HITRUST Assessment Portfolio Expansion FAQs
Why did HITRUST need to add assessments to its portfolio? How do I know which one is appropriate to satisfy internal and external assurances and requests from third parties?
The HITRUST Risk-based, 2-year (r2) Validated Assessment (formerly the HITRUST CSF Validated Assessment) remains the most reliable information assurance report in the marketplace, primarily because of the transparency and consistency with which controls are selected, scored, and validated by qualified third-party External Assessors and the HITRUST Assurance Program. Not every environment or vendor relationship requires the same level of assurance; however, each does need the transparency, consistency, and integrity appropriate to its level of assurance. The growing need for lower and moderate levels of assurance is generally driven by considerations of time, budget, and purpose. To meet these needs, HITRUST is adding two new assessment options for situations that call for a lower or moderate level of assurance. These options are easier and faster to perform while still providing a higher level of transparency and reliability than comparable options on the market, and they add significant efficiencies that reduce time, effort, and cost.
- The new HITRUST Basic, Current-state (bC) is a self-assessment intended to provide a “good security hygiene” assessment.
- The new Implemented, 1-year (i1) Validated Assessment is intended to address both “good security hygiene” and “cybersecurity best practices” while being threat-adaptive – designed to maintain relevance over time as threats evolve and new risks emerge.
- The existing HITRUST CSF Validated Assessment will be renamed the Risk-based, 2-year (r2) Validated Assessment and will continue to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors.
What is a “cybersecurity best practices” assessment, and how does it differ from a “good security hygiene” assessment?
“Good security hygiene” practices are table stakes in the industry. There are many situations in which an assessment that focuses only on this content, such as the bC, makes sense: quick internal evaluations of security controls, or conveying a low level of assurance to customers in low-risk situations. If stakeholders want a more reliable report, organizations will need to move to the Implemented, 1-year (i1) Validated Assessment, which covers both “good security hygiene” and “cybersecurity best practices” because its requirement selection is based on authoritative sources and integrates threat intelligence data into the selection process. The Risk-based, 2-year (r2) Validated Assessment (formerly named the HITRUST CSF Validated Assessment) will continue to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors.
How do the new bC and i1 assessments compare in assurance and quality to the previous HITRUST CSF Validated Assessment (now called the r2)?
The HITRUST Basic, Current-state (bC) assessment and HITRUST Implemented, 1-year (i1) Validated Assessment are intended to address situations where a low or moderate level of assurance is warranted or appropriate. The HITRUST Risk-based, 2-year (r2) Validated Assessment (formerly the HITRUST CSF Validated Assessment) will continue to provide the highest level of assurance.
If I need to demonstrate compliance with HIPAA, which HITRUST assessment should I use?
- The HIPAA Security Rule requires organizations to implement various security controls, perform a risk analysis, and establish reasonable and appropriate policies and procedures to comply with HIPAA standards and implementation specifications. Meeting these requirements appropriately calls for a HITRUST Risk-based, 2-year (r2) Validated Assessment (formerly the CSF Validated Assessment), because the comprehensive assurance methodology used in the r2 Validated Assessment includes a review of controls for implementation, processes, and procedures, whereas the other assessments in the HITRUST portfolio do not.
- However, there may be instances when an organization has only implemented or partially implemented controls, does not yet have an appropriate set of established policies and procedures, and wants to evaluate its progress and effort toward HIPAA compliance. In this instance, an Implemented, 1-year (i1) Validated Assessment could be suitable as an intermediate step toward an r2 Validated Assessment, which is designed to demonstrate full HIPAA compliance.