HITRUST Expands Assessment Portfolio: Why It Matters
Last month, cybersecurity thought leader HITRUST announced that it would be expanding its assessment portfolio to prioritize quality, reliability, and privacy. This is important information for enterprises evaluating their cybersecurity postures and how they handle assets and risk management across a variety of industries. Keep reading to learn more about these updated assessments, certifications, and how it all impacts your enterprise.
What Is HITRUST?
HITRUST—pronounced like “high trust”—was founded in 2007 with the goal of fortifying cybersecurity practices for healthcare organizations through a Common Security Framework (CSF). Today the CSF has grown into a security, privacy, and compliance risk management framework. Leveraging other global standards for cybersecurity such as NIST or ISO, this framework can be customized to fit the specifics of your enterprise. In addition to offering CSF solutions, HITRUST offers a pathway to CSF certification, allowing you to demonstrate robust security, privacy, compliance, and risk management practices to business partners, clients, and stakeholders.
Why Are HITRUST CSF Assessments Important For Your Enterprise?
Until now, the HITRUST assessment portfolio contained three offerings:
- HITRUST CSF Rapid Assessment: This security-only self-assessment questionnaire is facilitated through the HITRUST Assessment Exchange. It provides a low level of assurance and no certification.
- HITRUST CSF Readiness Assessment: A more in-depth assessment used to prepare for a validated assessment. It provides a low level of assurance and no certification.
- HITRUST CSF Validated Assessment: An in-depth assessment that can result in HITRUST CSF Certification. It can be tailored to one or more authoritative sources and measures maturity against either three or five criteria. It provides a very high level of assurance.
Of the above, only the third offering resulted in certification: the HITRUST CSF Validated Assessment Report with Certification. Because of the high level of assurance provided by comprehensive, prescriptive control requirements, it’s a heavy lift, but also the gold standard for security, privacy, and compliance risk management.
HITRUST Expands Assessment Portfolio: What You Need to Know
Feedback from clients, potential clients, stakeholders, and the HITRUST External Assessor community identified the need for more options to address varying assurance requirements and levels of assessment effort. HITRUST is answering the call with new assessments and a new certification that will require less effort than today’s validated assessment while maintaining the gold standard by which HITRUST has become known.
The expanded assessment portfolio includes new names for the Rapid Assessment and Validated Assessment plus the addition of a new assessment to fill the gap for moderate assessment effort and low to moderate assurance:
Basic, Current State Assessment (bC)
This “toe in the water” version zeroes in on good security hygiene controls for practically any size organization. It uses a simple approach to evaluation, making it suitable for rapid, low assurance requirements. The bC is a self-assessment against 71 static controls from NISTIR 7621: Small Business Information Security Fundamentals. Since it’s a self-assessment, the bC does not require an External Assessor and does not result in certification. The bC will be available by the end of 2021.
Implemented 1-Year Assessment (i1)
The i1 fills the gap mentioned earlier for moderate assessment and assurance levels by looking at leading security practices and using a more rigorous evaluation method. The i1 includes an i1 Readiness Assessment to prepare for the matching i1 Validated Assessment, which can yield a certification that is valid for 1 year. The i1 Validated Assessment must be performed by an Authorized HITRUST External Assessor, much like the legacy Validated Assessment. To stay within the parameters of moderate assessment and assurance levels, the i1 evaluates only the implementation of 200 pre-defined/static controls that include all of NIST 800-171, the FTC/GLBA Safeguards Rule, much of the HIPAA Security Rule, and portions of the AICPA TSC (Trust Services Criteria). The i1 will be available by the end of 2021.
Risk-Based 2-Year Assessment (r2)
Previously known as the Validated Assessment, the r2 remains unchanged. This most rigorous option provides a very high level of assurance and uses a comprehensive risk-based specification of controls (from 198 to 2,000) from leading frameworks and regulations including NIST 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others. Optionally, the controls can be tailored to one or more authoritative sources, which can be used to demonstrate compliance with many regulations and frameworks such as HIPAA and the NIST Cybersecurity Framework. Maturity is measured against either three or five criteria: policy, process, implemented, measured, and managed.
The r2 Readiness Assessment helps an organization understand where gaps exist and prepare for the r2 Validated Assessment, which can result in HITRUST CSF Certification that is valid for 2 years. The r2 Validated Assessment must still be performed by an Authorized HITRUST External Assessor, and the requirement for the Interim Assessment after 1 year remains intact.
SCA Can Help Your Enterprise Navigate These New Assessments
Security Compliance Associates offers a range of services to assess your cybersecurity controls and determine areas of improvement, which helps you maintain compliance and save time and money. By partnering with us to manage your cybersecurity posture, your internal team can address other important matters.
Have questions or aren’t sure where to start? SCA offers a no-cost Strategy and Scoping session to help you navigate the best HITRUST path for you.