Key Takeaways

1. HITRUST Explained: HITRUST certification combines multiple industry standards into one of the most rigorous frameworks for proving data security maturity.

2. Why Gap Assessments Matter: A HITRUST gap assessment highlights weaknesses before the formal audit, helping organizations avoid costly surprises.

3. Common Pitfalls Uncovered: Gaps often include incomplete risk assessments, weak access controls, inconsistent patching, and underdeveloped incident response plans.

Few frameworks carry as much weight as HITRUST when it comes to proving your organization takes cybersecurity and compliance seriously. Built on the HITRUST CSF, it brings together dozens of industry standards like ISO, NIST, HIPAA, and PCI DSS into a single, certifiable program. For healthcare providers, financial institutions, and any organization that handles sensitive data, achieving HITRUST certification signals to customers, partners, and regulators that your security practices meet the highest benchmarks.

But HITRUST certification is also known for being rigorous. The controls are detailed, the evidence requirements are strict, and the scoring model demands consistency across policy, procedure, and implementation. That’s why many organizations start with a HITRUST gap assessment. A gap assessment functions as a trial run: it highlights where your current controls align with the HITRUST CSF and where gaps exist. By surfacing weaknesses early—before you begin the formal HITRUST assessment—you can build a clear remediation roadmap, avoid costly surprises, and increase your chances of certification success.

Check Your Compliance Status Now!

Don’t know where to start? Answer a few questions and get free, personalized framework recommendations in 1 minute.

CHECK COMPLIANCE REQUIREMENTS HERE

Where a Gap Assessment Fits in the HITRUST Lifecycle

A HITRUST gap assessment is the fastest way to see how your current controls stack up against HITRUST CSF requirements before you invest time and money in the formal HITRUST assessment. It validates scope, surfaces weak spots early, and converts findings into a prioritized remediation plan so your validated assessment goes smoothly. 

In the HITRUST journey, organizations typically start with a readiness exercise and then pursue one of HITRUST’s three validated assessments depending on assurance needs:

  • e1 (Essentials, 1-year Validated Assessment): Entry-level certification focused on foundational cybersecurity practices, designed for low-risk organizations or organizations just starting their HITRUST journey.
  • i1 (Implemented, 1-year Validated Assessment): Best-practice assessment that evaluates whether required security controls are implemented, without scoring policy or procedure maturity.
  • r2 (Risk-based, 2-year Validated Assessment): The most comprehensive assessment, requiring evidence across all five maturity levels (Policy, Procedure, Implemented, Measured, Managed).

HITRUST’s assessment portfolio is designed to be “traversable,” meaning organizations can start at e1, then progress to i1 or r2 over time, carrying forward much of the work they’ve already done.

Why CSA STAR Level 2 CeThe HITRUST Gap Assessment Process (Step-by-Step)

The HITRUST gap assessment process generally follows these steps:

  1. Scope Precisely (Systems, Data, Locations, Vendors): The top driver of HITRUST efficiency is scoping. Under- or over-scoping inflates effort and risk.
  2. Collect Artifacts and Evidence in MyCSF: Pull policies, procedures, diagrams, inventories, logs, scan results, tickets, and training records. Use e1 or internal reviews to benchmark against CSF requirement statements.
  3. Map Controls and Score: For i1, you’re evaluated on implementation only. For r2, assessors consider the full maturity stack (Policy, Procedure, Implemented, Measured, Managed). HITRUST provides guidance and a scoring calculator aligned to MyCSF logic.
  4. Leverage Shared Responsibility and Inheritance: Pull in inheritable controls from cloud/service providers to reduce your in-scope effort. 
  5. Risk-Rank Findings and Build a Remediation/CAP Plan: Convert gaps into time-bound corrective actions, owners, and evidence requirements. For r2, low scores often require corrective action plans (CAPs).
  6. Remediate and Re-test: Close gaps, harden documentation, and confirm that measurements/metrics exist where required (particularly for r2).
  7. Roll into the Validated Assessment: With gaps closed and inheritance applied, you’ll reduce surprises in fieldwork and QA. IS Partners’ clients follow this same path for a smoother HITRUST review.

