HITRUST Assessments and the Common Security Framework
by Christopher Fieger, McKonly & Asbury
HITRUST, originally the Health Information Trust Alliance, was founded to serve healthcare organizations. Since its founding, HITRUST has expanded into various public and private industries. HITRUST provides a baseline control framework that organizations can tailor by incorporating additional regulatory and IT frameworks, and it issues a certification following a validated assessment. In this article, we will cover the three main types of validated assessment an organization can obtain through HITRUST.
The HITRUST framework, called the HITRUST CSF (Common Security Framework), is organized into nineteen assessment domains covering information security and privacy topics. Each control is scored against maturity levels: 1) policy, 2) procedure (process), 3) implemented, 4) measured, and 5) managed. Depending on the assessment type, controls may be scored on implementation only or across several of these maturity levels. Every validated assessment must be performed by a HITRUST-authorized external assessor; only the readiness assessment can be completed without one.
Essential Validated Assessment (e1)
The first certification type is the essential validated assessment, also known as the “e1” certification. This certification is good for one year, is the least comprehensive of the three because it covers only basic cybersecurity hygiene, and requires the use of an external assessor. The control set contains fewer than 50 requirement statements.
Implemented Validated Assessment (i1)
The second certification type is the implemented validated assessment, also known as the “i1” certification. This certification is good for one year, and a rapid recertification is available in the second year. It is more rigorous than the e1 and requires the use of an external assessor. The control set contains roughly 170 to 190 requirement statements and is a superset of the e1 requirements.
Risk-based Validated Assessment (r2)
The third certification type is the risk-based validated assessment, also known as the “r2” certification. This certification is good for two years, with an interim assessment at the one-year mark, and its control set is tailored to the organization's risk factors. The requirements include everything in the e1 and i1 plus additional requirements selected according to those risk factors. This is the most intensive validated assessment from HITRUST and requires an external assessor to complete the certification.
Before pursuing HITRUST certification, an organization can perform a HITRUST readiness assessment. This assessment is not validated and does not result in a certification, but it allows any gaps to be identified and addressed before the organization begins the actual validated assessment period.
McKonly & Asbury is a HITRUST-approved organization that can perform HITRUST readiness assessments and external validated assessments. For more information on these services, be sure to visit our HITRUST and SOC services pages on our website, and please contact Dave Hammarberg, CPA, CISSP, CFE, MCSE, CISA with any questions.