Currently, a SOC 2 + HITRUST assesses all 135 HITRUST controls. Does a SOC 2 + HITRUST CSF Certification assess all 135 or only the 66 required for HITRUST certification?

HITRUST CSF and SOC 2® Frequently Asked Questions

HITRUST is working with the AICPA to update the SOC 2/HITRUST certification guidance to illustrate a SOC 2 + HITRUST CSF opinion that would be based upon the CSF controls required for certification; for CSF v8 there are 66 controls required for HITRUST CSF…

How often do I need to get a HITRUST CSF assessment report to support my third-party assurance requirements?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

HITRUST CSF Validated Reports with Certification are valid for two years given the successful completion of an interim review (typically 12 months after the original assessment), that no breach and no significant changes have occurred relating to the scoped control…

If I am already HITRUST CSF Certified, how do I get a copy of my certification for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question

A scorecard and certification for the NIST Cybersecurity Framework can be generated against a prior assessment against HITRUST CSF v9 and v9.1. Cost of the additional scorecard is $500. For more information, contact HITRUST by email at sales@hitrustalliance.net or by…

How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question

As part of the HITRUST CSF Assurance Program, upon receiving a HITRUST CSF Assessment Report, organizations may request a Press Kit with details on how they may publicly communicate their HITRUST CSF Certification status, which also includes certification of its…

How does a CSF assessment meet the HIPAA requirement for a risk analysis, and can it be used to support an OCR audit?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

HITRUST bases its framework on how risk management is defined, i.e., the process of managing risk to organizational operations, organizational assets or individuals resulting from the operation of an information system (the definition of which is quite broad), and…

How does the threat catalogue make the HITRUST CSF better or improve its ability to help manage risk?

HITRUST CSF Threat Catalogue FAQ

By identifying and mapping threats to HITRUST CSF control requirements, HITRUST will have additional visibility into how the controls mitigate associated risk. This will help ensure the risks associated with specific threats are addressed appropriately, including any…

How many organizations have completed a HITRUST CSF assessment?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

38,000 CSF Assessments have been performed in the last three years with 15,000 CSF Assessments in 2015 alone. HITRUST anticipates a continued demand for CSF Certification due to third-party assurance requirements from several major health organizations and requests for…

How many organizations have completed a HITRUST CSF Assessment?

CSF Assurance Program FAQ

Over 44,000 CSF assessments have been performed in the last three years with over 18,500 CSF assessments in 2016 alone. HITRUST anticipates a continued demand for CSF certification due to third party assurance requirements from several major health organizations and…

Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?

HITRUST CSF and NIST CSF Frequently Asked Question

While it is possible, the likelihood that an organization can be certified against the NIST Cybersecurity Framework without meeting the requirements for HITRUST CSF certification is very small. This is because each certification is based on a single assessment. …

What is the process for an organization to achieve HITRUST CSF Certification?

CSF Assurance Program FAQ

Before starting the Certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the Certification process, please select a HITRUST Assessor. Once you select an…

What is the process for an organization to achieve HITRUST CSF Certification?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Before starting the certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the certification process, please select a HITRUST Assessor. Once you select an…

What controls are included in both a HITRUST CSF Certification and HITRUST’s certification for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question

An organization selects an appropriate set of security control requirements for its information protection program based on its organizational, system and regulatory risk factors, and it is this set of control requirements that constitute its NIST Cybersecurity…

How does my firm become a HITRUST Assessor?

CSF Assessor Program FAQ

To become a CSF Assessor, organizations must meet certain requirements set forth by HITRUST to ensure adequate knowledge, training and expertise. The process for becoming a CSF Assessor includes the following steps: 1. Complete and submit a CSF Assessor application…

What is the length of time it takes to become HITRUST CSF Certified?

CSF Assurance Program FAQ

CSF Certification can be achieved when all 64 required controls are fully implemented in the scoped environment (2015 CSF v7 requirement). The total amount of time it can take an organization to become certified is therefore dependent on its initial readiness level…

How will HITRUST use threat intelligence to update the requirements in the CSF?