The 18 Most Common Gaps We See in HITRUST Readiness By Domain

When going through the HITRUST gap assessment process, here are some of the most common weaknesses we find across each domain:

  • Information Protection Program
    • No formally documented information security program.
    • Lack of governance or accountability (e.g., no security steering committee).
    • Policies exist but are not reviewed or updated annually.
  • Endpoint Protection
    • Missing endpoint detection and response (EDR) or outdated antivirus tools.
    • Weak enforcement of disk encryption across laptops and workstations.
    • Inconsistent patching of endpoint devices.
  • Portable Media Security
    • Lack of policies for encrypting or restricting USB drives.
    • No process for secure disposal of portable media.
    • Users are permitted to copy sensitive data without controls.
  • Third-Party Audit: An Mobile Device Security
    • No Mobile Device Management (MDM) solution for bring-your-own-device (BYOD) programs.
    • Inconsistent application of encryption and multifactor authentication (MFA).
    • Limited visibility into lost/stolen device reporting.
  • Wireless Security
    • Use of outdated Wi-Fi protocols (e.g., WPA2 without enterprise authentication).
    • Guest networks are not properly segmented.
    • Weak monitoring of rogue access points.
  • Configuration Management
    • Missing baseline configurations for servers, databases, and cloud instances.
    • No formal process for reviewing and approving configuration changes.
    • Inconsistent vulnerability hardening (e.g., default accounts still active).
  • Vulnerability Management
    • Scans are performed infrequently (e.g. quarterly instead of monthly or continuous).
    • Lack of defined remediation timelines based on risk/criticality.
    • No follow-up to verify patches are applied.
  • Network Protection
    • Flat network architecture with limited segmentation.
    • Firewalls are in place, but rule sets are outdated or not reviewed regularly.
    • No intrusion detection or prevention system (IDS/IPS) monitoring east-west traffic.
  • Transmission Protection
    • Sensitive data is transmitted without enforced TLS 1.2+ or equivalent encryption.
    • APIs lack proper authentication and encryption mechanisms.
    • Email encryption is not applied consistently to sensitive communications.
  • Password Management
    • Weak password complexity and length requirements.
    • Passwords are not rotated or reviewed regularly.
    • No enforcement of MFA for privileged accounts.
  • Access Control
    • Delayed deprovisioning of terminated employees.
    • Excessive permissions (“admin creep”) from role changes.
    • No periodic access recertification or least-privilege enforcement.
  • Audit Logging and Monitoring
    • Logs are not centralized in a security information and event management (SIEM) solution.
    • Gaps in log retention (not meeting policy or regulatory timelines).
    • Alerts are not tied to use cases (lots of “noise,” little action).
  • Education, Training, and Awareness
    • Annual training is not completed by all employees.
    • No role-based training for privileged users.
    • Lack of phishing simulations or measurable security awareness outcomes.
  • Incident Management
    • Incident response (IR) plan is not documented or tested annually.
    • No post-incident lessons learned or metrics tracking.
    • IR roles and responsibilities are unclear.
  • Business Continuity and Disaster Recovery (BC/DR)
    • BC/DR plans are outdated or untested.
    • Backups are not encrypted or tested for restoration integrity.
    • No alignment of recovery time objectives (RTOs) or recovery point objectives (RPOs) with business needs.
  • Risk Management
    • Risk assessments are performed ad hoc instead of annually.
    • No formal risk methodology or scoring model.
    • Risks are identified but not tracked with mitigation plans.
  • Physical and Environmental Security
    • Data center access is not logged or reviewed.
    • Insufficient visitor controls (e.g., no escort or sign-in logs).
    • Environmental controls (HVAC, fire suppression) are not tested.
  • Data Protection and Privacy
    • Inconsistent data classification scheme (e.g., PII not labeled).
    • Retention and disposal policies are not enforced.
    • Lack of consent management or privacy notices for data subjects.

