HITRUST Services
The HITRUST CSF® is a security, privacy, and compliance risk management framework comprised of nationally and internationally accepted standards, including ISO, NIST, COBIT, PCI, HIPAA, and more, to ensure a comprehensive set of baseline security and privacy controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.
Originally developed for the healthcare industry, the HITRUST CSF now offers over 30 authoritative sources comprised of the frameworks mentioned above plus state, Federal, and foreign regulations. As such, the CSF can be used by healthcare and other organizations allowing them to perform one assessment and report against many requirements instead of performing multiple assessments and generating multiple reports, thereby containing effort and cost. The expanded HITRUST portfolio below provides a 100% overlay of one into the other, allowing an organization to start with a contained effort and grow its HITRUST profile to match its level of risk and needed levels of maturity and assurance.
The expanded HITRUST portfolio of assessments and certifications includes:
Basic Current State (bC): A self-assessment focusing on good cyber hygiene. No certification available.
Implemented 1-Year (i1): Validated Assessment + Certification against 219 static controls. Suitable for moderate assurance requirements. Only control implementation is assessed.
Risk-Based 2-Year (r2): The legacy HITRUST certification which includes a Validated Assessment + Risk-Based certification. Suitable for high assurance requirements. Three to five maturity criteria are assessed and the assessment is tailored to specific scoping factors.
As an Authorized HITRUST External Assessor, SCA can help simplify HITRUST and offers the following services:
HITRUST Readiness Assessment (i1 or r2)
The Readiness Assessment involves a review of your MyCSF data, which may include policy, process, implementation, measured and managed artifacts as well as self-scoring of each control requirement. The outcome of the Readiness Assessment is to uncover potential control requirement deficiencies so that they can be corrected, and scoring maximized in preparation for the Validated Assessment.
HITRUST Remediation (i1 or r2)
Remediation assistance includes consulting services surrounding control implementation and developing policy and process documents to help guide your company through effective and efficient control remediation. Note that the i1 does not require policy and procedure documentation.
Validated Assessment (i1 or r2)
To achieve HITRUST Certification, an organization must undergo a Validated Assessment, which must be performed by an Authorized HITRUST External Assessor such as SCA. The Validated Assessment involves a stringent review and scoring of each control requirement as determined by the assessment scope and is submitted to HITRUST for approval and certification.
Interim Assessment
For r2 only, the Interim Assessment is required to maintain HITRUST r2 certification and follows a similar process as the Validated Assessment. The Interim Assessment is designed to evaluate the client’s continued alignment with HITRUST requirements. Here, only a sample of controls is reviewed, along with any open CAPs (Corrective Action Plans).
Bridge Assessment
For r2 only, the Bridge Assessment fills the void when an already HITRUST r2 certified organization is unable to complete their next HITRUST r2 Validated Assessment before their existing certificate’s expiration. A Bridge Assessment follows a similar methodology as an Interim Assessment, reviewing only a sampling of controls, and provides a temporary certificate valid for 90 days, allowing the organization to maintain relationships with those that requested HITRUST certification and to also complete the next r2 Validated Assessment.
HITRUST Consulting
SCA analysts are available in various capacities to help support your HITRUST initiative. Our consulting includes assistance for those just starting their HITRUST journey with a Basic Current State (bC) Assessment through remediation as described above. Wherever you are in your HITRUST journey, SCA can help!
Discuss your needs with our HITRUST professionals today! SCA offers a no-cost strategy and scoping exercise to explore your HITRUST assessment and certification options, provide more insight into the potential size (number of controls) and fees for HITRUST services, and help you make confident decisions about your HITRUST path.