Overview
HITRUST is enhancing e1 or i1 assessments to provide a “combined assessment” option, in which the HITRUST CSF requirements mapping to included authoritative sources (e.g. HIPAA) are included alongside their assessment of the “core” e1 (44) or i1 (182) HITRUST requirement statements.
When an assessed entity opts to combine their e1 or i1 validated assessment with the HITRUST CSF requirements mapping to one or more authoritative sources, the assessed entity will receive Insights Reports for each added authoritative source in addition to their e1 or i1 HITRUST CSF Report. Insights Reports provide easy-to-understand and reliable reporting focused on the authoritative sources included in the e1 or i1 assessment. These reports may be shared with internal and external stakeholders of the assessed entity to illustrate the organization’s control maturity against HITRUST CSF requirements mapping to the added authoritative sources in a clear and concise format.
Insights Reports allow assessed entities to:
- More easily understand and communicate to external and internal stakeholders insights into the organization’s conformity with HITRUST CSF requirements mapping to a specific standard or regulation (such as HIPAA).
- Communicate these insights to customers and prospective customers, which can speed their adoption of solutions and services and accelerate time-to-value.
- Increase the usefulness of e1 or i1 assessments at a modest additional investment.
- Add value to the MyCSF subscription with added capabilities that support the HITRUST Assess Once, Report Many™ approach. A single assessment may produce multiple Insights Reports.
- Identify information security and compliance controls that are met by cloud service providers (CSPs) and other external partners to facilitate leveraging shared responsibility and inheritance efficiencies.
A sample HIPAA Insights Report may be found here.
Details
The following sections outline the changes that enable combined e1 and i1 assessments.
Factors Page
The Factors page within e1 and i1 validated assessments will include all compliance factors that are eligible for insights reporting. At this time, only the following compliance factors are eligible:
- HIPAA (Health Insurance Portability and Accountability Act), including the security, privacy, and breach notification rules
- NIST AI Risk Management Framework v1.0 and ISO/IEC 23894:2023, in a combined “AI Risk Management” compliance factor
HITRUST will continue to make additional authoritative sources available for insights reporting. Additional sources being actively considered by HITRUST currently include StateRAMP's moderate impact overlay of NIST 800-53 r5, GDPR (The General Data Protection Regulation), and HICP (Health Industry Cybersecurity Practices). Assessed entities and external assessors are encouraged to let HITRUST know which additional authoritative sources we should consider through this UserVoice forum.
When compliance factors are added to e1 and i1 assessments, MyCSF may ask follow-up questions. For example, when the HIPAA security rule is included, MyCSF will ask the assessed entity’s US healthcare entity type (e.g., business associate) in the context of the assessment’s scope.
For e1 or i1 combined validated assessments, each included compliance factor will require the assessed entity to purchase an Insights Report credit. For more information regarding Insights Report credits, please contact your Customer Success Manager or sales@hitrustalliance.net.
Pre-QA Assessment Results Review
A new phase, Pre-QA Assessment Results Review, has been added to the e1 or i1 validated assessment workflow for the purpose of displaying the preliminary assessment results before the assessment is submitted to HITRUST. The Pre-QA Assessment Results Review phase occurs after the Performing Validation phase and is present in all e1 and i1 assessments, regardless of whether a combined assessment is being performed (according to the implementation timeline below). For the full assessment workflow and a detailed description of each phase, see the e1 or i1 Assessment Workflow.
The preliminary assessment results displayed during this phase have not been confirmed by HITRUST and are subject to change based on the results of the QA review for validated assessments.
The a newly added Pre-QA Assessment Results Review page in MyCSF includes:
- For e1 or i1 core requirement statements:
- HITRUST e1 or i1 certification determination
- Individual domain scores
- In combined e1 and i1 assessments, for each added compliance factor:
- The results (no observations noted, observations noted, or not applicable) for each authoritative source element.
- For each authoritative source element with observations noted, a list of requirement statement that will appear as a control observation in the Insights Report.
