HITRUST CSF Assurance Assessments

In 2022, HITRUST will change its Assurance Assessments and Results Distribution to include three levels: bC, i1, and r2. These changes will help start-ups and high-growth organizations obtain assurance assessments through HITRUST.

Introduction

HITRUST was founded in 2007 to provide healthcare IT organizations with assessments of their security controls. It has since broadened its scope to offer risk-based security assessments and assurances to third-party associates and stakeholders regardless of industry.

The HITRUST CSF, previously known as the Common Security Framework, is a collection of security controls. A scoping exercise performed in the MyCSF portal selects the controls that apply to an organization based on an evaluation of its risk factors. An external assessment of how those controls are used could lead to a HITRUST certification.

HITRUST currently offers only one certification at a high level of assurance. If you would like to learn more about the current requirements, please read our HITRUST CSF Certification whitepaper. This article will explain the changes coming to HITRUST Assurance Assessments and Results Distribution in 2022, including bC, i1, r2, and RDS.

Currently, HITRUST offers three levels of assessments:

  • HITRUST CSF Rapid Assessment: Self-assessed, security-only questionnaire facilitated through the HITRUST Assessment Exchange. (A low level of effort resulting in a low level of assurance.)
  • HITRUST CSF Readiness Assessment: Performed in preparation for a validated assessment. (A high level of effort resulting in a low level of assurance.)
  • HITRUST CSF Validated Assessment: Assessment leads to the HITRUST Certification. (A high level of effort resulting in a high level of assurance.)

The chart below represents the “level of effort” required for the HITRUST CSF legacy certification. For comparison, the chart uses 360 controls as an average, and three mandatory maturity test categories.

HITRUST CSF Legacy Certification Chart

2022 Changes to the HITRUST MyCSF

Although anecdotal evidence states that a HITRUST Certification has prevented federal audits, small organizations often have difficulty documenting evidence and managing the HITRUST MyCSF portal. Start-ups and high-growth organizations asked for a HITRUST “Lite” assessment leading to certification, and HITRUST responded to this request with a new portfolio of assessments.

Beginning in Q1 of 2022, HITRUST will offer three new assessments:

Basic, Current-state Assessment (bC)

  • Focus on good security hygiene controls for almost any size organization
  • Suitable for rapid and/or low assurance requirements
  • 71 HITRUST CSF requirements
  • Considers control implementation only
  • No supporting evidence required
  • Self-assessment only (no External Assessor required)
  • No certification can result

Implemented, 1-year Assessment (i1)

  • Readiness and Validated Assessments
  • Focus on leading security practices; designed to provide moderate assurance
  • Considers control implementation only; Policy and Process maturity levels are not considered
  • Approximately 200 HITRUST CSF requirements
  • QA is completed by HITRUST
  • Can lead to a 1-year HITRUST certification

Risk-based, 2-year Assessment (r2)

  • Same level of assurance and effort as the legacy HITRUST CSF Validated Assessment
  • Considers all five control maturity levels; Measured and Managed are still optional
  • Varies from 198 to 2,000 requirements; an average threshold is considered 360 controls
  • Can lead to a 2-year HITRUST certification
  • Requires an assessor’s examination of evidence

The chart below is a comparison of effort for the new i1 and r2 assessments leading to certification. For comparison, the chart uses 360 controls as an average.

New HITRUST CSF Certification Options Chart

Also new for 2022: certification attestation will be hosted by the governing body.

The HITRUST Results Distribution System (RDS)

Assessed entities grant reliant parties access to their results in HITRUST’s RDS. RDS replaces the practice of sending PDF reports.

Conclusion

In 2022, HITRUST will change its Assurance Assessments and Results Distribution to include three levels bC, i1, and r2. Basic, Current-state Assessment (bC) will focus on good security hygiene controls for almost any size organization. Implemented, 1-year Assessment (i1) will focus on leading security practices and is designed to provide moderate assurance. Risk-based, 2-year Assessment (r2) will have the same level of assurance and effort as the legacy HITRUST CSF Validated Assessment. These changes will help start-ups and high-growth organizations obtain assurance assessments through HITRUST.