Many of these gaps are repeat offenders—they appear across industries and organization sizes. A HITRUST gap assessment helps you pinpoint which domains need the most work so remediation can be prioritized before the validated assessment.

What to Expect During Your HITRUST Gap Assessment 1

Compliance questions? Get answers!

Book a free 30-minute consultation with a specialist to find your path to compliance. Secure your spot today.

SPEAK TO AN EXPERT

How IS Partners Streamlines Your HITRUST Assessment

Earning HITRUST certification is one of the most effective ways to demonstrate that your organization protects sensitive data with the highest level of rigor. But the path to certification doesn’t have to be overwhelming. A HITRUST gap assessment gives you the visibility and structure you need to identify weaknesses, prioritize remediation, and enter the validated HITRUST assessment process with confidence.

By taking the time to evaluate your scope, policies, procedures, and technical controls before the audit begins, you set your team up for a smoother certification journey—and send a powerful signal to customers and regulators that security is a top priority.

At IS Partners, we help organizations streamline this process with clear guidance, practical remediation strategies, and proven audit methodologies. Our team guides you through scoping, readiness, remediation, and validated assessment—reducing effort and shortening timelines by getting scope right, structuring evidence, and maximizing inheritance where appropriate. With the right preparation, you’ll not only be ready for HITRUST certification—you’ll strengthen your overall cybersecurity posture along the way. Want to learn more about how we can help you prep for your upcoming HITRUST assessment? Check out our full list of HITRUST certification services.

What Should You Do Next?

  1. Scope Your Environment Early: Ensure systems, data, and vendors are properly defined before starting the HITRUST process.

  2. Conduct a HITRUST Gap Assessment: Benchmark your policies, procedures, and technical controls against the CSF.

  3. Work With an Experienced HITRUST Assessor: IS Partners can help you build a remediation roadmap and prepare for a successful certification.

Get a Quote Try our Compliance Checker

About The Author

Author - Robert Goddard, IS Partners
Robert is a Principal with IS Partners, LLC’s Business Process/Advisory Services practice in Horsham, PA. Robert has conducted a variety of Financial Statement Audits for a range of industries such as banking, healthcare, payroll, employee benefit plans (Pension, Health and Welfare), Unions and Construction.

Robert’s specialty is in audits of IT Controls and Infrastructure, Financial Statements, SOC 1 and SOC 2 audits, HITRUST CSF Assessments, Model Audit Rule (MAR), including evaluating business process as well as IT General Controls surrounding the reporting of financial information. He also has experience with analyzing Health Insurance information from AmeriHealth, Blue Cross Blue Shield, Express Scripts and Delta Dental. Additionally, Robert has performed audits for Construction and Special Tax related credits (Historical Tax Credits). He has prior work experience using ISSI, Great Plains and Peach Tree.

Prior to joining IS Partners, LLC, Robert was employed with Novak Francella in the Financial Statement Audit division, where he worked as an associate on external audit engagements in accordance with GAAP and DOL requirements.

Robert has a Bachelor of Science degree in Finance and Accounting from LaSalle University, Philadelphia, PA.

Related Content

Gain Deeper Insights

Get started

Get a quote today!

Fill out the form to schedule a free, 30-minute consultation with a senior-level compliance expert today!

Benefit from:

ioc-checkAnalysis of your compliance needs
ioc-checkTimeline, cost, and pricing breakdown
ioc-checkA strategy to keep pace with evolving regulations

Want to speak to us now?

Call us at (866) 642-2230

or

Start a live chat

Great companies think alike.

Join hundreds of other companies that trust IS Partners for their compliance, attestation and security needs.

xeal logoaffinity logopresort logoclient-doelegal-2-2 (1)healthwaresystems logonlex-logo

Scroll to Top