The assessed entity and external assessor must both approve (“thumbs up”) the Pre-QA Assessments Results Review page in MyCSF, otherwise the assessment will return to the Performing Validation phase.
e1 and i1 Certification Determination
The e1 and i1 certification criteria have not changed. When a combined assessment is performed, the HITRUST CSF requirement statements added to the assessment due to an included compliance factor will not impact whether an organization meets the criteria for an e1 or i1 HITRUST CSF certification.
When calculating the average score for each assessment domain, only the scores for the core e1 or i1 requirement statements are included in the calculation. The average score of the core e1 or i1 requirement statements in each domain must be greater than or equal to 83 for certification to be achieved. For an example calculation, see the e1 or i1 Combined Assessment FAQs.
CAPs and Gaps
When a combined e1 or i1 assessment is performed:
- Only core e1 or i1 requirement statements may require CAPs (see Figure 4, Step 2).
- Only core e1 or i1 requirements are considered when the average control reference score is calculated (see Figure 4, Step 3).
HITRUST QA
When a combined e1 or i1 assessment is performed, the HITRUST QA review of the assessment will include a sample of requirement statements from each included compliance factor in addition to the sample of core e1 or i1 requirement statements reviewed.
Reporting
e1 or i1 HITRUST CSF Reports
When a combined assessment is performed, the e1 or i1 HITRUST CSF Reports will still contain only the core e1 or i1 requirement statements and will not report on any requirement statements added due to the inclusion of a compliance factor.
Insights Reports
In a combined assessment, after the e1 or i1 HITRUST CSF Report has been finalized, a separate Insights Report will be issued for each compliance factor included in the assessment. Each Insights Report will contain only the requirement statements that are mapped to the corresponding authoritative source.
Reviewing and Revising Drafts
The e1 or i1 validated assessment workflow has been expanded to include several new phases (highlighted in Figure 5 below). These phases allow for MyCSF tasks to be opened in order to address revision requests for the HITRUST CSF Reports and/or Insights Reports. For a detailed description of each phase, see the e1 or i1 Assessment Workflow. Note that the phases pertaining to additional reports are only utilized when a combined assessment has been performed.
i1 or e1 Rapid Assessments
In the first half of 2025, the i1 rapid assessment will be updated to support i1 combined assessments. Additionally, the rapid sampling functionality will become available for e1 validated combined assessments that contain compliance factors and include more than 60 requirement statements to the assessment.
The e1 or i1 rapid assessments result in the same i1 or e1 assessment reports (HITRUST CSF Reports and Insights Reports) and i1 or e1 certification as a full i1 or e1 validated assessment.
i1 Rapid Assessment Overview
After completing an i1 combined validated assessment in year 1, the assessed entity may be eligible to complete an i1 rapid assessment in year 2. The i1 rapid assessment will allow the rapid sampling approach, described below, to be applied independently to the core i1 requirement statements and any compliance factor that includes more than 60 requirement statements. If any compliance factors included in the combined assessment include 60 or fewer requirement statements, those requirement statements must all be assessed in the i1 rapid assessment.
e1 Rapid Assessment Overview
After completing an e1 combined validated assessment in year 1, if the combined assessment included a compliance factor that adds more than 60 requirement statements to the assessment, the assessed entity may be eligible to complete an e1 rapid assessment in year 2. The e1 rapid assessment will allow the rapid sampling approach, described below, to be applied independently to any compliance factor that includes more than 60 requirement statements. The core e1 requirement statements and any compliance factors that include 60 or fewer requirement statements must all be assessed in the e1 rapid assessment.
i1 and e1 Rapid Assessment Eligibility
Eligibility to apply the rapid sampling approach in year 2 will be determined individually for each set of requirement statements included in the assessment (where a “set” is the set of e1 core, i1 core, and each set of requirement statements added by a single compliance factor).
Eligibility for each set of requirement statements is determined as depicted in Figure 6 and described below:
Core Requirements
- e1 Core requirement statements: Never eligible for the rapid sampling approach due to the number of requirement statements in the set being 60 or fewer.
- i1 Core requirement statements: May be eligible for the rapid sampling approach based on the assessed entity’s ability to meet the eligibility criteria stated below.
