HITRUST CSF Assessment Services
Maximize the security, integrity and availability of your information assets with help from Baker Tilly’s HITRUST team.
As an approved HITRUST CSF Assessor, we work with organizations across industries to improve data security and regulatory compliance so you can remain focused on mission-critical objectives.
What is HITRUST?
HITRUST, was founded in 2007 as a non-profit organization with the mission to provide a common security framework (CSF) to help organizations address and manage their information security risks. HITRUST is a leading comprehensive framework, offering a range of services and assessment types to help organizations manage their information security risks and compliance requirements. HITRUST continues to collaborate with stakeholders and government agencies to promote the adoption of multiple industry-recognized security and privacy controls and requirements, including HIPAA, NIST, and ISO, into a single framework, making it easier for organizations to demonstrate their compliance with multiple regulations and standards simultaneously.
HITRUST assessments are conducted by independent third-party assessors and involve a thorough review of the organization's policies, procedures, and technical controls, as well as an evaluation of its risk management practices. The assessments are available in different levels of rigor and depth, including the streamlined validated assessments (e1 and i1) and the comprehensive assessment (r2).
Types of HITRUST Assessments
HITRUST Essentials, 1-year (e1) Assessment Essentials | HITRUST Implemented 1-year (i1) Assessment Leading Practices | HITRUST Risk-based 2-year (r2) Assessment Expanded Practices | |
Description | Validated Assessment + Certification | Validated Assessment + Certification | Validated Assessment + Certification |
Purpose (use case) | Entry-level assurance focused on essential cybersecurity hygiene controls | Moderate level of assurance focused on cybersecurity leading practices and a broader range of threats than the e1 assessment | High level of assurance focuses on a comprehensive risk-based specification of controls |
Certifiable Assessment | Yes, 1 year | Yes, 1 year + Rapid Recertification in year 2 | Yes, 2 years + Interim Assessment |
Number of HITRUST CSF requirements on a 2-year basis and maturity levels considered | 44 (year 1), 44 (year 2) implemented | 182 (year 1), ~60 (year 2 with Rapid Recertification) implemented
|
~375 avg. (year 1), ~20 (year 2 interim assessment) policy, procedure and implemented |
Policy and procedure consideration | Minimal | Minimal | Thorough |
Level of security assessment | Low | Moderate | High |
Level of assurance | Low | Moderate | High |
Evaluation approach | 1x5: Implementation control maturity level | 1x5: Implementation control maturity level | 3x5 or 5x5: Control maturity assessment against either 4 or 5 maturity levels |
Provides Targeted Coverage for one or more authoritative sources (i.e., Factors) | No | No | Yes, if selected |
Alignment with authoritative sources | CISA cyber essentials, Health Industry Cybersecurity Practices (HICP) for small healthcare organizations, NIST 171’s basic requirements, NIST IR 7621 | NIST SP 800-171 (basic and derived requirements), HIPAA security rule and HICP for medium-sized organizations | NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, PCI DSS, GDPR and dozens of others |
HITRUST e1 is an assessment option under the HITRUST Assurance Program, which is designed to evaluate the information security controls of service providers that handle sensitive information. The e1 assessment enables service providers to evaluate their compliance with the HITRUST CSF controls and requirements and report their results to their customers and stakeholders.
The e1 assessment is intended for small service providers or those with limited exposure to sensitive healthcare information. It includes a subset of the HITRUST CSF controls and requirements, focusing on the most critical security and privacy requirements. The e1 assessment is a cost-effective way for service providers to demonstrate their commitment to protecting sensitive healthcare information and provide assurance to their customers.
The e1 assessment includes a set of questions that cover the following areas:
- Organization and policies: This area focuses on the service provider's organizational structure, policies and procedures related to information security.
- Physical security: This area covers the service provider's physical security controls, such as access controls, security monitoring and environmental controls.
- Technical security: This area covers the service provider's technical security controls, such as access controls, encryption, network security and vulnerability management.
- Incident management and response: This area covers the service provider's incident management and response processes, including incident detection, response and reporting.
- Business continuity and disaster recovery: This area covers the service provider's business continuity and disaster recovery processes, including backup and recovery procedures and testing.
Overall, the e1 assessment provides a streamlined and cost-effective way for small service providers or those with limited exposure to sensitive healthcare information to demonstrate their compliance with the HITRUST CSF controls and requirements.
HITRUST i1 is an assessment option under the HITRUST Assurance Program, which is designed to evaluate the information security controls of service providers that handle sensitive healthcare information. The i1 assessment is a streamlined, low-cost assessment that enables service providers to evaluate their compliance with the HITRUST CSF controls and requirements and report their results to their customers and stakeholders.
The i1 assessment is intended for service providers with limited exposure to sensitive healthcare information or those that provide non-core services to the healthcare industry. It includes a subset of the HITRUST CSF controls and requirements, focusing on the most critical security and privacy requirements. The i1 assessment is a cost-effective way for service providers to demonstrate their commitment to protecting sensitive healthcare information and provide assurance to their customers.
The i1 assessment includes a set of questions that cover the following areas:
- Organization and policies: This area focuses on the service provider's organizational structure, policies and procedures related to information security.
- Physical security: This area covers the service provider's physical security controls, such as access controls, security monitoring and environmental controls.
- Technical security: This area covers the service provider's technical security controls, such as access controls, encryption, network security and vulnerability management.
Overall, the i1 assessment provides a streamlined and cost-effective way for service providers with limited exposure to sensitive healthcare information or those that provide non-core services to demonstrate their compliance with the HITRUST CSF controls and requirements.
HITRUST r2 is an assessment option under the HITRUST Assurance Program, which is designed to evaluate the information security controls of service providers that handle sensitive healthcare information. The r2 assessment is a rigorous, comprehensive and independent assessment that evaluates an organization's compliance with the HITRUST CSF controls and requirements.
The r2 assessment is intended for service providers that handle large volumes of sensitive healthcare information and are required to demonstrate a high level of information security and privacy controls. The assessment involves a thorough review of the organization's information security policies, procedures, and technical controls, as well as an evaluation of its risk management practices.
The r2 assessment covers all of the HITRUST CSF controls and requirements, including the privacy and regulatory requirements, and is conducted by a qualified and independent HITRUST assessor. The assessment includes an onsite audit, interviews with key personnel, and testing of the organization's technical controls and processes.
The r2 assessment provides a comprehensive evaluation of an organization's information security controls and practices, and enables the organization to demonstrate its compliance with the HITRUST CSF controls and requirements to its customers and stakeholders. The assessment also helps organizations identify areas for improvement and prioritize their information security investments to better protect sensitive healthcare information.
HITRUST FAQ
Our approach
Five benefits of HITRUST
Working with Baker Tilly on our HITRUST and NIST 800-53 readiness was an exceptional experience. Their efficiency and expertise conducting the assessments simultaneously was very valuable to us. The team’s professionalism and customer service really stood out.Landon Perry, CIA, CFE, CGFM – Director of Internal Audit, North Carolina Department of Information Technology