HITRUST Certification With a Revised Assessment and Certification Portfolio
In November 2022, HITRUST announced that HITRUST MyCSF v11 would be released in January 2023. The release introduced a new assessment option and changed the assessment portfolio, which had last been updated in 2021.
On December 20, 2022, HITRUST issued a press release highlighting some of the major changes aimed at increasing efficiency and reducing the burden of certification efforts by up to 45%.
“There is no question that frameworks need to stay relevant with current and emerging threats so organizations can conduct assessments as efficiently as possible and provide practical, yet meaningful, assurances to stakeholders.”
Andrew Russell, VP Standards, HITRUST
This article provides a brief overview of HITRUST, the changes that went into effect this year, and how you can update your assessment and certification portfolio to ensure your organization remains compliant.
Overview of HITRUST
HITRUST is a security, privacy, compliance, and risk management framework that helps organizations protect their data and demonstrate compliance with regulatory requirements. Originally focused on healthcare, HITRUST can now be adopted by any industry and covers multiple frameworks and standards through the ability to “assess once and report against many.” HITRUST addresses controls ranging from physical security to electronic safeguards, with the aim of ensuring the confidentiality, integrity, and availability of sensitive data and protecting it from unauthorized access or misuse. HITRUST is widely regarded as the gold standard for healthcare organizations, so meeting its requirements helps an organization demonstrate that it is taking concrete steps to protect patient data and satisfy HIPAA requirements.
Achieving HITRUST Certification
Achieving HITRUST Certification shows that your organization is committed to protecting patient data and complying with regulatory requirements, which helps build trust with stakeholders, business partners, and patients. Because certification requires adherence to defined security controls and procedures, it can also improve operational efficiency and gives assurance that an organization is taking steps to keep customer data secure. Finally, by helping organizations maintain the confidentiality of PHI, it reduces the risk that patient health information is misused or disclosed without permission.
HITRUST isn’t just a tool for public relations, though. It consolidates a number of security and privacy measures and a broad array of regulatory factors into a comprehensive framework for safeguarding data. Many frameworks and regulations are ambiguous, creating uncertainty for security teams. HITRUST brings clarity by offering prescriptive requirements that provide a roadmap to a robust security, privacy, and compliance risk management process.
Understanding the Revised Assessment and Certification Portfolio
So, what’s new in HITRUST? HITRUST MyCSF v11 represents a significant advancement in terms of overall security and privacy with the introduction of new controls, procedures, and requirements. Some highlights of the new release include:
- Expanded scope to include GDPR requirements and CSA STAR Level 1 certification;
- Enhanced data leakage prevention safeguards;
- Updated policies and procedures for encryption key management, incident response, and breach notification;
- Cloud-specific security requirements for both IaaS and SaaS offerings;
- Strengthened identity and access management practices.
The v11 Assessment and Certification portfolio consists of the following:
e1: Essentials 1-Year Assessment and Certification (New!)
The e1 contains 44 static controls; think of it as basic cyber hygiene. Only the control implementation is assessed. The certification is valid for 1 year and must be repeated annually to maintain certification.
i1: Implemented 1-Year Assessment and Certification
Introduced in January 2022, the i1 now contains 180 static controls (down from 219) and has become threat adaptive. The i1 offers moderate assurance and assesses only the control implementation, although some of the implementation specifications do require documentation. Certification for the i1 also lasts only 1 year, but new in 2023 is the Rapid Recertification process, which reduces the number of controls reviewed at recertification.
r2: Risk-Based 2-Year Assessment and Certification
The r2 is the original HITRUST assessment and certification, tailored to each client's specific needs. Using scoping data around organizational, technical, and regulatory factors, the r2 can contain over 2,000 controls, but the average is around 350. The r2 offers the highest level of assurance. While the certification lasts for 2 years, an Interim Assessment is required after 1 year to demonstrate continued adherence to HITRUST.
All HITRUST assessments are now subsets (or supersets) of each other, which allows organizations to reuse the work from lower-level HITRUST assessments to progressively achieve higher assurance through shared control requirements and inheritance. In other words, an organization can start its HITRUST journey with the e1 and grow into the i1 and then the r2.
The framework is now integrated across Microsoft Azure, Dynamics 365, Microsoft 365, and Power Platform. It adds two new authoritative sources, NIST SP 800-53 Rev. 5 and the Health Industry Cybersecurity Practices (HICP) standards. For the first time, it also includes AI-based standards development capabilities to aid HITRUST's assurance experts in mapping and maintaining authoritative sources.
The Steps to Take for Maintaining HITRUST Compliance with a Revised Assessment and Certification Portfolio
This year, with the changes in place, it makes sense for organizations to revisit their assessment approach and update their certification portfolios accordingly. The good news is that if you already hold a HITRUST CSF Certification, it fits into the new, updated framework.
HITRUST CSF Certification is a large project, but it is well worth the effort for the assurance and protection it brings your organization. SCA is an Authorized HITRUST External Assessor and can help your organization achieve or maintain HITRUST certification using a proven process. SCA has been providing cybersecurity assessment and advisory services for over 17 years and HITRUST advisory services for the last five years. We are familiar with HITRUST MyCSF v11 and its changes and can help your team approach and tackle your HITRUST goals with confidence and certainty.