HITRUST CSF Threat Catalogue FAQ

By understanding the control requirements in the HITRUST CSF that are intended to address specific threats identified in threat intelligence bulletins, HITRUST will be able to determine if they are adequately addressed—based on current industry accepted (aka…

Is HITRUST’s certification for the NIST Cybersecurity Framework separate from HITRUST CSF Certification?

HITRUST CSF and NIST CSF Frequently Asked Question

Yes, one certification is for the organization’s implementation of the HITRUST CSF controls and is based on minimum scoring criteria for 19 topical control areas, such as access control and wireless network security. The other is a certification of an…

If I’ve already adopted the HITRUST CSF, does that mean I’ve adopted the NIST CsF?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ

Yes, you’re well on your way as the HITRUST Risk Management Framework (RMF)—consisting of the HITRUST CSF, CSF Assurance Program and related method and tools—is the foundation for a model implementation of the NIST CsF in the private sector. Since the NIST…

How does threat intelligence linked to the CSF help me better protect health information?

HITRUST Threat Catalogue FAQ

The working group will work with the HITRUST Cyber Threat XChange (CTX) to develop the references needed to tie granular threats identified in HITRUST CTX threat bulletins to (1) higher-level threats contained in the HITRUST Threat Catalog and (2) related HITRUST CSF…

Does the CSF take a “one-size-fits-all” approach to information security?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ

The CSF is actually one of the most flexible information protection frameworks ever developed. First, the CSF was created by integrating multiple legislative, regulatory and leading practice guidelines and frameworks and tailoring the integrated requirements…

Does CSF Assurance take a compliance-based approach to information protection?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

From its inception, HITRUST chose to use a risk-based rather than compliance-based approach to information protection and help mature the healthcare industry’s approach to safeguarding information. By integrating NIST’s moderate-level control baseline into the…

What is the difference between a HITRUST practitioner and a HITRUST CSF Assessor?

CSF Assessor Program FAQ

HITRUST CSF Assessors are designated organizations qualified to provide assessments for clients seeking HITRUST Certification. HITRUST practitioners are either members of a HITRUST Assessor organization who have obtained this status through the HITRUST training class…

What is the difference between the HITRUST Scorecard of the NIST Cybersecurity Framework and the HITRUST CSF Certification?

HITRUST CSF and NIST CSF Frequently Asked Question

HITRUST CSF Certification is based on an organization meeting specific scoring criteria for the assessed requirements aggregated into 19 topical domains, e.g., access control and wireless network security. The scorecard HITRUST uses to support certification of an…

Are HITRUST assessments only useful for formal certification against the CSF?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Certification is only one of the ways the HITRUST CSF can be used. Not all organizations need to pursue certification, and validation will provide assurances that specific controls are implemented, which ones are not or may have been changed, and how well they are…

What would prompt HITRUST to issue additional CSF implementation guidance?

HITRUST CSF Threat Catalogue FAQ

A HITRUST Implementation Advisory would be issued if there is additional clarification around how HITRUST CSF requirements should be implemented to effectively address one or more threats—or as an interim measure until more stringent or enhanced control requirements…

What is the difference between a HITRUST CSF Assessor and a Certified CSF Practitioner (CCSFP)?

CSF Assessor Program FAQ

A Certified CSF Practitioner is an individual that has completed the required training, passed an exam, and meets the experience requirements for a practitioner. A HITRUST CSF Assessor is a firm that has met all the requirements to become authorized to perform HITRUST…

If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?

CSF Assurance Program FAQ

In principle yes, but it is not black and white. To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of…

If I’m HITRUST CSF certified, does that mean I’m HIPAA-compliant?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of ePHI against all reasonably anticipated threats.…

Why should my organization get a certification relating to the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question

There has been a marked increase in the level of interest by corporate Boards and executive management in using the NIST Cybersecurity Framework [“Framework”], which can provide a “Rosetta Stone” for internal and external stakeholders, regardless of industry or…

HITRUST CSF Framework FAQ

Subtopics: Why choose the CSF over other frameworks (NIST, ISO, etc.)? How do I get started adopting the CSF framework? How can I obtain a copy of the CSF? What is the cost to download the framework? How is the CSF structured? Is the CSF an industry standard for…

