HITRUST CSF Assurance sets benchmark for assessment of security and privacy controls and NIST Cybersecurity Framework

Frisco, TX – January 18, 2017 – HITRUST announced today the expansion of the HITRUST CSF Assessor Council and the creation of a Quality Subcommittee. This development supports HITRUST’s commitment to ensuring the integrity and reliability of the HITRUST CSF Assessment process as adoption and reliance increase across healthcare and other industries for the assessment of security and privacy controls, NIST Cybersecurity Framework attestation and GDPR reporting.

“The implications are significant for professional services firms, assessed entities, those who rely on assessment reports, and HITRUST. The HITRUST CSF Assessor Council has proven to be an integral partner to the HITRUST CSF Assurance program, serving as a vehicle to maintain the quality of the assessment and the assurance level while considering the costs to the assessed entity,” said Ken Vander Wal, Chief Compliance Officer, HITRUST. “With the addition of the Quality Subcommittee, we are going further to give the CSF Assessors a more active role.”

Now in its second year, the HITRUST CSF Assessor Council has grown to 20 appointees, representing a broad range of experience in information security and privacy. The council provides a forum through which HITRUST CSF Assessors can submit input directly to HITRUST, thereby influencing the HITRUST CSF Assurance program so that its integrity, effectiveness, and efficiency are maintained and continue to evolve. The creation of the Quality Subcommittee further upholds the continued focus on maintaining a standard of excellence.

The following individuals, who have been appointed to the 2018 HITRUST CSF Assessor Council, have also been selected to serve on the 2018 Quality Subcommittee:

  • Steve Simmons, Director of Compliance, A-LIGN
  • Andrew Hicks, Managing Principal, Coalfire
  • Allen Foster Bradley, Advisory Senior Manager, Deloitte
  • Nancy Spizzo, Managing Director, Fortrex
  • Todd Bialick, Partner, PwC

“I am excited for the HITRUST community to continue to receive the value that comes from instilling discipline and uniformity in the execution of assessments as the adoption of the CSF continues to expand. The industry has sent clear signals that they rely significantly on assessor work, and as a trusted resource we always try to improve upon our delivery,” said Nancy Spizzo, Managing Director, Healthcare and Risk Assurance, Fortrex Technologies, Inc.

“The continued adoption of the HITRUST CSF hinges on the ability of stakeholders throughout the industry to understand and rely on the quality and integrity of the work supporting a validated assessment. The industry clearly understands the value of consistent and high-quality reporting on information security imperatives, and we are aligned with that goal. We are excited to invest our time and expertise in this initiative to maintain and enhance the HITRUST assurance program,” said Todd Bialick, U.S. Trust and Transparency Solutions Leader, PwC.

The additional 2018 HITRUST CSF Assessor Council appointees are:

  • Blaise Wabo, Managing Consultant, A-LIGN
  • Josh Ayers, Managing Director, BDO
  • Deepak Chaudhry, Director, BDO
  • Mark Ferrari, VP & CISO, BluePrint Healthcare IT
  • Keith Kenna, Manager, Compliance Programs, BluePrint Healthcare IT
  • Abe Dress, Director, Coalfire
  • Erika Del Guidice, Senior Manager, Crowe Horwath
  • Arshad Ahmed, Partner, Crowe Horwath
  • Doug Ochs, President, Fortrex
  • Powell Jones, Senior Manager, Grant Thornton
  • Brad Barrett, Senior Manager, Grant Thornton
  • Jessica Skibbe, VP & Chief Compliance Officer, Kirkpatrick Price
  • Brian Hukriede, Manager IT Security, Optum
  • Dennis Quandt, Director, PwC
  • Gary Nelson, Principal, Schellman & Co.

“It is vital that HITRUST maintains a process for ensuring quality and compliance with the CSF Assurance program,” said John P. Houston, Esq., Vice President, Privacy and Information Security & Associate Counsel, Information Security Group, University of Pittsburgh Medical Center (UPMC). He added, “The value of the program lies in my ability to rely on the findings contained in a CSF Assessment report regardless of which CSF Assessor issued it.”

The HITRUST CSF is a comprehensive security framework that addresses the multitude of security, privacy, and regulatory challenges facing organizations in healthcare and other industries in order to comply with industry (HIPAA, FFIEC), third-party (PCI, COBIT), and government (NIST, FTC, GDPR) regulations and standards.

HITRUST CSF Assessors are critical to upholding information security and privacy standards and are a core component of the HITRUST CSF program. They provide trained resources to organizations of varying size and complexity to assess compliance with security control requirements and document corrective action plans that align with the HITRUST CSF.

The HITRUST CSF Assurance Program includes the risk management oversight and assessment methodology governed by HITRUST and designed for the unique regulatory and business needs of various industries.

About HITRUST

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.

HITRUST actively participates in many efforts in government advocacy, community building, and cybersecurity education.