Authoritative Source Requirements
- Compliance factors that include 60 or fewer requirement statements: Never eligible for the rapid sampling approach due to the number of requirements in the set being 60 or fewer.
- Compliance factors that include more than 60 requirement statements: May be eligible for the rapid sampling approach based on the assessed entity’s ability to meet the eligibility criteria stated below.
Eligibility Criteria
General Eligibility Criteria – The assessed entity must meet all of the following criteria to utilize the rapid sampling approach:
- Hold a full MyCSF Subscription. Assessed entities who used the Lite Bundle must upgrade to at least a Professional subscription.
- Have an active e1 or i1 certification resulting from the performance of a full e1 or i1 validated assessment using CSF v11 or later.
- Have an available object in MyCSF.
- Assess the same scope assessed as the prior e1 or i1 assessment.
Eligibility Criteria for Each Set of Requirement Statements – If all of the General Eligibility Criteria are met, then for each set of requirement statements potentially eligible for rapid sampling approach, the following criteria will determine if that particular set of requirement statements may be sampled.
- The set contains more than 60 requirement statements.
- The control environment assessed by this particular set of requirement statements has not materially degraded since the previous e1 or i1 assessment was performed.
- No significant changes have occurred since the previous e1 or i1 certification date in the assessed entity’s business or security policies, processes, controls, hosting locations, or technologies over this particular set of requirement statements.
When assessed entities are not eligible to apply the rapid sampling approach to any set of requirement statements, a full i1 or e1 assessment must be completed to obtain an i1 or e1 certification. When an assessed entity is eligible to apply the rapid sampling approach to at least one set of requirement statements and ineligible to apply the rapid sampling approach to others, an i1 or e1 rapid assessment may be performed. Within the rapid assessment, the eligible sets of requirement statements will be sampled, while the ineligible sets will be assessed in full.
Rapid Sampling Approach
For each set of requirement statements that is determined to be eligible for the rapid sampling approach to be applied, the approach below will be followed.
The below requirement statements must be assessed:
1. New: If the e1 or i1 rapid assessment is created using a newer CSF version than that which was utilized for the assessed entity’s previous e1 or i1 assessment, there may be additional requirement statements included in this set of requirement statements due to the HITRUST threat analysis and other updates to the CSF.2. Rapid Sample:
- Authoritative Sources: A sample of 60 requirement statements from the authoritative source that were scored in the parent e1 or i1.
- Core: A sample of 60 core i1 requirement statements that were scored in the parent i1 assessment. This sample is inclusive of all requirement statements that required a CAP in the previous i1 assessment. Note that the rapid sampling approach is never applied to the core e1 requirement statements. The core e1 requirement statements are always assessed in full.
3. N/As:
All requirement statements from this set that were marked as N/A during the previous e1 or i1 assessment.
All other requirement statements in the set are not required to be assessed. By default, these requirement statements appear within the assessment in a read-only state and include the scores that were entered in the previous e1 or i1 assessment. If the assessed entity would like to show improvement on a requirement statement that is not already required to be assessed in the e1 or i1 rapid assessment, the assessed entity may optionally include any of these requirement statements by toggling the requirement statement from read-only to an editable state.
Adding or Removing Authoritative Sources during a Rapid Assessment
While performing the e1 or i1 rapid assessment, the assessed entity does have the ability to include additional compliance factors that were not included in the parent e1 or i1 assessment. If an additional compliance factor is included in the e1 or i1 rapid assessment, all requirement statements added due to that compliance factor will be included in the New category described above and must be assessed in full.
Additionally, the assessed entity may choose to not include an authoritative source that was assessed in the previous e1 or i1 assessment. The compliance factor for the authoritative source may be un-selected on the Factors page in MyCSF to remove the associated requirement statements from the assessment.
Control Degradation
During the performance of the e1 or i1 rapid assessment and also during HITRUST QA review, MyCSF monitors the scoring of the sampled requirement statements in the rapid assessment and compares them to the parent e1 or i1 assessment to determine whether any scores have been lowered. The control degradation detection process illustrated in the flowchart (Figure 7) and described below is applied independently to each set of sampled requirement statements.
