HITRUST®
WHAT IS THE HITRUST CSF?
The HITRUST CSF is an internationally recognized, comprehensive, and scalable risk management framework that is meant to assist organizations with maintaining an efficient approach to compliance, and protect against emerging cybersecurity and privacy threats.
The HITRUST CSF leverages the standards from authoritative sources (e.g., HIPAA, GDPR, PCI DSS, NIST 800-53, NIST 800-171 and dozens more), so organizations can customize their risk management approach based on the risk and regulatory factors relevant to their organization.
The HITRUST Assurance Program utilizes the CSF and requires organizations to perform assessments using a HITRUST Authorized External Assessor such as 360 Advanced.
A PRISMA-based maturity model is used within the CSF assessments to quantify areas of risk, and ultimately determine if an organization meets the requirement for certification for the type of assessment (e1, i1, or r2) that is performed.
Navigate HITRUST Assessments
with 360 Advanced
360 Advanced helps you navigate HITRUST assessments to get you the report(s) you need to satisfy stakeholder and regulator inquiries. Getting a HITRUST Certification can put you on the fast track to answer client questions about your information security programs, earn new business, show compliance, and provide added assurances for cyber insurers.
Our HITRUST CSF Services
An experienced authorized assessor at 360 Advanced provides the guidance you need to achieve and maintain certification. We use our extensive experience to walk you through the certification process—from scoping and interviews to technical testing and validation.
HITRUST CSF Readiness Assessment
The Readiness Assessment is designed as an introduction to the CSF for the associated assessment type your organization is preparing for and is the springboard to a validated assessment. In addition to familiarizing your organization with the HITRUST approach, 360 Advanced also helps to identify gaps and a path forward to a successful validated assessment.
Essentials, 1-year (e1) Validate Assessment
Released in January 2023, the e1 focuses on the most critical cybersecurity threats and demonstrates that an organization practices essential cybersecurity hygiene. The e1 caters to low-risk enterprises that have a need to demonstrate they have foundational cybersecurity practices in place. The e1 assessment aligns with the following authoritative sources:
- CISA Cyber Essentials
- Health Industry Cybersecurity Practices (HICP) for Small Healthcare Organizations
- NIST 800-171 (Basic Requirements)
- NIST IR 7621
Successful completion of the e1 assessment by an Authorized External Assessor Organization results in a one-year certification.
HITRUST Implemented, 1-Year (i1) Validated Assessment
The i1 focuses on leading security practices for organizations with robust information security programs ready to demonstrate controls that protect against current and emerging threats. The i1 assessment aligns with the following authoritative sources:
- HIPAA Security Rule
- GLBA Safeguards Rule
- Dept. of Labor EBSA Cybersecurity Program Best Practices
- Health Industry Cybersecurity Practices (HICP) for Small Healthcare Organizations
- NIST 800-171
Successful completion of the i1 assessment by an Authorized External Assessor Organization such as 360 Advanced results in a one-year certification.
Rapid Recertification for i1 Assessments
Starting with the release of version 11 of the CSF, the i1 rapid recertification assessment allows for a more streamlined approach to achieving i1 certification in an organization’s subsequent certification year by only requiring the Authorized External Assessor Organization to assess a subset of i1 requirements.
For an organization to be eligible to perform an i1 rapid recertification, it must be able to demonstrate that the control environment has not materially changed or degraded since completion of the previous i1 assessment, and the original assessment has to have been performed using v11 of the CSF or later.
HITRUST Risk-Based, 2-Year (r2) Validated Assessment
The r2 validated assessment is a comprehensive assessment that is tailored to an organization’s inherent risk factors. The r2 assessment is a much more rigorous assessment compared to the e1 and i1 assessments and is suitable for organizations that have a requirement to demonstrate high assurance requirements.
Unlike the e1 and i1, which only require organizations to demonstrate that the requirements are implemented, the r2 assessment requires organizations to demonstrate that the requirements are implemented, and that policies and procedures are in place as well and—optionally—that they are being measured and managed.
Organizations have the option to add nearly 40 authoritative sources to their assessment to demonstrate compliance with multiple standards or regulations within one assessment.
The HITRUST r2 certification is valid for a period of two years, and an interim assessment is required in the second year.
HITRUST r2 Interim Assessment
For an organization to maintain their r2 HITRUST CSF Certification, an interim assessment must be conducted by an Authorized External Assessor Organization on the second year. It must be submitted to HITRUST within the 90-day window leading up to the one-year anniversary of the certification issuance date. The assessment consists of the following:
Testing of one requirement within each of the 19 assessment domains
Review of any requirements that were marked “not applicable” during the original assessment to ensure their status remains the same
Review of any Corrective Action Plans that were identified during the original assessment and ensure the organization has either remediated or made reasonable progress towards remediation.
Testimonials
Start your HITRUST
Journey with 360 Advanced
360 Advanced helps you navigate HITRUST assessments to get you the report(s) you need to satisfy stakeholder and regulator inquiries.