This year marks some significant changes for HITRUST Certification. Until now, HITRUST provided only one path for organizations seeking certification. Now, organizations have an entirely new option that has some valuable advantages.
Why Is HITRUST Introducing New Certification Options?
The need for flexibility in the HITRUST certification process has been growing for some time. There has been a single mode for reaching certification, which was previously called the HITRUST CSF Validated Assessment. Though the validated assessment ensured a very high level of assurance, it was not always the right fit for every organization seeking certification. With its long list of control requirements and supporting assurance program, achieving this high level of assurance naturally requires a lot of effort on the part of the organization’s compliance team.
Learn more about the New HITRUST Assessment Options launched in 2022.
What Does the HITRUST i1 Cover?
This is why HITRUST decided to make a wider range of assessment options available. The new HITRUST i1 validated assessment should also fill the gap between the low-level assurance provided by readiness assessments and the high-level assurance of the validated assessment. It’s been designed in response to the demands of organizations requiring a moderate level of assurance in comparison to what is now called the HITRUST Risk-Based 2-Year Validated Assessment—or r2 for short.
The i1 control selection covers:
- NIST 171
- HIPAA Security Rule
- GLBA Safeguards Rule (both current and 2021 proposed updated versions)
- DOL EBSA Cybersecurity Program Best Practices
- NAIC Data Security Law
- NIST Interagency Report 7621, Small Business Information Security Fundamentals
- Health Industry Cybersecurity Practices (HICP)
What Types of Organizations Can Benefit from the HITRUST i1?
A lot of our clients are asking us about the new HITRUST assessment option and whether it makes sense for their organization.
The i1 meets the needs of organizations which are ready to seek a medium-level third-party assurance. It fits organizations which are ready to dedicate a moderate level of effort and investment to the compliance and reporting process. The i1 focuses more narrowly than the risk-based r2 assessment, targeting cybersecurity hygiene and best practices.
What Are the Advantages of the HITRUST, Implemented, 1-Year (i1) Validated Assessment?
There are some new benefits that come with the latest assessment options, as well as some timeless values that come as part of the HITRUST genetics.
Threat-Adaptive Controls
The i1 was also designed to close the gaps present in existing cybersecurity standards. Specifically, it works to address emerging threats, while also eliminating controls that are no longer relevant or applicable. Using threat intelligence data, the control selection is threat-adaptive, with enterprise-level mitigation mapped to HITRUST CSF requirements.
Continually Updated Control Requirements
Unlike other assurance programs, HITRUST has centralized oversight and works to stay up to date with the current threat landscape. Going forward, the threat selection of the i1 will be reviewed quarterly and updated as needed. This won’t interfere with engagements that have already been validated or which are underway, however. Any updates will not go into effect until the next HITRUST effort.
Relief from Outdated Control Requirements
According to HITRUST, “In addition to adding requirements in response to new and emerging cyber threats, we will also sunset requirements that are no longer justifiable (risk mitigation exceeds costs of incident), which reduces unnecessary assessment effort.”
Quality Assurance
The assessment still lives up to the reputation for gold-standard level of quality and Rely-ability™ that HITRUST certifications have earned. Unlike other third-party assessments, the HITRUST framework is industry agnostic, comprehensive, standardized, and verified through a quality assurance review process.
Like the other HITRUST validated assessment, the i1 delivers a consistent level of assessment quality. This shorter assessment is also overseen by an Authorized HITRUST External Assessor in the control implementation phase and the results are checked by six levels of independent and objective quality assurance reviews. In addition, HITRUST leverages the power of their Assurance Intelligence Engine (AIE) to speed up testing with more than 150 automated checks.
Quality Deliverables
Successfully completing the i1 also results in a shareable, final report with certification issued by HITRUST. Validated reports and certification can be easily shared with stakeholders via the HITRUST RDS and Assessment XChange.
Prescriptive & Practical
The i1 provides effective information protection assurances of the assessed entity’s scoped control environment. And, as with all HITRUST assessments, it is also prescriptive, which helps organizations as they determine suitability and applicability.
In Line with the Full HITRUST CSF
For organizations approaching the r2, the i1 is a helpful foundation. All of the controls contained in the i1 are resident in the HITRUST CSF. As organizations work through the readiness and validated assessments for i1 certification, they are simultaneously preparing for full r2 certification. Plus, engaged entities can still use the HITRUST MyCSF portal as a guide through the compliance process.
Authorized External HITRUST Assessors – I.S. Partners
Contact I.S. Partners for expert assistance choosing the right HITRUST assessment for your organization this year. We can walk you through the process of defining the scope, preparing for assessment, gap analysis and remediation, as well as the ongoing process of certification and re-certification.