Yes. Both will be accessible in MyCSF.

The HITRUST CSF v11.1.0 release contains the following enhancements:

• Added MARS-E v2.2 mapping and selectable Compliance factor, “MARS-E v2.2”
  • The existing MARS-E Compliance factor, “MARS-E v2.0” will not be selectable as of v11.1.
• Added IRS Pub. 1075 (Rev. 11-2021) mapping and selectable Compliance factor, “IRS Pub. 1075 (Rev. 11-2021)”
  • The existing “IRS Pub. 1075” Compliance factor, will not be selectable as of v11.1.
• Refreshed FedRAMP mapping and selectable Compliance factor, “FedRAMP”

The reason an organization would move to v11.1.0 would be to take advantage of the enhancements listed above. The CSF Summary of Changes document offers additional details regarding CSF changes. MyCSF subscribers can utilize the preview functionality described in HAA 2021-006 to determine impact on an existing assessment prior to upgrading to v11.1.0 including a detailed look at the direct changes that will apply to the assessment.

There will be no impact unless an organization and assessor firm determine the modifications to certain requirement statements and illustrative procedures in v11.1.0 are appropriate for the scope and requirements of the assessed entity. Assessments for v11.0.1 can still be generated despite the release of v11.1.0.

The HITRUST CSF version 11 (v11) enables a fully traversable portfolio, which facilitates seamless movement between HITRUST assessments based on the use of common requirement statements to maximize reusability. As risk and compliance program maturity or information protection needs change, v11 allows organizations to use what they have already done to easily upgrade to higher levels of HITRUST assurance with just incremental effort. v11 enables cyber threat adaptive HITRUST Assessments across the portfolio that continuously evolve to address emerging threats such as ransomware and phishing.

The HITRUST CSF v11 framework includes new and refreshed Authoritative Sources powered by the speed and efficiency of Artificial Intelligence (AI). Plus, changes to Evaluative Elements and Illustrative Procedures that make it easier for MyCSF users to parse and score Requirement Statements.

v11 contains the following new and refreshed Authoritative Sources:

• Added NIST SP 800-53 revision 5 mapping and selectable Compliance factor
• Added Health Industry Cybersecurity Practices mapping and selectable Compliance factor
• Refreshed NIST SP 800-171 mapping
• Refreshed NIST Cybersecurity Framework mapping
• Refreshed HIPAA Security Rule, Privacy Rule, and Breach Notification mapping

For more details about HITRUST CSF v11, Refer to Advisory HAA 2023-001: CSF Version 11 Release.

For a comparison of the v9.6 i1 requirement statement to the v11.0 i1 requirement statements click here.

An authoritative source refresh is an update to a previously mapped authoritative source due to a change in the authoritative source or in order to refine the mapping using the NIST OLIR methodology.

Yes, v11 and v9.1 – 9.6 are currently accessible in MyCSF.
However, v9.1 – v9.4 are transitioning to an end-of-life process for r2 assessments and i1 assessments will transition for v9.6.2 to v11.

r2 Assessments

• On September 30, 2023, the ability to create new v9.1 – v9.4 r2 assessment objects in MyCSF is disabled.
• On December 31, 2024, the ability to submit v9.1 – v9.4 r2 assessment objects in MyCSF is disabled.
• On March 31, 2026, v9.1 – 9.4 libraries are removed from MyCSF.

v9.5 and v9.6 will continue to be available for r2 Assessments.

i1 Assessments

• Between January 18, 2023 and April 30, 2023, i1 assessments may created using either v9.6.2 or v11.
• On April 30, 2023, the ability to create new v9.6.2 i1 assessment objects in MyCSF is disabled.

On July 31, 2021, the ability to submit v9.6.2 and earlier i1 assessment objects in MyCSF is disabled.

The e1 Assessment and accompanying certification is designed to address the need for demonstrable assurances over an organization’s performance of foundational cybersecurity practices and the most critical cybersecurity threats, either via self-assessments or validation by External Assessors. This very narrow focus allows the e1 to move at the speed of business, providing insight into cybersecurity hygiene quickly.

This new assessment can also benefit assessed entities by: (1) serving as a stepping-stone to comprehensive assessments of security maturity and risk management such as the HITRUST i1 or HITRUST r2, or (2) being the targeted “end goal” assurance mechanism for organizations of specific (lower) risk profiles or in certain scenarios such as M&A activity, newly onboarded vendors, or newly implemented IT platforms.

Yes. The e1 Assessment is a replacement for the bC in Version 11 and later of the HITRUST CSF framework, and also in version two of the HITRUST Assessment XChange Third-party Risk Management (TPRM) methodology. Those who already have a bC Assessment underway in MyCSF or the XChange will be able to complete their bC without issue.

The “cyber threat-adaptive” innovation in the HITRUST e1 Assessment is one of the most important benefits that makes it unique. Simply stated, cyber threat-adaptive means that as the threat landscape evolves, the HITRUST CSF framework and e1 requirements will be updated to remain cyber relevant over time to reduce future risk. This cyber threat-adaptive proactivity to adjust and refresh information security control requirements on a regular basis to meet the latest and emerging cyberthreat activity, such as ransomware and phishing, differs dramatically from most common frameworks, which often remain unchanged for many years.

