latest version, it gives you more time in your assessment window and allows you to control the change a little bit better.
The Clearwater Perspective
Clearwater recommends that existing HITRUST clients upgrade to Version 11 as soon as they are ready for their next full assessment and new clients start on the latest available MyCFS Version. Version 11 assessments have moved these from the illustrative procedure to the body of the control which makes this much clearer.
What’s next?
If you need help preparing for a HITRUST assessment or continuing your HITRUST journey, we’d love to talk to you. Schedule a call with our HITRUST team.