- For each sample of 60 requirement statements, if scores are lowered for two or fewer requirement statements, the sample is accepted and no further testing of requirement statements in that set is required.
- If MyCSF detects either three or four requirement statements in a single sample of 60 requirement statements with lower scores in the rapid assessment, the assessed entity and external assessor have the option to expand the sample of requirement statements to assess an additional sample of 60 requirement statements from the set or assess the set of requirement statements in full if there are fewer than 60 additional requirement statements in the set to assess.
- Case I – three lowered scores: If the assessed entity opts to expand the sample by an additional 60 requirement statements, MyCSF will allow two or fewer requirement statements with lower scores in the additional sample. If MyCSF detects three or more requirement statements with lower scores in the additional sample, that set of requirements must be assessed in full.
- Case II – four lowered scores: If the assessed entity opts to expand the sample by an additional 60 requirement statements, MyCSF will allow one or fewer requirement statements with lower scores in the additional sample. If MyCSF detects two or more requirement statements with lower scores in the additional sample, that set of requirements must be assessed in full.
- If MyCSF detects five or more requirement statements with lower scores in a single sample of 60 requirement statements, that set of requirement statements must be assessed in full.
Upon acceptance of the assessment, HITRUST will perform a Quality Assurance review of the submitted assessment. The QA review includes HITRUST review of a random selection of requirement statements from each set of requirement statements (where a “set” is the set of e1 core, i1 core, and each set of requirement statements added by a single compliance factor).
If scores are lowered during the QA review process, HITRUST will consider whether the scores have been lowered due to an issue with the operation of the control or due to an error in testing approach or documentation. Scores lowered due to an error in testing approach or documentation are not considered to be control degradation. Only scores lowered due to an issue with the operation of the control will count toward the threshold for control degradation.
If scores are lowered due to an issue with control operation, there is a possibility that the threshold for number of scores lowered to indicate material degradation is met during the QA review process. If this occurs, the assessed entity and external assessor must expand the sample of requirement statements evaluated in the e1 or i1 rapid assessment or complete a full e1 or i1 assessment according to the previous guidelines.
e1 or i1 Readiness Assessments
The Factors page within e1 or i1 readiness assessments will include the same compliance factors eligible for inclusion within e1 or i1 validated assessments. Insights Reports are not issued for readiness assessments and therefore Insights Report credits are not required to perform an e1 or i1 combined readiness assessment.
Although Insights Reports are not issued for readiness assessment, the new Assessment Results Review phase has been added to the readiness assessment workflow. This phase occurs after the Answering Assessment phase and is present regardless of whether a combined assessment is being performed. For the full readiness assessment workflow and a detailed description of each phase, see the e1 or i1 Assessment Workflow.
The Assessments Results Review page includes:
- An indication of whether e1 or i1 certification would be achieved if a validated assessment is completed with the same scoring (see Figure 2 above).
- A listing of Gaps that would appear in a validated HITRUST CSF Report.
- The results (no observations noted, observations noted, or not applicable) for each authoritative source element.
- A listing of any requirement statements that would appear as a control observation within the Insights Report if a validated assessment were performed (see Figure 3 above).
Implementation Timeline
As of August 27, 2024:
- All newly created e1 or i1 readiness and validated assessments will include the enhancements described above to support the inclusion of select compliance factors and creation of Insights Reports.
- Any existing e1 or i1 assessment in a phase prior to Inputting CAPs and Signing Rep Letter has been updated to include the Pre-QA Assessment Results Review Phase and new reporting phases shown in Figures 1 and 5 above.
- Any existing e1 or i1 assessments in a phase between Inputting CAPs, and Reviewing Draft Deliverables has been updated to include the new reporting phases shown in Figure 5 above.
Additional Resources
For any additional questions, please contact our support team or a HITRUST Customer Success Manager. Later this year HITRUST will announce an update to the HITRUST Assessment Handbook to address the new e1 or i1 combined assessments.