For current e1 pricing, contact your HITRUST Product Specialist by calling: 855-448-7878 or emailing: sales@hitrustalliance.net

For a comparison of the v9.6 i1 requirement statement to the v11.0 i1 requirement statements click here.

The i1 Assessment is designed to address the need for a continuously-relevant cyber security assessment that aligns and incorporates best practices and leverages the latest threat intelligence to maintain applicability with information security risks and emerging cyber threats, such as ransomware and phishing. The design and selection of the controls for the i1 Assessment puts it in a new class of information security assessment that is “threat-adaptive” – developed to maintain relevance over time as threats evolve and new risks emerge, while retiring controls no longer deemed material. The i1 Assessment is intended for organizations needing a moderate level of assurance that delivers full transparency, accuracy, consistency, and integrity.

The “cyber threat-adaptive” innovation in the HITRUST i1 Assessment is one of the most important benefits that makes it a strong Leading Security Practices assurance. Simply stated, cyber threat-adaptive means that as the threat landscape evolves, the HITRUST CSF framework and i1 requirements will be updated to remain cyber relevant over time to reduce future risk. This threat-adaptive proactivity to adjust and refresh information security control requirements on a regular basis to meet the latest and emerging cyberthreat activity, such as ransomware, brute force, and phishing, differs dramatically from most common frameworks, which often remain unchanged for many years.

Yes. For many organizations, the i1 will be the only information protection certification needed. Those organizations will simply perform a HITRUST i1 Validated Assessment annually. Using CSF v11, HITRUST offers a Rapid Recertification for i1 Assessments which streamlines achieving the next i1 1-year Certification. i1 Rapid Recertification can be used every other year between full i1 Assessments.

April of 2023

The HITRUST RDS is an online portal that allows assessed entities to fulfill the requests of their relying parties by sharing their assessment results via our application. Through API integration, the relying party can ingest specific elements they are seeking such as: assessment date, scope, control requirements, scores, corrective action plans (CAPs), and more.

Across the industry, third-party assurance reports are distributed almost entirely as PDF documents. These PDFs must then be manually reviewed by relying parties to confirm various elements that are contained within the results. The relying party often needs to re-enter data present in the PDF report into their vendor risk management (VRM) system, third-party risk management (TPRM) system, or governance, risk, and compliance (GRC) system. At present, this process is manual and labor-intensive and is generally repeated annually for every third-party vendor. The HITRUST Results Distribution System (RDS) enables assessment results to be sent electronically from a highly secure portal where the relying party can consume and review available data elements through API directly in their TPRM, VRM, or GRC systems.

For Relying Parties, RDS eliminates the need to manually review and re-enter information from an assessment report. RDS enables electronic receipt of assessment results and can enable a VRM system’s analytics capabilities to review results and provide alerts as specified. VRM integration will require the use of the RDS API.

The MyCSF Compliance and Reporting Pack for HIPAA compiles and reports on information relevant to HIPAA that is collected during the HITRUST r2 Assessment process. The MyCSF Compliance and Reporting Pack for HIPAA cannot be used with HITRUST e1 or i1 Assessments.

The MyCSF Compliance and Reporting Pack for HIPAA can only be generated for assessments using HITRUST CSF v9.5.0 (or higher) – including v11 – and only for objects created or refreshed on or after September 3, 2021.

No, it is only available in HITRUST CSF v9.5.0, and later.

r2 Assessments that have not been previously submitted to HITRUST can change their CSF version to v9.5.0 (or later). Assessed entities should work with their External Assessors to understand the implications of changing CSF versions on their assessment as a change in CSF version may, in certain circumstances, introduce new or modified requirements into an assessment.

Yes. HITRUST Bridge Assessments are available only for r2 Certifications. Since the HITRUST e1 and i1 certifications expire after 1 year, there are no i1 Bridge Assessments available for an e1 or i1 assessment.

The interim assessment is still due on the one-year anniversary of the certification date. A hypothetical timeline: An organization’s HITRUST Certification is set to expire on 5/31/22 and this organization is awarded a HITRUST Bridge Certificate. This organization submits a completed validated assessment to HITRUST prior to the Bridge Certificate’s expiration which results in a HITRUST Certification. The organization’s newly issued HITRUST Certification is dated 6/1/22, and the interim assessment would be due to HITRUST no later than 6/1/23.

The HITRUST Bridge Certificate is designed to assist organizations who need to maintain HITRUST Certification but may be experiencing challenges in completing their next HITRUST Validated Assessment.

The HITRUST Bridge Assessment links the two HITRUST Validated Assessments by offering a limited level of assurance during the period when the next HITRUST Validated Assessment is being completed. This limited level of assurance is not sufficient to stand alone without the completion of a subsequent HITRUST Validated Assessment where the level of assurance can only be maintained for 24 months.

No. This functionality is part of the HITRUST Assessment XChange. For more information on the XChange, contact getinfo@hitrustax.com.

Yes. MyCSF 2.0 maintains a library of documentation and relationships between the documentation and its related control requirements and maturity domains.

