HITRUST Innovation Leads to Next Generation i1 Assessment that is Threat-adaptive and Maintains Cyber Relevance

By Jeremy Huval, Chief Innovation Officer, HITRUST

Sadly, it has become cliché to refer to an ever-evolving cybersecurity threat landscape. Amorphous cyber threats plague every industry every day. There seems to be no stopping or slowing the onslaught, so what do we do?

At HITRUST, we’re helping organizations beat back persistent and unrelenting cyber threats through a new type of cybersecurity assessment that’s both threat-adaptive and cyber resilient. Building off the revered HITRUST CSF, we looked at how our portfolio might evolve to stay up to date on emerging risks while maintaining relevance over time. Our answer – the HITRUST Implemented, 1-year (i1) Validated Assessment.

Here’s how it works: The HITRUST i1 Validated Assessment leverages threat intelligence and integrates best practices to maintain applicability regarding information security risks and cyber threats such as ransomware. At present, the i1 Validated Assessment is in a class by itself due to its adaptability; it progressively evolves to retire controls no longer deemed applicable while also staying current with the threats of the day.

Other assessment approaches aren’t adaptive by design and can’t keep pace with current and emerging threats. The HITRUST i1 Validated Assessment, on the other hand, is focused and deliberate in its control selection. It includes controls selected to address cyber threats active now, as determined by analyzing the newest cyber threat intelligence data. Where necessary, technically focused HITRUST CSF requirements included in the i1 Validated Assessment are also updated. And due to its use of the HITRUST CSF, the HITRUST i1 Validated Assessment unsurprisingly provides coverage for numerous standards, such as NIST 800-171, GLBA Safeguards Rule, HIPAA Security Rule, and Health Industry Cybersecurity Practices (HICP).

Notable features

• Maintains relevant control requirements to mitigate existing and emerging threats and provide updates as new threats are identified.
• Designed to sunset controls that have lost relevance and have limited assurance value based on effort required to comply or assess.
• Higher reliability than other moderate assurances based on its unique control selection and assurance program design.
• Lower level of time and effort to complete relative to the HITRUST Risk-based, 2-year (r2) Validated Assessment.
• Can result in a 1-year certification.

Historically, HITRUST has offered just one information certification (the HITRUST CSF Validated Certification) achievable by demonstrating sufficiently strong control maturity through validated assessment performance. A rigorous undertaking by design, HITRUST certification offers gold-standard assurance levels due to comprehensive control and assurance program requirements. Because not every organization or vendor partner relationship needs the highest level of information protection assurance, the HITRUST Implemented, 1-year (i1) Certification will answer demand for a moderate-level assurance. In addition to its threat adaptiveness and cyber resilience, the HITRUST i1 is less effort and costs less than the traditional HITRUST Validated Assessment while still living up to the gold standard quality for which HITRUST certification is known.

And, as an important addition to the HITRUST portfolio, the HITRUST i1 Validated Assessment benefits from numerous HITRUST innovations, including:

• Assurance Intelligence Engine™ (AIE)– The AIE uses a patent-pending approach to analyze assessment documentation for oversights, inconsistencies, and errors. The Assurance Intelligence Engine adds efficiency to HITRUST’s comprehensive assessment review process by adding a layer of automated checks that complement existing, manual reviews to identify potential issues in assessment reports that might otherwise jeopardize the integrity, accuracy, or consistency of information.
• Results Distribution System (RDS)– The new HITRUST Results Distribution System (RDS) addresses the highly inefficient process of obtaining, interpreting, and analyzing assessment results from third-party vendors. The RDS Portal allows assessed entities to designate which parties they want to share their assessment results with, how the results can be accessed (via a web browser and/or API), and the specific assessment detail reports they want to share (such as: certification letter, expanded scope description, and findings). The relying party can review and search online for specific elements they are seeking, set up customizable views, and create alerts for assessment results outside of a defined threshold.
• Reservation-Based Quality Assurance (RBQA)– A reservation system allowing assessed entities to schedule when quality assurance (QA) work will begin for a HITRUST Validated Assessment.
• HITRUST Shared Responsibility and Inheritance Program– A unique set of industry-adopted tools and capabilities to provide greater assurances over shared technology risk management, including guidance for internal and external inheritance and sharing control responsibility in the cloud.
• Kanban-Style Status Dashboard – Provides transparency regarding assessment statuses, open action items and their ownership, and upcoming steps in the assessment workflow. In addition to the Kanban-style board, other dashboards display transparency into HITRUST Validated Assessments as they move through each phase of the Validated Assessment Workflow. The dashboards combine to include key details of each Validated Assessment.

With all this and more, HITRUST is working to bring peace of mind to industry leaders across all verticals who are resolute in cybersecurity preparation and practice. Amidst the swirling tempest of cybersecurity threats and emerging risks, the HITRUST Implemented 1-year (i1) Validated Assessment brings, relative to the HITRUST Risk-based, 2-year (r2) Validated Assessment, a means to convey a relatively moderate level of assurance to stakeholders.

For detailed information about the HITRUST Implemented i1 Cyber Relevant Assessment, please reference the HITRUST OnDemand webinar library: Next Generation HITRUST Information Security Assessment Focuses on Continuous Cyber Relevance

Follow HITRUST on X.
Follow HITRUST on LinkedIn.

About the Author

Jeremy Huval, Chief Innovation Officer, HITRUST

Jeremy is responsible for developing and implementing HITRUST’s innovation strategy; ensuring HITRUST’s innovation provides value to customers, assessors, and relying parties; and overseeing the rollout of new products and capabilities in support of HITRUST’s Standards Development Organization and the HITRUST Assurance Program. Jeremy was at the forefront of developing, refining, and launching the new HITRUST Implemented, 1-year (i1) Validated Assessment.