HITRUST Assessment Types – Which One Is Right For Your Organization?
What is HITRUST?
HITRUST is an organization that develops and maintains the Common Security Framework (CSF). The HITRUST CSF is a certifiable framework, which incorporates various regulatory requirements and industry standards, designed to address security and privacy needs of organizations focused on the healthcare industry. The choice between HITRUST Certification and other frameworks such as PCI DSS Assessment depends on the industry, the types of data being handled, and the regulatory or contractual requirements. For example, organizations in the healthcare sector typically pursue HITRUST certification, while those in the payment card industry focus on PCI DSS to protect cardholder data and meet the card brand requirements. Some organizations may need multiple compliance assessments; for example, both HITRUST and PCI DSS requirements may become relevant if they operate in healthcare and payment industry sectors or have diverse data protection obligations.
HITRUST CSF Assessment Types
The three (3) certifiable (i.e., audited by a credentialed third-party auditor) assessment types provide organizations flexible options for managing risk and reaching a targeted assurance level in progressive steps. Below are a few details regarding each of the assessment types.
Essentials e1 (1 year lifecycle) – Foundational Cybersecurity: The HITRUST Essentials (e1) assessment was introduced at the beginning of 2023. It provides focus and assurance regarding the most critical cybersecurity controls. It demonstrates an organization has the essential cybersecurity hygiene in place. It can be an effective assessment for smaller organizations that are beginning or developing their control environment and looking to define and implement essential, entry-level, cybersecurity practices, controls and processes to establish a baseline security and privacy framework for their organization. It is also a good assessment consideration for organizations that have lower-risk environments. This assessment type contains 44 CSF requirements that need to be independently tested to maintain certification annually. Implemented i1 (2 year lifecycle) – Leading Practices: As an organization desires to increase the assurance they provide over their organizational security and privacy framework, the HITRUST Implemented (i1) assessment provides a moderate level of assurance that addresses cybersecurity leading practices and a broader range of active threats than an e1 assessment. Whether your organizational purpose is to mature your security program or because the growth and increased complexity of your organization requires you to implement a more robust program, the i1 Assessment may be the right assessment for you. This assessment type contains 182 CSF requirements that need to be tested to be certified in Year 1. In Year 2, there is a rapid re-certification, which allows the assessed organization to evaluate a sample (approximately 60) of requirement statements tested in the original i1 assessment in the prior year. This reduces the amount of testing required in Year 2. In Year 3, the organization would need to be assessed against the full 182 requirement statements. Risk-based r2 (2 year lifecycle) – Expanded Practices: The r2 Assessment provides the highest level of assurance of the assessment types, focusing on a comprehensive risk-based specification of controls. It has an expanded approach to risk management and compliance evaluation. The comprehensiveness of control requirements, the depth of the controls review, and consistency of organizational oversight makes it a strong consideration for organizations with high-risk exposure. There are an average of 375 requirement statements for this assessment in Year 1 and an average of 40 requirement statements in Year 2 (Interim assessment). These numbers can vary, depending on the risk profile of your organization when certifying against the framework. A detailed questionnaire about your organization will determine the specific number of requirement statements in scope.
HITRUST Assessments – Does One Size Fit All?
Any of the three assessments may be the right approach for an organization, depending on a number of factors, including nature of risks, complexity of the environment, size of the organization, key stakeholders, among others. While each of these assessments may be appropriate for an organization, and organization could also view the three assessments as stepping stones for security program maturation over time. Beginning with a readiness assessment (not certifiable), then moving to an e1 certification, onto an i1 certification, and finally to an r2 certification, can be an appropriate program maturation path.
We look forward to talking with you about the right pathway to your HITRUST certification and a more robust, certifiable security program!
Peter Clarke (Executive Director , AARC-360)
Neil Gonsalves (Founder and CEO, AARC-360)
Bernie Wedge (Advisory Board Member, AARC-360)