Does the use of alternate controls diminish the value of HITRUST Certification?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Alternate (or compensating) controls, by definition, mitigate a similar type and amount of risk as the control it’s intended to replace. This is illustrated in the Risk Analysis Guide for HITRUST Organizations and Assessors by an example proposing the extension of…

The HITRUST CSF FAQ

Frequently Asked Questions About the HITRUST Risk Management Framework

Subtopics: Why does healthcare need a security framework? What were the industry’s goals for the CSF? Does the CSF take a “one-size-fits-all” approach to information security? Is the scope of the CSF too large for most healthcare organizations? Why choose…

Is a HITRUST certification assessment more expensive than comparable assessments?

CSF Assurance Program FAQ

No. This is a common misconception; in many cases the overall cost of information security and privacy assessments conducted under the program is less than that of other third-party assessments. The alignment between the HITRUST CSF and CSF Assurance programs allows a…

Does NIST recognize HITRUST as a certifying organization?

HITRUST CSF and NIST CSF Frequently Asked Question

Although NIST does not have its own certification program for the Cybersecurity Framework, NIST does recognize and actually encourage third party programs that provide a “confidence mechanism” for an organization’s implementation of the Framework, which also…

How often do I need to get a report?

Third Party Assurance FAQ

HITRUST CSF reports with Certification are valid for two years given the successful completion of an interim review, no breach has occurred and no significant changes have occurred relating to the scoped control environment. However, check with your business partner to…

If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST CsF?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ

If you’re HITRUST CSF Certified, you can demonstrate compliance with the NIST CsF in one of two ways. An organization can generate a NIST CsF scorecard based on the maturity of the HITRUST CSF control requirements that support each of the NIST CsF Core…

How does the RMF fit into the NIST CsF?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ

The HITRUST RMF, which consists of the HITRUST CSF, CSF Assurance Program and supporting tools, methods and services, is actually a model implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity…

How do I get started adopting the CSF framework?

HITRUST CSF Framework FAQ

First, the decision to adopt the CSF should be made at the organizational level, after which organizations should perform an internal gap analysis of existing controls against the target controls in the CSF. This analysis can be done manually or in HITRUST’s online…

How can my organization utilize the HITRUST CSF framework for an AICPA SOC 2 report?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

HITRUST and AICPA collaborated on the mapping of HITRUST CSF controls to AICPA Trust Principles and Criteria for Security, Confidentiality and Availability. Consequently, any AICPA firm can perform a SOC 2 examination leveraging the CSF framework. This allows the…

Does a CSF Assurance assessment weight all controls equally?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST CSF Validated or Certified Report. This is consistent with NIST…

What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question

ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs…

HITRUST CSF and NIST CSF Frequently Asked Question

Subtopics: Why should my organization get a certification relating to the NIST Cybersecurity Framework? How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework? Does NIST recognize HITRUST as a certifying…

Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?

Third Party Assurance FAQ

No. While a CPA firm can perform a SOC 2 examination based on the HITRUST CSF, per the requirements of the HITRUST CSF Assurance Program only authorized assessors can issue reports that grant HITRUST CSF certification. We currently have a growing list of over 30 assessor firms. …

Is a HITRUST CSF validated assessment more expensive than comparable assessments?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

No, and this is a common misconception. In many cases the overall assessment costs associated with information security and privacy assessments conducted under the HITRUST CSF Assurance Program are less than other third-party assessments. The alignment between the…

Is the HITRUST CSF Assurance Program a one-size-fits-all approach?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

As we’ve seen, the CSF is not a one-size-fits-all approach due to (1) an organization’s ability to tailor the initial selection of the control baseline in accordance with defined risk factors and (2) the requirement for additional tailoring based on unique threats,…

Who will accept HITRUST CSF Assurance Reports?

