HITRUST

Cyberattacks continue to increase in frequency and scale, placing significant pressure on organizations to protect sensitive data and information. Many health care and other organizations require vendors and contractors to have HITRUST CSF® certification from an external assessor to be eligible for, or start, engagements. 

Navigating the complex components of certification, however, can drain significant time and resources, and an inability to verify your security protocols could cause your organization to lose contracts.

Assess your current cybersecurity standing, bridge potential gaps, and demonstrate your organization’s commitment to safeguarding private data with a HITRUST CSF certification from our professionals.

How HITRUST CSF Can Support Your Organization

Though HITRUST CSF began as the set of security controls to support the federal laws protecting sensitive patient information in health care, it has now become data agnostic and focuses on any sensitive information that an organization needs to protect. The HITRUST CSF is a certifiable risk management framework for a range of organizations to demonstrate their security and compliance, including:

  • Technology companies handling large amounts of sensitive data
  • Insurance companies with personally identifiable information (PII)
  • Health care organizations looking to mitigate information security risk
  • Any organization handling sensitive data, such as protected health information (PHI), proprietary information, or PII

Based on strategic cybersecurity practices from the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) Special Publication 800-53, HITRUST CSF can be leveraged to map out and comply with requirements and control areas of other security frameworks and standards.

A one-time assessment can also help report on information risk and compliance with:

  • HIPAA, CMS, Joint Commission, Minimal Acceptable Risk Standards for Exchanges (MARS-E), and Health Industry Cybersecurity Practices (HICP)
  • State-specific and international regulations
  • Payment Card Industry Data Security Standard (PCI DSS)
  • General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other privacy regulations

Navigate the HITRUST Process

Whether your organization needs a new cybersecurity assessor or is planning its first assessment, our professionals can help guide you through the certification process.

The first step is determining which of HITRUST’s three assessment types to verify your standing against.

Chart of HITRUST assessments with descriptions, certification length, and more.

How the HITRUST Assessment Process Works

We preface any validated assessment—e1, i1, or r2—with a readiness assessment to prepare your organization for reporting and certification.

Interim assessments are available for the i1 and r2 assessments as the organization approaches the one-year anniversary of certification.

A bridge assessment, when applicable, can be used for previous r2 assessments.

Readiness Assessment

  • Review requirements and rate your organization’s controls
  • Verify with evidence such as policies, procedures, and employee interviews
  • Identify areas that need remediation
  • Develop a timeline leading up to the validated assessment
  • Prepare for the validated certification assessment

Validated Assessment

  • Conduct and document testing to demonstrate the effectiveness of the controls and evaluate their maturity
  • Verify that the scope of the assessment is documented appropriately
  • Submit testing and evidence to HITRUST for review, including report creation and certification

Interim Assessment

  • Complete after r2 certification and before the anniversary date of the certification to verify that the scope remains valid and security controls are effective for continued certification
  • Limited review of at least one requirement statement from each of the 19 domains and review of any corrective action plans from the last assessment

Bridge Assessment

  • Provides a temporary 90-day certificate if the original r2 certification date can’t be met
  • Should only be considered when there are issues completing an assessment before the current certification expires
  • Covers one requirement statement in each domain

AI Security and Risk Management Assessments

  • Security for AI Systems and the AI Risk Management factors can be added to any e1, i1, or r2 assessment to validate an organization’s AI models and systems 
  • When selecting the AI Security Assessment, the organization can choose the type of AI model (rule-based, predictive, generative) to include in the assessment scope
  • The AI Security Assessment also includes scoping around the data types used to train the model and whether the model’s parameters and architecture are confidential
  • Adding the Security for AI Systems factor to an e1, i1, or r2 assessment will add additional requirements that are tested and can lead to a HITRUST-issued certification 
  • The AI Risk Management factor adds requirements based on the NIST AI Risk Management Framework and the ISO/IEC 23894 AI – Guidance on Risk Management
  • An organization adding the AI Risk Management factor can have an Insights Report created detailing how well the organization meets NIST and ISO AI requirements
  • These additional AI requirements won’t affect certification scores for e1, i1, or r2 assessments, making them a way to evaluate an organization’s AI systems without affecting the overall HITRUST certification

Expansive HITRUST CSF and Cybersecurity Experience

With dedicated cybersecurity lines, our professionals have extensive knowledge of cyber-risk frameworks. Our collaborative approach focuses on understanding your organization’s specific needs and strategically developing tailored solutions in the context of broader industry trends and activities.

We don’t simply provide templates; we proactively identify appropriate cybersecurity solutions to help build foundations for long-term success—so you’re prepared to stay ahead of change and address new risks and challenges.

Our professionals understand the nuanced operations of organizations that handle secured information and the demands placed on their vendors—not only in health care, but for any industry seeking to protect sensitive information.

Our one-firm approach allows your organization to tap into the full resources of our firm, integrating guidance and solutions related to other integral support areas.