Explaining the Artificial Intelligence Requirements within HITRUST CSF v11.2.0
To accommodate the ever-evolving cybersecurity threat landscape, HITRUST has released HITRUST CSF v11.2.0, updating its framework to include more pertinent concepts—one of the most notable additions is artificial intelligence (AI) risk management content.
In this new content, HITRUST created mappings to the NIST AI RMF v1.0 , ISO/IEC 23894, and ISO 31000, and to help you better understand what AI means for your HITRUST certification, we’re here to explain.
As experienced HITRUST external assessors, we’re abreast of the latest updates to the framework, and in this article, we’ll explain how adding this new concept of AI risk management will affect your HITRUST r2 certification so that, if you need to prove your systems are secured and maintained with AI risk management in mind, you’ll know what to expect from the added requirements.
Artificial Intelligence in the HITRUST CSF
With this update to HITRUST CSF v11.2.0, organizations that are pursuing HITRUST certification via an r2 assessment can now select “Artificial Intelligence Risk Management” as a compliance factor within MyCSF while scoping their assessment.
If you’ve pursued HITRUST certification before, you know that adjusting the scope of your assessment or including new factors will affect your total requirements necessary for compliance, so here’s exactly what you can expect to be added to your assessment and what you should prepare to provide as evidence to prove compliance for their AI systems.
HITRUST CSF AI Requirements
When you opt to add the AI component, you will need to account for small changes in requirements in the following domains:
Domain |
Expectations |
---|---|
Domain 7 – Vulnerability Management |
AI data, models, and systems are included in a documented inventory |
Domain 16 – Business Continuity and Disaster Recovery |
A business impact analysis (BIA) is conducted at least annually on AI systems |
That being said, selecting AI risk management as a factor in your HITRUST r2 certification mostly impacts the following two domains:
- Domain 1 (Information Protection Program); and
- Domain 17 (Risk Management).
Domain 1 – Information Protection Program
In general, this section endeavors to ensure that your AI systems are aligned with business objectives—just as the other technologies within your environment are—within the overall information protection program.
A large part of that program regards how your organization documents—through policies, procedures, processes, and/or guidelines—your methods and procedures for maintaining system security. When you add AI risk management to your HITRUST r2 certification, many of the additional requirements also revolve around documentation.
More specifically, documentation should be maintained accounting for both internal and external factors concerning your organization’s AI use—that includes items such as:
Internal Factors |
External Factors |
---|---|
|
|
This domain also requires that your organization documents:
- The risk management process;
- Risk criteria;
- Risk identification; and
- Risk analysis, as pertains to AI systems.
Domain 17 – Risk Management
As for the risk management itself, when you select AI risk management as a HITRUST r2 factor, you’ll have several additional requirements to satisfy—although many may already be covered through practices that are in place within the organization, you’ll likely need to make a few slight tweaks.
For example, you likely have already:
- Ensured that a risk assessment policy has been developed and disseminated, and is reviewed at least annually;
- Established and disseminated personnel roles in the risk assessment policy;
- Assigned an official within the organization to manage the implementation of that policy;
- Implemented a risk management plan and
- Performed annual testing of your risk management framework.
All those things should already be in place—particularly if you’ve pursued HITRUST certification before, as these are requirements—but when you add AI risk in, you’ll need to ensure you:
- Make statements that convey your organization’s commitment to AI risk management and issue them to stakeholders to increase stakeholder confidence in your AI systems.
- Consider human behavior and culture within your risk assessment process for AI systems.
- Perform a societal impact analysis and an individual impact analysis on AI systems at least annually to essentially determine how the AI system affects the individual user and, in a broader scope, society while in use.
One other specifically interesting addition to this domain when AI is a factor seems to tie into the ethical questions around AI that are constantly being discussed in the news by organizations, governments, and ordinary people alike, as you’ll also be required to document your consideration of the consequences of AI use within your risk management process—things like the potential of your system(s) to:
- Cause human harm,
- Infringe on human rights, and
- Cause environmental harm, to name a few.
Getting Ready for AI in HITRUST
The world of cybersecurity compliance is continuously adapting to keep up with the rapidly changing threat landscape. While the healthcare sector is one where it’s particularly important to ensure security due to the slew of patient data that is held within systems, HITRUST is an industry-agnostic standard that can appeal to many different kinds of organizations beyond just healthcare, any of whom may use AI systems.
Now, the HITRUST CSF accounts for these, and you understand a few of the highlights from the new update that dictate how you’ll need to approach your controls when adding AI risk management to your r2 certification. Still, partnering with an experienced and knowledgeable external assessor can help you fully digest these and other developments in the HITRUST CSF.
As one of the largest HITRUST assessors in the industry, you can trust that you’ll get the highest quality assessment along with the peace of mind that comes with all your questions answered, so reach out to us with any of your compliance questions or needs your organization
About Jerrad Bartczak
Jerrad Bartczak is a Senior Associate with Schellman based in New York. In his work ensuring that clients maintain an effective system of controls within their organization, he has experience conducting HITRUST, SOC 1, SOC 2, and HIPAA audits and maintains CISA, CCSFP, CCSK certifications.