CSF Assurance Program FAQ

Many organizations accept CSF Assurance reports as a means of evaluating a business partner’s privacy and security controls, and in fact a growing number of organizations require that their business partners obtain a CSF Certification. Reference: HITRUST CSF Assurance…

Do HITRUST Certification programs provide safe harbor in the event of a breach?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Certification is not required by any regulatory body, nor has any regulatory body sanctioned certification as a mechanism to provide safe harbor in the event of a breach. This is true not just for the HITRUST CSF but for other standards and frameworks as they apply to…

CSF Assurance Program and Certification FAQ

Frequently Asked Questions About the HITRUST Risk Management Framework

Subtopics: What is the HITRUST CSF Assurance Program? What types of assessments are available in the CSF Assurance Program? What is the process for an organization to achieve HITRUST CSF Certification? Is a HITRUST CSF validated assessment more expensive than…

What is the HITRUST CSF Assurance Program?

CSF Assurance Program FAQ

The HITRUST CSF Assurance program is a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and…

What is the HITRUST CSF Assurance Program?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Designed to meet the unique regulatory and business needs of the healthcare industry, the HITRUST CSF Assurance Program provides a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and…

How can I obtain a copy of the CSF?

HITRUST CSF Framework FAQ

The latest version of the CSF framework is available on our website for qualified organizations. A qualified organization is defined as any organization employing a function or activity involving the use or disclosure of individually identifiable health information,…

HITRUST CSF and SOC 2® Frequently Asked Questions

Subtopics: Currently, a SOC 2 + HITRUST assesses all 135 HITRUST controls. Does a SOC 2 + HITRUST CSF Certification assess all 135 or only the 66 required for HITRUST certification? Do you have an ETA for when the updating of the Practitioner Document and Reporting…

Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?

CSF Assessor Program FAQ

HITRUST practitioners will complete the onsite training during the first year. The second and third year they are required to complete a refresher. The CSF Practitioner Refresher Course is a self-paced online course available for download from the HITRUST Academy. The…

How can my organization utilize the CSF framework for a SOC 2 report?

HITRUST CSF Framework FAQ

HITRUST and AICPA collaborated on the mapping of HITRUST CSF controls to AICPA Trust Principles and Criteria for Security, Confidentiality and Availability. Consequently, any AICPA firm can perform a SOC 2 examination leveraging the CSF framework, which allows the…

How can my organization utilize the CSF framework for a SOC 2 report?

CSF Assurance Program FAQ

HITRUST and AICPA are collaborating on the mapping of HITRUST CSF controls to AICPA Trust Principles and Criteria, and work has been completed on the Trust Services Principles for Security, Confidentiality and Availability. Consequently, any AICPA firm can perform a…

How is the CSF structured?

HITRUST CSF Framework FAQ

HITRUST recognized the global nature of healthcare and the need to gain assurances around the protection of covered information from non-U.S. business associates, which led to the International Organization for Standardization and International Electrotechnical…

Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?

Third Party Assurance FAQ

Organizations accepting ISO 27001 in lieu of CSF certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what’s in the ISO report with what it expects from the comprehensive, prescriptive and often granular…

If I am HITRUST CSF Certified, am I also certified for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question

HITRUST CSF Certification will generally result in certification of an organization’s information security program against the NIST Cybersecurity Framework because the control requirements for both frameworks are essentially the same; they’re just mapped and…

Frequently Asked Questions About the HITRUST Risk Management Framework

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In…

How does the threat catalogue help me perform a risk analysis?

HITRUST CSF Threat Catalogue FAQ

By understanding how HITRUST CSF controls address specific threats to ePHI, an organization can demonstrate the results of the risk analyses used by the underlying control frameworks in the HITRUST CSF, e.g., ISO 27002, NIST SP 800-53 and PCI DSS, as well as other…

How many organizations have adopted the CSF? Do you have a breakdown by type, size, location, etc.?

HITRUST CSF Framework FAQ

The HITRUST CSF is the most widely adopted security framework in the healthcare industry: 81 percent of hospitals and 80 percent of health plans have adopted the framework in some way, either as a best practices resource or as the basis for their information protection…

How many organizations have adopted the CSF? Do you have a breakdown by type, size, location, etc.?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ

The HITRUST CSF is the most widely adopted security framework in the healthcare industry: 83 percent of hospitals and 82 percent of health plans with over 500,000 members have adopted the framework. HITRUST can provide detailed benchmarking data by request. If you have…

Is the HITRUST certification for the NIST Cybersecurity Framework just for healthcare?