There are several changes that will be announced relating to the Assurance Program requirements. These are independent of the HITRUST CSF and MyCSF and are designed to increase the consistency and integrity of the assurance process.

Yes. We do not generate any type of assurance report for targeted assessments. There are assessments that you can perform internally, and you can generate score cards within the tool.

You can assign a weight to the inherited score that will apply to a particular control requirement.

No. When you inherit a control requirement, it inherits scores related to all maturity domains based on the weight given to each. If you inherit from an object that has only scored policy, you will also be inheriting the zeros for the remaining maturity domains.

Anyone that wishes to allow their assessments to be inherited will need to subscribe to the HITRUST MyCSF. This applies to internal as well as external inheritance. External inheritance is viewed as a service that is provided to customers making it easier to assess if they are working with a service provider that they can inherit from. This should encourage organizations to do business with those that provide this service.

Yes. Inheritance will continue to be a premium feature in MyCSF and will require an appropriate subscription.

The HITRUST Assurance program is a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and cost-containment; and additional assurances around the accuracy, consistency and repeatability of assessments due to the use of pre-qualified professional services firms—all of which is designed to meet the unique regulatory and business needs of the healthcare industry. In short, it is a risk-based approach to selecting HITRUST CSF controls for assessment, including management oversight of the assessment. The HITRUST Assurance Program delivers simplified compliance assessment and reporting that addresses multiple federal, state and industry requirements for both covered entities and their business associates.

If you are in possession of a HITRUST report or letter PDF and are seeking verification that the PDF is authentic please contact support@hitrustalliance.net. You will be asked to provide a copy of the PDF in question and evidence showing you received it from the organization.

Before starting the Certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the Certification process, please select a HITRUST Assessor. Once you select an Assessor, you will need to purchase a validated assessment from HITRUST. Complete the validated assessment using the MyCSF tool and then the Assessor will perform the validation/audit work. Please note access to the MyCSF is granted for 90 days. Once the Assessor work is complete, please submit to HITRUST for review. HITRUST will create a report and, depending on the scores in the report, will issue a letter of certification.

38,000 HITRUST Assessments have been performed in the last three years with 15,000 HITRUST Assessments in 2015 alone. HITRUST anticipates a continued demand for its Certifications due to third-party assurance requirements from several major health organizations and requests for combined SOC 2 + HITRUST reports.

A HITRUST Certification Report covers 40 authoritative sources. The HITRUST CSF provides comprehensive coverage of general security requirements and provides prescriptive controls (safeguards), i.e., the control requirements should be detailed enough to support implementation in the intended environment and adequately address relevant threat(s). In many cases where a customer is asking for a proprietary questionnaire to be filled out or an independent assessment performed, the areas of interest from that customer may have already been addressed and assessed through a HITRUST Assessment. In our experience, putting in some time to educate the customer on what is covered within the scope of a HITRUST assessment and providing them the authoritative source mapping will result in the customer accepting the HITRUST Assessment in place of their proprietary programs. In some instances, performing a cross-reference mapping of the customer’s questionnaire to the HITRUST Assessment that was performed, provides the customer with the necessary assurance requested and eliminates the need for a separate questionnaire. We suggest taking these actions first and if those are not successful you can reach out to HITRUST for additional support and suggestions.

Email HITRUST Support:
support@hitrustalliance.net

Reference Documents:
Leveraging the HITRUST CSF
Comparing the CSF, ISOIEC 27001 and NIST SP 800-53
HITRUST CSF and NIST OLIR Program

HITRUST recommends organizations start by performing a HITRUST i1 or r2 Readiness Assessment with their HITRUST Certified External Assessor over the missing scope to satisfy the customer demands while working on the remainder of the HITRUST Validated Assessment.

HITRUST Authorized External Assessors are organizations that have been approved by HITRUST for performing assessments and services associated with the HITRUST Assurance Program and the HITRUST CSF, a comprehensive risk management framework that incorporates the existing security and privacy requirements of organizations. Authorized External Assessors are critical to HITRUST’s efforts to provide trained resources to organizations of varying size and complexity to assess compliance with security and privacy control requirements and document corrective action plans that align with the HITRUST CSF. All Authorized External Assessors are treated equally by HITRUST. This means that every assessor, regardless of their size and portfolio of capabilities, must go through a rigorous onboarding and ongoing quality review process. As part of HITRUST’s due diligence, a review of each organization and individual practitioner is performed to ensure quality standards are met. Each individual must also attend a live virtual training course and pass an exam to become a Certified CSF Practitioner. Although some assessors may have performed more assessments than others, that does not mean that all assessors are not held to the same level of quality standards. As with any professional services firm relationship, each client’s experience may be different in the marketplace. We encourage organizations that find themselves in this position to direct their customers to the information regarding the HITRUST Assessor Program and direct them to HITRUST for any specific questions regarding the program or any concerns related to specific assessor through the HITRUST Ethics Hotline:

English: USA and Canada: 844-940-0033
Spanish: USA and Canada: 800-216-1288
Website: www.lighthouse-services.com/hitrustalliance

There are rare instances when customers may demand that an organization use a specific assessor or chose from a select list of assessors to perform their validated assessment. Unfortunately, this is outside of HITRUST’s control and will need to be negotiated directly with the customer.

