Here’s What You Need to Know about HITRUST’s New Assessment and Updates

Julie Butterfield January 19, 2023

In an effort to stay relevant with current and emerging threats, HITRUST has made several updates.

First, the big news: HITRUST has expanded its assessment portfolio to include a less-complex assessment with fewer requirements, called the Essentials, 1-year (e1) Validated Assessment.

HITRUST has also released CSF v11, changed how Corrective Action Plans (CAPs) are identified, and enhanced the HITRUST Implemented, 1-year (i1) program with a rapid recertification option.

“The investments we’ve made in our AI-based standards development platform have dramatically improved our ability to assess threat-adaptive mitigations, add authoritative sources, and reduce redundancies, allowing organizations to achieve the same level of assurance with less effort,” said Andrew Russell, VP of Standards at HITRUST.

Let’s break these down.

Essentials, 1-year (e1) Validated Assessment
HITRUST has identified a growing need for a low-effort, reliable cybersecurity assessment and certification built on basic cybersecurity hygiene and the most critical threats.

It has thus expanded its assessment portfolio to include e1, which is a less-complex assessment with fewer requirements, designed to be easily understood, relevant to today’s cyberthreats, and applicable in any industry.

Available from January 2023, the e1 focuses on the most critical cybersecurity threats and requires only a fraction of the CSF requirements covered by the i1 and r2.

  • The i1 includes 180 HITRUST CSF requirements
  • The r2 averages more than 400 HITRUST CSF requirements
  • The e1 requires fewer than 50 CSF requirements

More features of the e1 include:

  • Organizations can demonstrate a “minimum bar” of cybersecurity hygiene.
  • The e1 delivers a suitable assessment for organizations with a lower risk profile.
  • It results in a one-year certification and requires an external assessor, such as 360 Advanced.

In addition, HITRUST is sunsetting CSF v9.1 through v9.4, starting in September 2023, with the phase-out completing by March 2026.

CSF v11 Release
HITRUST has aligned the selection of requirement statements used for the e1 assessment, i1 assessment, and r2 assessment baseline.

Because the requirements overlap, organizations can progress through the assessment portfolio to demonstrate increasing levels of information-protection assurance without redoing work completed in earlier assessments.

Some of the enhancements also include:

  • Added health industry cybersecurity practices mapping
  • Refreshed NIST cybersecurity framework mapping
  • Refreshed HIPAA Security Rule, Privacy Rule, and Breach Notification mapping

v11 became available in January 2023 within MyCSF.

Corrective Action Plan (CAP) Identification Changes
A standard CAP identification method for the b1, i1, and r2 is coming soon, bringing consistency to reports produced by the different assessment types.

Beginning in June 2023, all r2 assessments that haven’t had CAPs identified within MyCSF will be converted to the standard CAP identification method.

Rapid Recertification for i1 assessments
An i1 rapid recertification assessment in MyCSF is slated for release in 2023. It will let assessed entities evaluate a selected subset of i1 requirement statements to show that their control environment has not substantially changed since the previous i1 assessment. If the control environment has not materially degraded, the assessed entity may rely on the scores from its previously completed i1 for the remaining requirements.

“Security requirements are never complete, and a framework that is adaptive and responsive to security and compliance stakeholders is sorely needed,” said Robert Booker, HITRUST Chief Strategy Officer.

How 360 Advanced Helps
Through its seat on the HITRUST External Assessor Council and its extensive knowledge of HITRUST and its latest updates, the team at 360 Advanced helps you tailor the most suitable security approach for your business. We identify your optimal solution, whether it includes SOC reporting, penetration testing, or HITRUST assessments, then review your cybersecurity and compliance plans, streamline your process, and save you money.