HITRUST CSF and NIST CSF Frequently Asked Question

No, HITRUST certification of an organization’s implementation of the NIST Cybersecurity Framework—just like HITRUST CSF certification—can be obtained by any organization, regardless of industry or whether they are US-based or international.

Does HITRUST rely too heavily on the Assessor’s opinion of control effectiveness?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

Assessors and auditors generally determine control effectiveness regardless of what controls are specified, albeit there is usually a negotiation between the auditor/assessor and the organization before the final report is issued. However, assessors actually have more…

What is the relationship between the control categories of the HITRUST CSF and the assessment domains found in MyCSF?

HITRUST CSF Framework FAQ

The simple answer is that there is no relationship between the HITRUST CSF control categories and the assessment domains. The HITRUST CSF control categories were derived from ISO and provide the structure for the framework. The assessment domains take the control…

How are HITRUST and covered entities engaging with HITRUST Third Party Assurance?

Third Party Assurance FAQ

HITRUST formed a Business Associate Council in March 2016. The Council was established to ensure healthcare industry business associates and other key vendors are able to influence and directly engage with HITRUST and healthcare organizations relating to the HITRUST Third…

Does the CSF Assurance Program support an “assess once, report many” approach?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ

HITRUST has recognized for some time that the current model used in the industry for Third-Party Assurance is fraught with inefficiencies and unnecessary costs by requiring duplicative questionnaires and assessments, which tend to distract organizations from monitoring…

How many questions, and how long will it take?

Third Party Assurance FAQ » How many questions, and how long will it take?

The HITRUST CSF Security Assessment Questionnaire generally includes between 120 and 328 questions, depending on how the risk factors are configured for the organization being assessed. The amount of time it will take to complete the assessment varies depending on the…

How can I confirm an organization's certification status?

CSF Assurance Program FAQ » How can I confirm an organization's certification status?

To confirm an organization's certification status, complete and submit the Certification Status Request form. HITRUST will validate the request and release the information with the approval of the certified organization.

Is the CSF a compliance-based or risk-based framework?

HITRUST CSF Framework FAQ » Is the CSF a compliance-based or risk-based framework?

The CSF is a risk-based framework. To understand why, one must understand the intent of selecting and implementing any specified set of controls, whether it’s a custom set developed from a traditional risk analysis or one tailored from a pre-defined control baseline…

Why does healthcare need a security framework?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ » Why does healthcare need a security framework?

For better or worse, the HIPAA Security Rule (HSR) applies to all covered entities and business associates regardless of their size, location or resources. Fortunately, the federal government recognized there is no ‘one-size-fits-all’ approach to securing sensitive…

How do I understand the CSF Assessment report I have received?

Third Party Assurance FAQ » How do I understand the CSF Assessment report I have received?

HITRUST has created a document that explains the assessment report, how to interpret it, and how it can be used to complement and enhance your current processes. Reference: Leveraging HITRUST CSF Assessment Reports: A Guide for New Users

CSF Assurance Program FAQ

Subtopics What is the HITRUST CSF Assurance Program? What are the various types of CSF Assessments? Is a HITRUST certification assessment more expensive than comparable assessments? What is the length of time it takes to become HITRUST CSF Certified? Who will…

How can I use the CSF Assurance Program for third-party risk management?

Third Party Assurance FAQ » How can I use the CSF Assurance Program for third-party risk management?

The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in…

How can I use the CSF Assurance Program for third-party risk management?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ » How can I use the CSF Assurance Program for third-party risk management?

The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in…

How can I receive notification when the HITRUST Threat Catalogue is available?

HITRUST Threat Catalogue FAQ » How can I receive notification when the HITRUST Threat Catalogue is available?

If you would like to be notified when the HITRUST Threat Catalogue is available, fill out the form on the Threat Catalogue Notification Sign-Up page.

Can I get a trial subscription or demo?

MyCSF FAQ » Can I get a trial subscription or demo?