HITRUST has an Assessor Council with whom HITRUST interacts as it relates to the CSF Assurance Program. Within the membership of the Assessor Council, there is a quality subcommittee that meets regularly to provide input regarding the requirements of assessors when performing assessments and help ensure the consistency and quality of the procedures being performed by assessors. This, combined with internal HITRUST quality assurance procedures, should provide some assurance that assessors are performing engagements in accordance with the Authorized External Assessor requirements.

In most scenarios, a HITRUST Certification or Validated Assessment report is accepted in place of proprietary on-site audits and reporting requests. Scenarios do exist where contracts enable a customer to request a performance of its own on-site audit procedures. Often times the scope of these procedures or areas of focus may be on specific requirements outside the scope of a HITRUST Assessment. Other times, after a HITRUST Assessment has been received and reviewed, the customer may decide to dive further into certain areas covered by the assessment if corrective actions plan or gaps have been identified or if the maturity scores of a particular domain are below the customer’s expectations. In these scenarios, we have found that the scope of the procedures is more targeted at those areas of focus as opposed to a full audit. We encourage assessed entities to work with their customers to make sure that there is an understanding of what has been covered within the scope of the assessment. The scope of proprietary audit procedures should be negotiated only to extend to those areas of focus necessary for the customer to achieve the desired level of assurance.

Organizations accepting ISO 27001 in lieu of HITRUST Certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what’s in the ISO report with what it expects from the comprehensive, prescriptive and often granular requirements of the CSF. While an improvement over custom assessment questionnaires and the now legacy SAS 70, the relying organization would still need to identify any gaps between the two reports (which will almost surely exist), go through the process of requesting additional information from the ISO-certified entity, and then evaluate the response(s).

While an organization could conceivably support ISO certification as a ‘first step” in the assurance process, it could not and should not rely solely on ISO certification. At some point the ISO-certified organization must demonstrate that the complete set of CSF control requirements relevant to their organization have been implemented appropriately if it is to ascertain what residual risk(s) remain. And since this is best accomplished through the HITRUST Assurance Program, it just makes sense—from both an economic and resource perspective—to simply require a HITRUST Validated or Certified Assessment from the onset.

References: Risk Management Frameworks, HITRUST Assurance Program Requirements, and Risk Analysis Guide

The HITRUST Assessment questionnaire will ask about your organization’s information security practices in 19 major topical domains such as information protection program, endpoint protection, portable media security, third party assurance and risk management.

To gain an understanding of your organization’s risk profile, the questionnaire will ask you if:

• Specific requirements are addressed in organizational policy and standards,
• There are processes and procedures to support the implementation of the requirements,
• The requirements have been implemented consistently across the organization,
• The effectiveness of the controls are monitored (e.g., with a metric or other type of measurement), and
• The controls are actively managed based on this monitoring.

Reference: HITRUST Assessment Process, HITRUST Assurance Program Requirements and Risk Analysis Guide

HITRUST has created a document that explains the assessment report, how to interpret, and how it can be used to complement and enhance your current processes.

Reference: Leveraging HITRUST CSF Assessment Reports: A Guide for New Users

A Certified CSF Practitioner is an individual that has completed the required training, passed an exam, and meets the experience requirements for a practitioner. A HITRUST External Assessor is a firm that has met all the requirements to become authorized to perform HITRUST Validated Assessments.

HITRUST practitioners will complete the onsite training during the first year. The second and third year they are required to complete a refresher. The CSF Practitioner Refresher Course is a self-paced online course available for download from the HITRUST Academy. The 4th year the process starts over with the onsite class.

HITRUST External Assessors are designated organizations qualified to provide assessments for clients seeking HITRUST Certification. HITRUST practitioners are either members of a HITRUST Assessor organization that have obtained this status through the HITRUST training class to assist organizations with certifications or independent consultants that have completed the HITRUST training class and assist organizations with self-assessments or implementing the CSF in their environment.

There are three costs associated with the HITRUST External Assessor Program:

1. Application fee (one-time payment of $2,500)
2. Training fee: Five people must complete the Certified CSF Practitioner (CCSFP) Training Course – $3,000 per individual. Additionally, two of those five people must complete the Certified HITRUST Quality Professional (CHQP) Course online – $2,000 per individual. Both the CCSFP and CHQP Courses are offered via the HITRUST Academy.
3. Annual Program Fee (Tier rates based upon overall revenue from the prior year)

For exact pricing information and more details regarding the External Assessor Program, please contact csfassessor@hitrustalliance.net..

We anticipate updates to occur annually, shortly after each HITRUST CSF release, or when significant changes in the threat environment would warrant an interim release.

A HITRUST Implementation Advisory would be issued if there is additional clarification around how HITRUST CSF requirements should be implemented to effectively address one or more threats—or as an interim measure until more stringent or enhanced control requirements can be published in the next scheduled release of the HITRUST CSF.

The threat landscape is constantly changing, as are the technologies and tools that organizations rely upon to support their business missions. Consequently, an organization’s information protection program must change and adapt. Threat intelligence is one of several mechanisms by which HITRUST ensures the continued sufficiency of the HITRUST CSF.

