Introduction to the HITRUST CSF Assessment

Written by: Amanoritsewo Emiko

What is HITRUST and the HITRUST CSF Framework?

The Health Information Trust Alliance (HITRUST) is a nonprofit organization that provides a certifiable information security framework for protecting implemented systems that store, process, or transmit sensitive data. The HITRUST Common Security Framework (CSF) is the cybersecurity framework provided by HITRUST; it includes 14 security controls, 149 control specifications, and 45 control objectives. Additionally, it provides organizations with a means of complying with a number of regulations.

HITRUST CSF is based on ISO 27001 and was originally developed for the healthcare industry. However, it has since become industry agnostic and focuses on providing a higher level of assurance for organizations looking for a more stringent security framework.

What are the Different Types of HITRUST Assessments?

HITRUST offers three different types of assessments through which a HITRUST certification can be achieved: the e1, the i1, and the r2. The i1 assessment delivers assurance for information sharing in environments with lower risk thresholds. It comprises security controls that help address current and emerging cybersecurity risks. When a company decides to get a validated i1 assessment, it will deal with fewer controls than in the r2 assessment. Organizations getting an i1 assessment are required to meet just one of the HITRUST maturity levels – the implemented level. Organizations will need to provide evidence proving they have implemented all elements of the HITRUST control requirement statements. These controls must have been implemented for at least 90 days in order to count towards a certification.

The i1 and r2 assessments help enterprises understand their cybersecurity effectiveness and resilience. A primary difference between the i1 and r2 is that the i1 certification covers one year, while the r2 covers two years with an interim assessment performed in between. Additionally, while the i1 evaluation occurs only at the implemented level, the r2 requires assessment against all maturity levels (policy, procedure, implemented, measured, managed). Although the i1 provides a lower barrier to entry, the r2 grants a higher level of assurance and demonstrates a more mature security control environment to clients.

Here is a breakdown of the five HITRUST maturity levels and their focus on organizational evaluation criteria vital for certification:

  1. The policy level determines the extent to which an organization has maintained policies relevant to the HITRUST CSF controls. An organization's security policies should address every in-scope requirement statement element.
  2. The procedure level assesses the specific step-by-step processes for meeting the documented policies.
  3. The implemented level requires an organization to carry out the stipulated security procedures.
  4. The measured level assesses the metrics collected for all controls.
  5. Lastly, the managed level focuses on ongoing management of the controls based on identified irregularities and risks.

An organization that fulfills these requirements and successfully applies the framework becomes HITRUST CSF certified.

Some of the Challenges Organizations Experience With HITRUST

Through our experience, we have noted the following pitfalls and challenges our clients have faced while going through a HITRUST assessment:

  • Not understanding the requirement statements: a control requirement statement can be misinterpreted because of vague wording.
  • Not fulfilling all elements of the control requirement: control requirements are made up of multiple elements that must all be captured in policy and procedure, and implemented, to receive a 100% score for each maturity level of the control requirement statement. This is easy to overlook because, specifically in v9.x, all elements are listed only in the illustrative procedures of the control requirement.
  • HITRUST terminology definitions are sometimes different: some general terms used throughout the control requirements may be defined differently on the open internet, which is why it is important to rely only on the HITRUST-provided glossary and to confirm with HITRUST support when questions arise.
  • Not applicable and zero-population requirements: there is often confusion when determining whether a control is not applicable or whether the control simply did not operate during the sampling period. In either case, a complete and accurate description of why the control is not applicable, or a written attestation explaining why the control did not operate, is sufficient.
  • Inheritance from third parties and service providers: if a third-party service provider that holds a HITRUST certification is being used, the controls it is responsible for in your environment can be inherited as part of your assessment. The percentage of a control that may be inherited differs between controls and environments, so always refer to the Shared Responsibility Matrix to confirm.
  • Use of SOC 2 reports: inheritance from a third party's SOC 2 assessment is permitted at the implemented maturity level only. However, which controls can accept a SOC 2 report must be reviewed and confirmed against HITRUST's requirements.

The New Essentials, 1-year (e1) Assessment

In January 2023, HITRUST released the Essentials (e1) Assessment. This assessment is designed to help low-risk organizations gauge their general cybersecurity posture against new and emerging threats. The e1's curated 44 requirements involve less effort to complete than the more rigorous HITRUST i1 and r2 assessments. The certification is valid for one year and is renewed annually.

For some organizations, the e1 assessment can serve as a baseline showing that they have implemented foundational cybersecurity practices. The e1 can also be used as a milestone to show progress towards the HITRUST i1 and r2 assessments, and as a way to evaluate or onboard business partners as part of third-party risk management.

An advantage of the e1 assessment is that it provides an appropriate level of assurance with which to begin your HITRUST certification process. An organization can build from the e1 assessment, become accustomed to the framework, and save time and resources on later assessments.

Keys to Success

If your organization is looking to get HITRUST certified, you should consider these key points to make sure the process moves smoothly:

  • Senior management buy-in, which is vital to ensuring the required departments and personnel are made available for interviews and to provide the evidence required for testing.
  • A dedicated project manager who has knowledge of HITRUST or has completed the HITRUST training and become a CCSFP.
  • A clear understanding of the in-scope environment. HITRUST requires a certification to be scoped around an implemented system, so intimate knowledge of the components and boundaries of that environment avoids issues in the later stages of the assessment.
  • A trusted HITRUST Certified External Assessor to guide your organization through the HITRUST process.

What are the Different Stages of the HITRUST Framework?

An organization looking to get HITRUST certified should start with a Readiness Assessment, in which it becomes familiar with the controls required for certification and identifies any major control gaps. Purchasing a subscription to HITRUST's MyCSF tool gives organizations access to all of the HITRUST requirement statements for the different assessment types. Organizations should take a first pass at scoring and assessing themselves, which should then be validated by an External Assessor firm. The External Assessor provides recommendations and guidance, including specific remediation instructions and feedback, to close any identified gaps. Once remediation is complete, controls have been implemented for 90 days, and policies and procedures have been in place for 60 days, a Validated Assessment can be performed by your External Assessor. The Validated Assessment is then submitted to HITRUST for Quality Assurance, after which HITRUST issues the final report deliverable.

Benefits of HITRUST Certification

Achieving HITRUST certification is a rigorous process, but it shows that an organization has adhered to established industry security standards and regulations. These high standards provide assurance to clients and prospects about the overall maturity of an organization's information security controls.

HITRUST isn’t easy! However, choosing a quality partner to lead you through it can make the process easier. If you have any questions regarding HITRUST or HITRUST CSF frameworks, our team at Wolf is here to help.