HITRUST does offer a 2-week trial access into the MyCSF tool. This access is provided in a sandbox environment. This environment does not contain all of the functionality found in the production version of MyCSF and information input into this system will not transfer…

How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?

HITRUST CSF and NIST CSF Frequently Asked Question » How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?

HITRUST’s certification of the organization’s implementation of the NIST Cybersecurity Framework is for two (2) years, commensurate with the HITRUST CSF Assessment Report.

What methods are used to evaluate the effectiveness of CSF controls?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ » What methods are used to evaluate the effectiveness of CSF controls?

The HITRUST assessment methodology specifically requires assessors to:
- gather and examine documentation (e.g., policies, procedures, records, logs, vulnerability assessment reports, risk assessment reports);
- examine configuration settings, physical surroundings,…

HITRUST Threat Catalogue FAQ

Subtopics How do I explain the threat catalogue to my executives? How does the threat catalogue make the HITRUST CSF better or improve its ability to help manage risk? Can I get involved in the working group and, if so, how? When will cyber threat intelligence be…

CSF Assessor Program FAQ

Subtopics How does my firm become a HITRUST Assessor? What are the costs associated with the Assessor program? What is the difference between a HITRUST practitioner and a HITRUST CSF Assessor? Do I need to attend HITRUST training every year to maintain my status…

Can I get involved in the working group and, if so, how?

HITRUST Threat Catalogue FAQ » Can I get involved in the working group and, if so, how?

The Threat Catalogue is overseen by a governing board comprised of John Riggi, Managing Director, Cybersecurity & Financial Crimes, BDO Consulting; Kevin Charest, Ph.D., DSVP and CISO, HCSC; Roy Mellinger, VP, IT Security and CISO, Anthem, Inc.; and Bryan Cline, Ph.D.,…

HITRUST and the NIST Cybersecurity Framework FAQ

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ

Subtopics Can risk be calculated based on a control’s maturity level? Do non-contextual impact ratings for controls provide any real value? How does the RMF fit into the NIST CsF? Why can’t I just adopt the NIST CsF without leveraging additional guidance or…

How do I explain the threat catalogue to my executives?

HITRUST CSF Threat Catalogue FAQ » How do I explain the threat catalogue to my executives?

The threat catalogue provides a comprehensive list of threats to ePHI and other types of PII and maps these threats to the HITRUST CSF control requirements intended to address them. It allows HITRUST to better align CSF requirements with emerging threats, increasing…

Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

HITRUST works closely with NIST and we constantly analyze their documentation to see what additional guidance can be utilized. Many guidelines—most often those that are very technical or technology-specific—are typically outside the scope of the HITRUST CSF;…

Has the CSF been adopted internationally?

HITRUST CSF Framework FAQ » Has the CSF been adopted internationally?

Yes, organizations outside of the U.S.—typically business associates providing services to U.S. healthcare organizations—have implemented the CSF. However, other countries have expressed an interest in HITRUST in the past, and we expect this interest to grow as…

What are the various types of CSF Assessments?

CSF Assurance Program FAQ » What are the various types of CSF Assessments?

HITRUST offers two types of CSF Assessments: a self-assessment and a validated assessment. Self-assessment allows organizations to self-assess using the standard methodology, requirements, and tools provided under the CSF Assurance Program. HITRUST will then perform…

Will HITRUST Assessors be assessing against the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » Will HITRUST Assessors be assessing against the NIST Cybersecurity Framework?

Yes, this is done automatically because the same control requirements evaluated by the HITRUST Assessor for HITRUST CSF Certification are also used for certification of the organization’s NIST Cybersecurity Framework implementation. The control requirements are…

Why choose the CSF over other frameworks (NIST, ISO, etc.)?

HITRUST CSF Framework FAQ » Why choose the CSF over other frameworks (NIST, ISO, etc.)?

The CSF integrates and harmonizes requirements from many authoritative sources such as ISO, NIST, PCI, HIPAA and others, and tailors the requirements to a healthcare organization based on specific organizational, system and regulatory risk factors. The level of…

What were the industry’s goals for the CSF?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ » What were the industry’s goals for the CSF?