By linking granular threats identified in active threat intelligence to higher-level threats contained in the HITRUST Threat Catalogue and related HITRUST CSF control specifications, organizations will gain greater insight into how well they are addressing extant and emerging threats by evaluating how well they’ve implemented related HITRUST CSF controls in their environment. More so, leveraging threat intelligence that can be correlated via the HITRUST Threat Catalogue’s mappings to the control specifications will allow organizations to determine likelihood and impact in order to further tailor their information protection program and manage their risk.

With each r2 Validated Assessment Report (formerly named the HITRUST CSF Validated Assessment Report) issued, HITRUST includes a scorecard detailing your organization’s compliance with NIST Cybersecurity Framework-related controls included in the HITRUST CSF framework. (The NIST Cybersecurity Framework Scorecard is not available with HITRUST i1 Assessment.)

No, the interim review requirement only applies to the HITRUST Certification.

ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs and produces the HITRUST CSF, the most commonly used information security controls standard in the healthcare industry. And, in its 2018 Report to Congress on the state of NIST Cybersecurity Framework Adoption, the GAO states Healthcare and Public Health (or “HPH”) Sector officials encourage alignment of the NIST Framework with existing cybersecurity guidelines and goes on to state, “the sector aligned the [HITRUST CSF] with the NIST Framework,” which “allows organizations to demonstrate compliance with NIST through their implementation of the pre-existing [HITRUST] framework.” In fact, current HPH Sector guidance uses the HITRUST CSF as the underlying foundation for an organization’s implementation of the NIST Framework.

Refer to https://www.gao.gov/assets/700/690112.pdf for a copy of the GAO report.

Refer to the US-CERT Cybersecurity Framework Website at https://www.us-cert.gov/ccubedvp/cybersecurity-framework for a copy of the HPH Sector implementation guide, or download a copy directly using https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf.

Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST Validated or Certified Report. This is consistent with NIST guidance that allows for focused assessments to address specific issues or answer specific questions. “Organizations have maximum flexibility on how risk assessments are conducted and are encouraged to apply the guidance in this document so that the various needs of organizations can be addressed and the risk assessment activities can be integrated into broader organizational risk management processes” (NIST SP 800-30 r1, Guide for Conducting Risk Assessments, pg. ix). For purposes of certification, control selection is based on an analysis of breach data, leading practices and regulatory requirements (e.g., the HIPAA Security Rule).

With respect to the way an assessment is conducted, one control does not have more weight or importance than another. This is because, by definition, all the controls that the organization has determined it must implement—regardless of whether they were designed from a custom risk analysis or tailored from a control baseline by a supplemental analysis—must be implemented in order to manage risk to an acceptable level. But the HITRUST Assurance Program only requires this level of “completeness” for purposes of certification and, even then, organizations can remove controls that do not apply to them or accept a small amount of risk for partial implementations of those that do.

HITRUST also encourages the prioritization of remediation activities based on relative risk by providing impact ratings and their relationship with each other with the inclusion of priority codes. Although examples have not yet been provided in the Risk Analysis Guide. HITRUST encourages organizations to modify the impact ratings based on an evaluation of their control environment and consider other factors, such as existing infrastructure, budget constraints and organizational culture when developing and prioritizing corrective actions.

For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors (new version coming soon).

The HITRUST CSF is designed with certain highly regulated industries in mind. However, it is a region- and industry-agnostic control framework that can be used globally by organizations across all industries. Furthermore, HITRUST is the only standards development organization with a framework, an assessment platform, and an independent assurance program. Other compelling benefits and considerations are presented in FAQs throughout this document.

The table below compares the HITRUST CSF with several other leading information security and risk frameworks:

Although HITRUST provides tailoring options for the HITRUST CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. Given the relatively uncontrolled sprawl of sensitive information in many organizations, the HITRUST CSF can (and should) be applied as broadly as necessary to scope to the specific types of information, systems, and/or business units requiring information asset protection.

Scope can be minimized by ensuring that workflows requiring the use of sensitive information are understood and such uses are restricted to the minimum necessary, as required by many legal and regulatory bodies, as well as best practices. In addition, information assets and data flows with sensitive information can be isolated from other assets and data flow types, e.g., through network segmentation.

For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.

From its inception, HITRUST chose to use a risk-based rather than a compliance-based approach to information protection and help mature industry’s approach to safeguarding information. By integrating NIST’s moderate-level control baseline into the CSF, which is in turn built upon the ISO 27001:2005 control framework, HITRUST leverages the comprehensive threat analyses employed by these frameworks to provide a robust set of prescriptive controls relevant to the healthcare environment. The CSF also goes beyond the three baselines for specific classes of information and provides multiple control baselines determined by specific organizational, system, and regulatory risk factors. These baselines can be further tailored through formal submission, review, and acceptance by HITRUST of alternative controls, what PCI-DSS refers to as compensating controls, to provide the industry with additional flexibility in the selection of reasonable and appropriate controls while also providing assurance for the adequate protection of sensitive information.

