HITRUST expands assessment portfolio

Breaking down the new options

Jared Hamilton
HITRUST expands assessment portfolio

Since its founding in 2007, HITRUST has released many updates to its HITRUST CSF®, such as adding additional regulatory factors and incorporating new compliance reporting packs. The detail and robustness of the CSF has elevated it so that many consider it the gold standard for an in-depth, prescriptive, and certifiable assessment solution.

What has stayed consistent throughout this time has been the HITRUST CSF Validated Assessment, the only option available to organizations that want to gain HITRUST certification. The robustness of the CSF requires a rigorous evaluation approach. As a result, becoming certified involves great effort. Regardless of the level of assurance needed by an organization, this has been the only option – one that is not favorable in every situation.

However, HITRUST has recognized the need to expand its assurance portfolio and has recently announced two new assessment options to be available by the end of 2021. These new options are for instances that require only low or moderate assurance. The existing assessment option has been renamed and will continue to serve where the highest level of assurance is needed.

What are the HITRUST assessment options?

  • The Basic, Current-State (bC) Assessment. This new streamlined self-assessment option focuses on a fixed set of 71 requirement statements. It is suitable for organizations with low assurance needs seeking to quickly provide relying parties with nonvalidated information about their information protection program.
  • The Implemented, 1-Year (i1) Validated Assessment. This new validated assessment focuses on best practices (such as National Institute of Standards and Technology, Health Insurance Portability and Accountability Act, and Gramm-Leach-Bliley Act standards) and addresses approximately 200 requirement statements. It is suitable for organizations that wish to obtain or maintain their HITRUST certification and provide a moderate level of assurance to relying parties, but it requires a more practical level of effort than the existing assessment option to manage the universe of control requirements and undergo the assessment process.

    Key differences between the i1 and the traditional validated assessment (now r2) include: 
  • Focus is solely on the implemented maturity level – the policy, process, measured, and managed maturity levels are excluded.
  • HITRUST requirements managed by a third party can be excluded. Inheritance or reliance through an independent attestation (for example, SOC 2) is not required.
  • Assessment is conducted on an annual basis by an External Assessor.
  • A lower fixed number of requirement statements (219)
  • The HITRUST Risk-Based, 2-Year (r2) Validated Assessment. The rebranded equivalent of the current HITRUST CSF Validated Assessment, the r2 continues to use a risk-based approach to scope requirement statements. It includes all five maturity levels and operates on a two-year certification cycle.

What should I consider when choosing a HITRUST assessment?

Three key factors should be considered when choosing a HITRUST assessment: coverage, effort and assurance level, and certification and deliverable.

  • Coverage. What should be included in scope? The bC and i1 have static controls, while the r2 is fully customizable with all regulatory factors available to choose from.
  • Effort and assurance. What level of assurance is needed, and how much effort can be handled? These factors tie together, as the more effort put in, the more assurance the report will provide.
  • Certification and deliverable. Is certification required? If so, then an i1 or r2 assessment must be obtained. The i1 leads to a one-year certification, which must be fully reassessed annually, while the r2 leads to a two-year certification with interim assessment.

Differences in the HITRUST assessments: What to consider

  Basic (bC) Implemented (i1) Risk-based (r2)
Controls (requirement statements) 71 Approximately 200 Approximately an average of 360
Coverage NISTIR 7621: “Small Business Information Security: The Fundamentals” NIST SP 800-171, FTC/GLBA, HIPAA Security Rule NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, CMMC, PCI DSS, GDPR, and 37 others
Effort and assurance Low (nonvalidated) Moderate (validated) High (validated)
Certification and deliverable Report only Report with certification (1-year) Report with certification (2-year)

The Crowe perspective  

The new bC and i1 assessments both fulfill a highly recognized need for organizations with low and moderate assurance requirements to get started and over the finish line with a HITRUST assessment. In addition, the i1 leads to certification when validated by a third-party assessor. Both of these HITRUST assessment options are limited in scope, but they also greatly reduce the time and effort required to execute.

The i1 in particular likely will be very popular for many organizations that are new to HITRUST or that have considered HITRUST in the past but were unable to meet the effort required for certification. For smaller organizations or for situations where only low assurance is needed, the bC is a great option for organizations to get controls documented and position themselves to advance into higher levels of assurance with the i1 and r2 as their businesses grow, their information security programs mature, and their compliance expectations increase.

Establish extra credibility with our HITRUST certification services.

Contact us

Jared Hamilton
Jared Hamilton
Managing Director, IT Assurance Services