Through HITRUST, the healthcare industry sought to create a control framework that was:
- Built specifically for the unique needs of healthcare
- Relevant through regular maintenance of supporting authoritative sources and changes in the threat environment
- Scalable to…

What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?

If an organization does not meet HITRUST CSF requirements for certification against the NIST Cybersecurity Framework, HITRUST will issue an assessment report with a Letter of Validation in lieu of a Letter of Certification.

Is the CSF an industry standard for healthcare?

HITRUST CSF Framework FAQ » Is the CSF an industry standard for healthcare?

The CSF is not a standard in the same sense as ISO/IEC 27001:2013 and other, similar security standards given the CSF is a derivative work based on such standards. However, the CSF provides a consensus-driven standard of due care and due diligence for the protection of…

Why can’t I just adopt the NIST CsF without leveraging additional guidance or frameworks?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Why can’t I just adopt the NIST CsF without leveraging additional guidance or frameworks?

For an industry sector or organization to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework, or NIST CsF), one must understand that it relies on existing standards, guidance, and leading…

What is the best approach for implementing the NIST CsF in the healthcare industry?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » What is the best approach for implementing the NIST CsF in the healthcare industry?

The best approach for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity, or Cybersecurity Framework (CsF), is the approach outlined in the Healthcare Sector Cybersecurity Framework Implementation Guide, produced and published under…

Is the scope of the CSF too large for most healthcare organizations?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ » Is the scope of the CSF too large for most healthcare organizations?

Although HITRUST specifically provides for significant tailoring of the CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. An organization should not apply the CSF broadly unless it is scoped and tailored to the…

What types of assessments are available in the CSF Assurance Program?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ » What types of assessments are available in the CSF Assurance Program?

HITRUST offers two types of CSF Assessments – a self-assessment and a validated assessment. Self-assessments allow organizations to assess themselves using HITRUST’s standard methodology, requirements, and tools provided under the CSF Assurance Program. HITRUST…

Will HITRUST be incorporating the NIST Cybersecurity Practice Guides on Security Electronic Health Records on Mobile Devices?

HITRUST CSF Framework FAQ » Will HITRUST be incorporating the NIST Cybersecurity Practice Guides on Security Electronic Health Records on Mobile Devices?

HITRUST works closely with NIST and we constantly analyze their documentation to see what additional guidance can be utilized. Many guidelines—most often those that are very technical or technology-specific—are typically outside the scope of the HITRUST CSF,…

What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?

Consistent with the certification requirements for the HITRUST CSF, an organization must achieve a minimum score for each NIST Cybersecurity Framework Core Category, which is aggregated from the scores for individual HITRUST CSF control requirements as they are mapped…

What’s included in HITRUST’s certification report for the NIST Cybersecurity Framework?

HITRUST CSF and NIST CSF Frequently Asked Question » What’s included in HITRUST’s certification report for the NIST Cybersecurity Framework?

HITRUST will issue a Letter of Certification for the NIST Cybersecurity Framework with a NIST CSF scorecard in the HITRUST CSF Assessment Report. HITRUST will also issue a separate Letter of Certification and scorecard that can be distributed separately from the…

Why choose the CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?

Frequently Asked Questions About the HITRUST Risk Management Framework » The HITRUST CSF FAQ » Why choose the CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?

Many of the elements for the argument are presented in FAQs throughout this section. But more specifically, the HITRUST CSF is specific to the healthcare industry, built and maintained by the healthcare industry, and simply better for the healthcare industry. Many of…

Third Party Assurance FAQ

Subtopics How can I use the CSF Assurance Program for third-party risk management? How much does it cost to get a HITRUST CSF certification? How often do I need to get a report? How many questions, and how long will it take? How do I understand the CSF…

How often will the threat catalogue be updated?

HITRUST CSF Threat Catalogue FAQ » How often will the threat catalogue be updated?

We anticipate updates to occur annually, shortly after each HITRUST CSF release, or, upon recommendation of the HITRUST CSF Threat Working Group, when significant changes in the threat environment warrant an interim release.

How will the threat catalogue evolve over time?

HITRUST CSF Threat Catalogue FAQ » How will the threat catalogue evolve over time?