Traditional risk analysis guidance (e.g., from HHS) can subsequently be modified to support the use of a comprehensive control framework—built upon an analysis of common threats to specific classes of information and common technologies—as follows:

• Conduct a complete inventory of where ePHI lives
• Perform a BIA on all systems with ePHI (criticality)
• Categorize and evaluate these systems based on sensitivity and criticality
• Select an appropriate framework baseline set of controls
• Apply an overlay based on a targeted assessment of threats unique to the organization
• Rank risks and determine risk treatments
• Make contextual adjustments to likelihood and impact, if needed, as part of the corrective action planning process
• Evaluate residual risk: likelihood based on an assessment of control maturity and impact based on relative (non-contextual) ratings

Because the HITRUST CSF provides a risk-based approach to information protection and compliance, organizations of varying risk profiles can customize the security and privacy control baselines through a variety of organizational, technical, and compliance risk factors.

For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors.

Through HITRUST, the CSF provides organizations with a controls framework that is:

• Relevant and supports the HITRUST threat-adaptive assessments through regular maintenance of supporting authoritative sources and changes in the threat environment;
• Scalable to various sizes and types of organizations or systems in a controlled manner;
• Tailorable in the r2 Assessment through managed approvals of alternative (compensating) controls;
• Based on compliance with control baselines intended to manage risk to an industry-accepted level;
• Capable of providing certifiable risk assurances to internal and external stakeholders, including regulators; and
• Supported by appropriate guidance and tools along with regular updates.

For more information on HITRUST and the CSF, refer to the How HITRUST Helps Organizations Manage Risk guide.

Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST Validated or Certified Report. This is consistent with NIST guidance that allows for focused assessments to address specific issues or answer specific questions. “Organizations have maximum flexibility on how risk assessments are conducted and are encouraged to apply the guidance in this document so that the various needs of organizations can be addressed and the risk assessment activities can be integrated into broader organizational risk management processes” (NIST SP 800-30 r1, Guide for Conducting Risk Assessments, pg. ix). For purposes of certification, control selection is based on an analysis of breach data, leading practices and regulatory requirements (e.g., the HIPAA Security Rule).

With respect to the way an assessment is conducted, one control does not have more weight or importance than another. This is because, by definition, all the controls that the organization has determined it must implement—regardless of whether they were designed from a custom risk analysis or tailored from a control baseline by a supplemental analysis—must be implemented in order to manage risk to an acceptable level. But the HITRUST Assurance Program only requires this level of “completeness” for purposes of certification and, even then, organizations can remove controls that do not apply to them or accept a small amount of risk for partial implementations of those that do.

HITRUST also encourages the prioritization of remediation activities based on relative risk by providing impact ratings and their relationship with each other with the inclusion of priority codes. Although examples have not yet been provided in the Risk Analysis Guide. HITRUST encourages organizations to modify the impact ratings based on an evaluation of their control environment and consider other factors, such as existing infrastructure, budget constraints and organizational culture when developing and prioritizing corrective actions.

For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors (new version coming soon).

The best discussion of why one would choose the HITRUST CSF over ISO 27001 and NIST SP 800-53 is provided in an earlier FAQ, but to address the question about accepting one in lieu of another, we’ll need to expand a little further.

The biggest difference between the two certifications is what they intend to certify.

In the case of ISO 27001, the focus of the certification is on the information security management system (ISMS), which includes an evaluation of the information security risk assessment and treatment processes. However, “organizations can design controls as required, or identify them from any source” (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, they are not exhaustive and additional control objectives and controls may be needed” (Ibid., § 6.1.3.c, p. 4). And although the ISO assessor must produce a “Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A” (Ibid., § 6.1.3.d, p. 4), it doesn’t extend beyond what’s required in Annex A. Subsequently, organizations have wide latitude in the controls they specify to address the risks they identify at a level suitable to their risk appetite. ISO certification assessors also have some latitude in how they assess the effectiveness of the controls, and there is no quality control of the assessments other than a general requirement that consultants that help organizations prepare for ISO certification do not perform the certification assessment.

In effect, we’re left with the same problems that existed before the creation and implementation of the HITRUST CSF—which is actually structured on ISO 27001 and contains additional guidance from ISO 27002 and multiple other relevant authoritative sources such as HIPAA, NIST SP 800-53, CMS IS ARS, PCI DSS and the NIST Cybersecurity Framework—and its assessment through the HITRUST Assurance Program: a lack of comprehensiveness and prescription in the control requirements; little or no U.S. healthcare industry context; lack of comprehensiveness related to regulations, legislation and other relevant requirements such as leading practice frameworks; and uncertain rigor and approach to the assessments including limited quality control.

The HITRUST CSF on the other hand provides a minimal baseline of comprehensive, prescriptive control requirements tailored to a healthcare organization’s specific organizational, system and regulatory risk factors. And the specific focus of HITRUST Certification is on the maturity of this control baseline’s implementation using a specific, rigorous assessment approach and scoring model in order to gauge the level of excessive residual risk to ePHI in the organization. HITRUST also provides detailed assessment procedures for each control requirement, and ensures assessments are performed by an Authorized External Assessor Organization and requires each assessment undergo a quality assurance review to ensure accuracy and completeness before awarding certification.

