HITRUST Services
The HITRUST CSF® is a security, privacy, and compliance risk management framework comprised of nationally and internationally accepted standards, including ISO, NIST, COBIT, PCI, HIPAA, and more, to ensure a comprehensive set of baseline security and privacy controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.
Originally developed for the healthcare industry, the HITRUST CSF now offers over 40 authoritative sources comprised of the frameworks mentioned above plus state, Federal, and foreign regulations. As such, the CSF can be used by healthcare and other organizations allowing them to perform one assessment and report against many requirements instead of performing multiple assessments and generating multiple reports, thereby containing effort and cost.
The expanded HITRUST portfolio of assessments and certifications includes:
Essentials (e1): Foundational cybersecurity for startups and companies with lower risk profiles or less complexity. Control implementation is assessed for 44 static controls. 1-year certification.
Implemented (i1): Leading security practices for those with established information security programs who also need a moderate level of assurance. Control implementation is assessed for 182 static controls. 1-year certification.
Risk-Based (r2): Expanded practices for those who need to demonstrate compliance with one or more regulations and frameworks. It is the most comprehensive HITRUST assessment and provides a high level of assurance. Three to five maturity criteria are assessed. 2-year certification.
As an Authorized HITRUST External Assessor, SCA can help simplify HITRUST and offers the following services:
HITRUST Readiness Assessment
The Readiness Assessment involves a review of your MyCSF data, which may include policy, process, implementation, measured and managed artifacts as well as self-scoring of each control requirement. The outcome of the Readiness Assessment is to uncover potential control requirement deficiencies so that they can be corrected, and scoring maximized in preparation for the Validated Assessment.
HITRUST Remediation
Remediation assistance includes consulting services surrounding control implementation and developing policy and process documents to help guide your company through effective and efficient control remediation. Other ancillary services available to support remediation include penetration testing, risk assessments, information security program review, and more to streamline HITRUST remediation efforts.
Validated Assessment
To achieve HITRUST Certification, an organization must undergo a Validated Assessment, which must be performed by an Authorized HITRUST External Assessor such as SCA. The Validated Assessment involves a stringent review and scoring of each control requirement as determined by the assessment scope and is submitted to HITRUST for approval and certification.
Interim Assessment
For r2 only, the Interim Assessment is required to maintain HITRUST r2 certification and follows a similar process as the Validated Assessment. The Interim Assessment is designed to evaluate the client’s continued alignment with HITRUST requirements. Here, only a sample of controls is reviewed, along with any open CAPs (Corrective Action Plans).
i1 Rapid Recertification
For i1 only, Rapid Recertification is an accelerated way to recertify to i1 requirements in your second year. This is accomplished through assessing a contained sampling of controls. Clients must be using MyCSF v11 and newer.
Bridge Assessment
For r2 only, the Bridge Assessment fills the void when an already HITRUST r2 certified organization is unable to complete their next HITRUST r2 Validated Assessment before their existing certificate’s expiration. A Bridge Assessment follows a similar methodology as an Interim Assessment, reviewing only a sampling of controls, and provides a temporary certificate valid for 90 days, allowing the organization to maintain relationships with those that requested HITRUST certification and to also complete the next r2 Validated Assessment.
HITRUST Consulting
SCA analysts are available in various capacities to help support your HITRUST initiative. Our consulting services include assistance for those just starting their HITRUST journey to those in process to those who are certified but want a fresh HITRUST External Assessor relationship. Wherever you are in your HITRUST journey, SCA can help!
Discuss your needs with our HITRUST professionals today! SCA offers a no-cost strategy and scoping exercise to explore your HITRUST assessment and certification options, provide more insight into the project scope and number of controls, estimate fees for HITRUST services and help you make confident decisions about your HITRUST path.