HITRUST anticipates the Threat Catalogue will be a “living document” due to the constantly changing threat environment, including planned improvements to better facilitate risk analyses and the consumption of threat intelligence. Changes will likely include…

Can assessors use sampling to improve the efficiency of the assessment?

Frequently Asked Questions About the HITRUST Risk Management Framework » CSF Assurance Program and Certification FAQ » Can assessors use sampling to improve the efficiency of the assessment?

Sampling methodologies can be a bit arcane, but sampling is actually very commonly used in the healthcare industry, especially by auditors. HITRUST also provides guidance to CSF Assessor organizations on the use of sampling in the HITRUST CSF Assessment Methodology…

Will all the threats to health information be listed in the catalogue?

HITRUST Threat Catalogue FAQ » Will all the threats to health information be listed in the catalogue?

The Working Group is focused on ensuring the threat list provided in the HITRUST Threat Catalogue’s initial release will be as comprehensive as possible. However, users of the Threat Catalogue should keep in mind that the threats are enumerated at a level consistent…

Is a current SOC 2 acceptable for meeting the third party assurance requirements?

Third Party Assurance FAQ » Is a current SOC 2 acceptable for meeting the third party assurance requirements?

It depends. The accepting organization will need to make a determination based on the scope of the review and the trust principles involved. While the current SOC 2 may be granted a waiver and accepted in the first year, it will be necessary to base future SOC 2…

Why should I purchase a MyCSF subscription if I just need a report?

MyCSF FAQ » Why should I purchase a MyCSF subscription if I just need a report?

Those purchasing a report and not a subscription to MyCSF will only have access to the MyCSF Assessment and Dashboard functions. This will not include a full, customizable view of the HITRUST CSF, benchmarking data or ability to leverage the functionality to support…

What types of questions are there, and what information will we need to provide?

Third Party Assurance FAQ » What types of questions are there, and what information will we need to provide?

The HITRUST CSF Assessment questionnaire will ask about your organization’s information security practices in 19 major topical domains such as information protection program, endpoint protection, portable media security, third party assurance and risk management.…

When will cyber threat intelligence be linked to the threats in the catalogue?

HITRUST CSF Threat Catalogue FAQ » When will cyber threat intelligence be linked to the threats in the catalogue?

Once the mappings between threats and CSF controls are completed, HITRUST will begin working with the HITRUST Cyber Threat XChange (CTX) to relate these mappings to the more granular threats identified in HITRUST CTX threat bulletins. HITRUST anticipates this work…

Can risk be calculated based on a control’s maturity level?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Can risk be calculated based on a control’s maturity level?

HITRUST evaluates likelihood based on an assessment of the control’s maturity level. To understand the approach, one must understand that a control framework is based on a broad risk analysis that considers threats to similar types of organizations for specific…

Do non-contextual impact ratings for controls provide any real value?

Frequently Asked Questions About the HITRUST Risk Management Framework » HITRUST and the NIST Cybersecurity Framework FAQ » Do non-contextual impact ratings for controls provide any real value?

The term “non-contextual” is used to indicate that the rating does not consider the state of existing controls in a particular organization’s environment. The problem HITRUST is addressing with the non-contextual ratings is that many, if not most, organizations…

Will the threat catalogue help me with HIPAA compliance?

HITRUST CSF Threat Catalogue FAQ » Will the threat catalogue help me with HIPAA compliance?

By enumerating common threats and common vulnerabilities, an organization will have additional information in support of a risk analysis consistent with NIST and HHS recommendations, which requires an “accurate and thorough assessment of the potential risks and…

What are the costs associated with the Assessor program?

CSF Assessor Program FAQ » What are the costs associated with the Assessor program?

The initial costs to join the Assessor program are a one-time application fee of $2,500, onsite training for 5 practitioners at $3,000 per student, and the first annual fee ranging between $30,000 and $115,000 (fee outlined in the CSF Assessor Agreement and determined by the…

MyCSF FAQ

Subtopics What is the difference between MyCSF and a GRC tool? Why should I purchase a MyCSF subscription if I just need a report? What is the cost to my organization? What are the modules, and why would I be interested? Can I get a trial subscription or…