As an example of how high-level control requirements can benefit from the context, comprehensiveness and rigor of the HITRUST CSF and Assurance Program, one only has to look at the joint initiative between AICPA and HITRUST on using the HITRUST CSF to support SOC 2 assessments against the Trust Principles and Criteria. This ensures a standardized set of industry-relevant control requirements are identified for each criterion, and the assessment of these controls are conducted with a specific approach and level of rigor that provides relying entities, including regulators and other third parties, with accurate, consistent and repeatable assurances.

The best treatment on why one would choose the HITRUST CSF over ISO can be found in the risk framework analysis presented by HCSC and Children’s Health Dallas Selecting a Healthcare Information Security Risk Management Framework in a Cyber World. For more information on the HITRUST RMF, refer to the HITRUST RMF Whitepaper.

HITRUST Validated Reports with Certification are valid for two years given the successful completion of an interim review (12 months after the date of the original assessment), and that no breach or significant changes have occurred relating to the scoped control environment. Validated Reports not resulting in certification are point-in-time reports.

The HITRUST Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in multiple ways, e.g., to support PCI SAQ development, the issuance of SOC 2 reports against specific AICPA Trust Services Criteria, or scorecards of HIPAA or NIST Cybersecurity Framework compliance. Organizations using the HITRUST Assurance Program for third-party risk management experience significant reductions in cost and level of effort required to evaluate third-party reports or issue their own reports to their own stakeholders, including business partners and regulators. This is the fundamental reason why several large healthcare entities have moved from simply accepting HITRUST Validated and Certified Reports to requiring them.

With each r2 Validated Assessment Report (formerly named the HITRUST CSF Validated Assessment Report) issued, HITRUST includes a scorecard detailing your organization’s compliance with NIST Cybersecurity Framework-related controls included in the HITRUST CSF framework. (The NIST Cybersecurity Framework Scorecard is not available with HITRUST i1 Assessment.)

No, the interim review requirement only applies to the HITRUST Certification.

ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs and produces the HITRUST CSF, the most commonly used information security controls standard in the healthcare industry. And, in its 2018 Report to Congress on the state of NIST Cybersecurity Framework Adoption, the GAO states Healthcare and Public Health (or “HPH”) Sector officials encourage alignment of the NIST Framework with existing cybersecurity guidelines and goes on to state, “the sector aligned the [HITRUST CSF] with the NIST Framework,” which “allows organizations to demonstrate compliance with NIST through their implementation of the pre-existing [HITRUST] framework.” In fact, current HPH Sector guidance uses the HITRUST CSF as the underlying foundation for an organization’s implementation of the NIST Framework.

Refer to https://www.gao.gov/assets/700/690112.pdf for a copy of the GAO report.

Refer to the US-CERT Cybersecurity Framework Website at https://www.us-cert.gov/ccubedvp/cybersecurity-framework for a copy of the HPH Sector implementation guide, or download a copy directly using https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf.

HITRUST works closely with NIST and we constantly analyze their documentation to see what additional guidance can be utilized. Many guidelines—most often those that are very technical or technology-specific—are typically outside the scope of the HITRUST CSF; however, HITRUST will review these practice guides, determine how HITRUST CSF adopters can best leverage this type of documentation, and provide supporting guidance to the healthcare community, e.g., through HITRUST Implementation Advisories, as needed.

For more information on the HITRUST approach to risk management, refer to the HITRUST Risk Management Frameworks and Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochures.

Consistent with the certification requirements for the HITRUST CSF, an organization must achieve a minimum score for each NIST Cybersecurity Framework Core Category, which is aggregated from the scores for individual HITRUST CSF control requirements as they are mapped to each Core Subcategory within a Category. However, no additional Corrective Action Plans (CAPs) are needed to support HITRUST’s certification of the NIST Cybersecurity Framework beyond what is required for HITRUST CSF certification.

If an organization does not meet HITRUST CSF requirements for certification against the NIST Cybersecurity Framework, HITRUST will issue an assessment report with a Letter of Validation in lieu of a Letter of Certification.

While it’s possible, the likelihood that an organization can be certified against the NIST Cybersecurity Framework without meeting the requirements for HITRUST CSF certification are very small. This is because each certification is based on a single assessment. While the individual scores for each control requirement are the same, the scores are aggregated differently to support reporting against the HITRUST CSF Assessment Report domains and the NIST Cybersecurity Framework Core Categories.

The HITRUST Certification of the organization’s implementation of the NIST Cybersecurity Framework is for two (2) years, commensurate with the HITRUST Assessment Report.

An r2 Interim Assessment needs to be submitted by the one-year anniversary of the certification date. Exceptions may be requested prior to the anniversary date to account for extraordinary circumstances that prohibit completion. Since the i1 Certification is valid for one year, there is no Interim Assessment (or Bridge Assessment).

Non-subscriber’s access will be the same as the “report only” option, currently set at 1 object and 3 users.

The requirements are randomly selected by MyCSF upon creation of the Interim Assessment. MyCSF subscribers may create their Interim Assessments up to 120 days in advance of their due date.

Yes.

Information security continuous monitoring (ISCM) has been a part of the HITRUST control maturity and scoring model since the inception of the HITRUST Assurance Program.

