866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Explaining the Artificial Intelligence Requirements within HITRUST CSF v11.2.0 Blog Feature
Jerrad Bartczak

By: Jerrad Bartczak

Print/Save as PDF

Explaining the Artificial Intelligence Requirements within HITRUST CSF v11.2.0

Healthcare Assessments | Artificial Intelligence

To accommodate the ever-evolving cybersecurity threat landscape, HITRUST has released HITRUST CSF v11.2.0, updating its framework to include more pertinent concepts—one of the most notable additions is artificial intelligence (AI) risk management content.

In this new content, HITRUST created mappings to the NIST AI RMF v1.0 , ISO/IEC 23894, and ISO 31000, and to help you better understand what AI means for your HITRUST certification, we’re here to explain.

As experienced HITRUST external assessors, we’re abreast of the latest updates to the framework, and in this article, we’ll explain how adding this new concept of AI risk management will affect your HITRUST r2 certification so that, if you need to prove your systems are secured and maintained with AI risk management in mind, you’ll know what to expect from the added requirements.

Artificial Intelligence in the HITRUST CSF

With this update to HITRUST CSF v11.2.0, organizations that are pursuing HITRUST certification via an r2 assessment can now select “Artificial Intelligence Risk Management” as a compliance factor within MyCSF while scoping their assessment.

If you’ve pursued HITRUST certification before, you know that adjusting the scope of your assessment or including new factors will affect your total requirements necessary for compliance, so here’s exactly what you can expect to be added to your assessment and what you should prepare to provide as evidence to prove compliance for their AI systems.

HITRUST CSF AI Requirements

When you opt to add the AI component, you will need to account for small changes in requirements in the following domains:

Domain

Expectations

Domain 7 – Vulnerability Management

AI data, models, and systems are included in a documented inventory

Domain 16 – Business Continuity and Disaster Recovery

A business impact analysis (BIA) is conducted at least annually on AI systems

That being said, selecting AI risk management as a factor in your HITRUST r2 certification mostly impacts the following two domains:

  • Domain 1 (Information Protection Program); and
  • Domain 17 (Risk Management).

Domain 1 – Information Protection Program

In general, this section endeavors to ensure that your AI systems are aligned with business objectives—just as the other technologies within your environment are—within the overall information protection program.

A large part of that program regards how your organization documents—through policies, procedures, processes, and/or guidelines—your methods and procedures for maintaining system security. When you add AI risk management to your HITRUST r2 certification, many of the additional requirements also revolve around documentation.

More specifically, documentation should be maintained accounting for both internal and external factors concerning your organization’s AI use—that includes items such as:

Internal Factors

External Factors
  • How AI affects human resources within the organization
  • The transparency of organizational AI systems
  • Internal stakeholder needs
  • Legal regulations that must be followed
  • Contractual obligations
  • Overall societal, environmental, and political impacts

This domain also requires that your organization documents:

  • The risk management process;
  • Risk criteria;
  • Risk identification; and
  • Risk analysis, as pertains to AI systems.

Domain 17 – Risk Management

As for the risk management itself, when you select AI risk management as a HITRUST r2 factor, you’ll have several additional requirements to satisfy—although many may already be covered through practices that are in place within the organization, you’ll likely need to make a few slight tweaks.

For example, you likely have already:

  • Ensured that a risk assessment policy has been developed and disseminated, and is reviewed at least annually;
  • Established and disseminated personnel roles in the risk assessment policy;
  • Assigned an official within the organization to manage the implementation of that policy;
  • Implemented a risk management plan and
  • Performed annual testing of your risk management framework.

All those things should already be in place—particularly if you’ve pursued HITRUST certification before, as these are requirements—but when you add AI risk in, you’ll need to ensure you:

 

  • Make statements that convey your organization’s commitment to AI risk management and issue them to stakeholders to increase stakeholder confidence in your AI systems.
  • Consider human behavior and culture within your risk assessment process for AI systems.
  • Perform a societal impact analysis and an individual impact analysis on AI systems at least annually to essentially determine how the AI system affects the individual user and, in a broader scope, society while in use.

One other specifically interesting addition to this domain when AI is a factor seems to tie into the ethical questions around AI that are constantly being discussed in the news by organizations, governments, and ordinary people alike, as you’ll also be required to document your consideration of the consequences of AI use within your risk management process—things like the potential of your system(s) to:

  • Cause human harm,
  • Infringe on human rights, and
  • Cause environmental harm, to name a few.

Getting Ready for AI in HITRUST

The world of cybersecurity compliance is continuously adapting to keep up with the rapidly changing threat landscape. While the healthcare sector is one where it’s particularly important to ensure security due to the slew of patient data that is held within systems, HITRUST is an industry-agnostic standard that can appeal to many different kinds of organizations beyond just healthcare, any of whom may use AI systems.

Now, the HITRUST CSF accounts for these, and you understand a few of the highlights from the new update that dictate how you’ll need to approach your controls when adding AI risk management to your r2 certification. Still, partnering with an experienced and knowledgeable external assessor can help you fully digest these and other developments in the HITRUST CSF.

As one of the largest HITRUST assessors in the industry, you can trust that you’ll get the highest quality assessment along with the peace of mind that comes with all your questions answered, so reach out to us with any of your compliance questions or needs your organization

About Jerrad Bartczak

Jerrad Bartczak is a Senior Associate with Schellman based in New York. In his work ensuring that clients maintain an effective system of controls within their organization, he has experience conducting HITRUST, SOC 1, SOC 2, and HIPAA audits and maintains CISA, CCSFP, CCSK certifications.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.