HITRUST CSF® Assessment Services

Connect with us

doctor looking at tablet healthcare technoogy

Featured

Building a resilient cybersecurity program amidst regulatory change

Team discusses client needs in an office

Featured

Multiple compliance frameworks and compliance strategies

Consultants review software development code

Featured

Strategy check: evaluating your cyber program to strengthen assurance

Students raising their hands in a university classroom

Featured

HITRUST compliance steps for success

HITRUST CSF® Assessment Services

Article

Building a resilient cybersecurity program amidst regulatory change

Webinar

Mastering multiple compliance frameworks

Case Study

International payment solutions provider gains efficiencies to multiple HITRUST® assessments by leveraging inheritance model

Article

SOC 2+ FAQs: How to enhance SOC 2® compliance

Webinar

SOC 2+: Enhancing SOC 2® compliance with additional frameworks

Article

hitrust compliance services office meeting

Compliance steps for success: Preparing for your HITRUST® external assessment

Webinar

AI: How to manage cybersecurity and data governance risks

Webinar

Top cyber trends and emerging risks in the insurance industry

Article

Taking notes on hitrust compliance requirements at a computer

Lessons from the field: Concepts to know for sustainable success in your HITRUST journey

Webinar

Strategy check: evaluating your cyber program to strengthen assurance

Article

How higher education and research institutions may benefit from using HITRUST to navigate research data security requirements

Article

Easing cyber insurance woes using key controls

Article

Team working to analyze data and software

New HITRUST assessments rise to meet the need for varying assurance levels

Webinar

Woman looking at data visualization on tablet

Demystifying HITRUST assessment types: bC, i1 and r2

Article

cybersecurity of personal health information

COVID business shifts change but don’t stop robust HITRUST evaluations

Webinar

HITRUST panel: lessons learned from a year of remote HITRUST validations

Case Study

NCDIT simultaneously undergoes HITRUST and NIST 800-53 readiness

Article

HITRUST CSF™ Version 9: updates and impacts for certification

As an approved HITRUST Authorized External Assessor, we work with organizations across industries to improve data security and regulatory compliance so you can remain focused on mission-critical objectives.

What is HITRUST?

HITRUST, was founded in 2007 as a non-profit organization to help organizations address and manage their information security risks. As a leading comprehensive framework, HITRUST offers a range of services and assessment types to help organizations manage their information security risks and compliance requirements. HITRUST continues to collaborate with stakeholders and government agencies to promote the adoption of multiple industry-recognized security and privacy controls and requirements, including Health Insurance Portability and Accountability Act (HIPAA), National Institute of Standards and Technology (NIST), and International Organization for Standardization (ISO), into a single framework, making it easier for organizations to demonstrate their compliance with multiple regulations and standards simultaneously.

HITRUST assessments are conducted by independent third-party assessors and involve a thorough review of the organization's policies, procedures, and technical controls, as well as an evaluation of its risk management practices. The assessments are available in different levels of rigor and depth, including the streamlined validated assessments (e1 and i1) and the comprehensive assessment (r2).

Connect with our HITRUST team

	HITRUST Essentials, 1-year (e1) Assessment Essentials	HITRUST Implemented 1-year (i1) Assessment Leading Practices	HITRUST Risk-based 2-year (r2) Assessment Expanded Practices
Description	Validated Assessment + Certification	Validated Assessment + Certification	Validated Assessment + Certification
Purpose (use case)	Entry-level assurance focused on essential cybersecurity hygiene controls	Moderate level of assurance focused on cybersecurity leading practices and a broader range of threats than the e1 assessment	High level of assurance focuses on a comprehensive risk-based specification of controls
Certifiable Assessment	Yes, 1 year	Yes, 1 year + Rapid Recertification in year 2	Yes, 2 years + Interim Assessment
Number of HITRUST CSF requirements on a 2-year basis and maturity levels considered	44 (year 1), 44 (year 2) implemented	182 (year 1), ~60 (year 2 with Rapid Recertification) implemented	~375 avg. (year 1), ~20 (year 2 interim assessment) policy, procedure and implemented
Policy and procedure consideration	Minimal	Minimal	Thorough
Level of security assessment	Low	Moderate	High
Level of assurance	Low	Moderate	High
Evaluation approach	1x5: Implementation control maturity level	1x5: Implementation control maturity level	3x5 or 5x5: Control maturity assessment against either 4 or 5 maturity levels
Provides Targeted Coverage for one or more authoritative sources (i.e., Factors)	No	No	Yes, if selected
Alignment with authoritative sources	CISA cyber essentials, Health Industry Cybersecurity Practices (HICP) for small healthcare organizations, NIST 171’s basic requirements, NIST IR 7621	NIST SP 800-171 (basic and derived requirements), HIPAA security rule and HICP for medium-sized organizations	NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, PCI DSS, GDPR and dozens of others

HITRUST CSF® Assessment Services

HITRUST CSF® Assessment Services

Maximize the security, integrity and availability of your information assets with help from Baker Tilly’s HITRUST® team.

What is HITRUST?

Types of HITRUST Assessments

HITRUST FAQ

Our approach

Five benefits of HITRUST

Robust approach to information security

Improved cybersecurity posture

Streamlined approach to compliance

Cost-effective tiered assessments

Increased trust and confidence

NCDIT simultaneously undergoes HITRUST and NIST 800-53 readiness

Baker Tilly HITRUST leadership

Our industries