Typical assessment and audit approaches generally focus on policy and implementation of the controls needed to implement that policy. HITRUST takes a more robust approach by specifically looking at the implementation of the control, including how well the control is supported by policy and procedures, as well as how well the organization monitors the effectiveness of the control and whether it takes appropriate action should monitoring indicate a degradation in effectiveness or failure of the control.

As shown in the table below, continuous monitoring is addressed by the ‘Measured’ and ‘Managed’ maturity levels with a maximum of 15 and 10 points awarded for each level, respectively.

HITRUST provides a common approach to triaging vendor risk by identifying the means and rigor of the assurances needed from a vendor based on the inherent information-related risks of a proposed or existing business relationship. This includes the information security and privacy controls specified for the vendor as well as the maturity scores required for an acceptable level of assurance.

As shown in the table above, the HITRUST risk triage approach provides (1) specific organizational, compliance and technical factors that help identify the type and amount of inherent risk the business relationship with the vendor poses; (2) a simple risk scoring model to help quantify the risk; and (3) specific recommendations for the type and rigor of the assessment and the maturity of the organization’s information protection.

By providing a common set of risk factors independent of the security and privacy controls that may or may not implemented by a third party, an organization can readily assess inherent risk and determine a reasonable and appropriate mechanism for the assurances it needs at a reasonable cost. Broad adoption will also significantly reduce costs for any third party that needs to provide assurances to multiple customers or business partners.

Based on an analysis of HITRUST Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a HITRUST Assessment are operated at or above an aggregated HITRUST CSF maturity score of 79, there is a very high likelihood these controls will continue to operate in a similar manner going forward. And organizations that have mature information security continuous monitoring (ISCM) programs in place can also help ensure that any deficiencies that may arise in their protection programs are quickly identified and addressed. These organizations may qualify for the HITRUST CSF Ongoing Certification (OC) Program, which will allow these organizations to reduce the frequency of full, time-based recertification assessments, as shown in the graphic on the next page.

HITRUST plans to update the Assurance Program to reward those organizations that have mature information protection programs as well as those that are actively implementing ISCM programs through a three-tiered certification program.

Organizations that demonstrate a ‘standard’ level of information protection, typically reflected in a CSF maturity score below 79, will undergo annual recertification assessments while those with higher scores striving to meet HITRUST requirements for ISCM would continue to undergo biannual recertification assessments with a targeted interim assessment.

Organizations that qualify for the ISCM-based HITRUST CSF Ongoing Certification (OC) program would conduct recertification assessments even less often, the frequency of which would be determined by its aggregated HITRUST CSF control maturity score and other criteria. Additional criteria will be developed by the HITRUST ISCM Working Group and integrated into the HITRUST CSF Assurance Program prior to its rollout, the timing of which is yet to be determined.

>Benefits of the ISCM-based HITRUST CSF OC Program include:

• On-demand, near real-time insight into their security and compliance risk posture* (visibility into how well stuff is protected)
• The ability to make quick, risk-based decisions on system security in near real-time** (helps minimize the impact from bad things happening)
• Better prioritization of remediation activities and corrective actions*** (helps identify the problems that need to be fixed first)
• Consistent, continuous adoption of cybersecurity best practices**** (ensures extant and emerging threats continue to be addressed appropriately)
• A higher level of assurance that personal data and individual privacy will continue to be protected and risk appropriately managed in the future (management can sleep better at night)
• Longer periods between comprehensive control gap assessments (fewer interruptions at work)
• Reduced time and effort needed to maintain certification (ability to focus on the real work)
• Reduced lifecycle costs for maintaining certification (more money for other work)
• Higher levels of assurance and trust with and amongst external stakeholders such as regulators, business partners, and customers (everyone can sleep better at night)

*REFERENCE *: Eisensmith, J. (N.D.). Ongoing Authorization: Changing how Government does Security Compliance, CIO Review. Available from https://identity-governance-and-administration.cioreview.com/cxoinsight/ongoing-authorization-changing-how-government-does-security-compliance-nid-5608-cid-180.html.

*REFERENCE **: Eisensmith (N.D.).

*REFERENCE ***: Luu (2015). Implementing an Information Security Continuous Monitoring Solution—A Case Study. ISACA Journal
(1). Available from https://www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=264.

*REFERENCE ****: Luu (2015).

While useful, the approach used to obtain reputational scores like Security Scorecard and Bitsight is limited (similar to a narrowly scoped external penetration test) and is arguably unique for each organization’s network. It is further recognized that each scorecard vendor uses a proprietary approach to collecting data as well as proprietary analytics when computing the scores or ratings. In addition to the challenges inherent in their opacity, any changes to these proprietary approaches can change an organization’s score, sometimes dramatically, when there has been no discernable change in their actual security posture.* This is because the type of evidence collected for these scorecards is circumstantial and statements made about the actual state of the organization’s security posture must be inferred rather than directly observed.

Simply put, security scorecards cannot replace the level of assurance provided by a thorough assessment of an organization’s information protection program, including its overall approach to risk and risk management as well as detailed reviews of its privacy and security controls.

*REFERENCE *: CSO Online (2016, Aug 4).