There are some big changes coming to HITRUST this year. At the end of 2022, the alliance announced the release of a new version of the framework. In January 2023, they officially launched HITRUST v11. This marks a major update to the framework and achieves one of the alliance's goals: to facilitate the attainment, maintenance, and exchange of these assurances.
"There is no question that frameworks need to stay relevant with current and emerging threats so organizations can conduct assessments as efficiently as possible and provide practical, yet meaningful, assurances to stakeholders. The investments we've made in our AI-based standards development platform have dramatically improved our ability to assess threat-adaptive mitigations, add authoritative sources, and reduce redundancies, allowing organizations to achieve the same level of assurance with less effort."
– Andrew Russell, VP of Standards, HITRUST.
What's New in HITRUST v11?
Greater Efficiency
CSF v11 reduces the level of effort required for HITRUST certification. For example, the effort needed to achieve and maintain HITRUST Implemented, 1-year (i1) Certification over two years can be reduced by up to 45%.
Cyber Threat Intelligence
Evolving from a framework that was "cyber threat adaptive," HITRUST v11 introduces more advanced "cyber threat intelligence." This means that the control selection for the HITRUST assessment framework is adapted to address real, current threats and to fit every level of assurance.
AI-Infused Framework Mapping
HITRUST's development of AI-based standards reduces the time assurance experts have to spend mapping and maintaining authoritative sources by up to 70%. CSF v11 is the first version to be developed with this enhanced function, which also allows for more accurate mappings to authoritative sources and the future inclusion of additional authoritative sources.
When applied to security mapping, threat intelligence keeps the framework up to date and removes controls that are no longer relevant in the current threat environment. This reduces the time and cost of fieldwork and testing. Compared with other compliance frameworks, HITRUST is setting a new gold standard for keeping up with evolving threats.
Integrated Shared Compliance
HITRUST CSF v11 is integrated with Microsoft Azure, Dynamics 365, Microsoft 365, and Power Platform. This makes it easier for compliance officers to understand what is required of them and their organizations. In addition, Microsoft is collaborating with HITRUST and other partners to develop new capabilities that will improve clarity on compliance requirements and shared responsibilities across the U.S. and worldwide.
"The HITRUST inheritance program offers tremendous value to customers who build on our platform and can inherit our controls in their HITRUST assessment. The expanded and traversable HITRUST assessment portfolio provides new flexibility enabling more organizations to leverage Microsoft's HITRUST assessments through the shared responsibilities and inheritance program to reduce the scope, cost, and time to achieve and maintain their own HITRUST compliance."
– David Houlding, Director, Global Healthcare Business Strategy, Microsoft.
More Authoritative
With the release of CSF v11, HITRUST has expanded the set of authoritative sources it draws from to include NIST SP 800-53 Rev 5 and the Health Industry Cybersecurity Practices (HICP) standards. This update provides a more comprehensive foundation against which organizations can measure their cybersecurity posture. With this, HITRUST continues its commitment to being industry-agnostic and becoming ever more applicable to businesses in all sectors, even outside of healthcare.
New HITRUST Assessment Options
Just last year, HITRUST unveiled new assessment options and a clearer naming structure. At the 2021 HITRUST Collaborate conference, the group announced an extension of its portfolio of HITRUST assessments, designed to provide varying degrees of assurance based on an organization's needs.
HITRUST unveiled two new assessment options developed in response to the growing demand for different levels of assurance and greater "rely-ability". Like the HITRUST CSF Validated Assessment, these new solutions are designed to guide organizations in determining control efficacy as well as cyber preparedness and resilience.
Stair-Step HITRUST Assessment Structure
The expanded HITRUST assessment options are important for another reason: they are aligned specifically to form a traversable ladder for organizations. While still providing a single framework (HITRUST CSF) for all assurance needs across different risk levels and compliance requirements, the three types of assessments are stacked in a way that creates a clearer and easier path for organizations seeking HITRUST certification.

"This structure creates a traversable journey up the ladder. It starts with foundational cybersecurity for low-risk organizations and those who are approaching a HITRUST assessment for the first time. Then, organizations can work their way up to higher levels of assurance and program maturity. But this also reduces the level of effort involved because we can cut out a number of controls that are no longer relevant thanks to updated, threat-intelligent mapping."
– Marc Fitzpatrick, Director of Product Marketing, HITRUST.
The assessments are now structured as either subsets or supersets of each other. This means that engaged organizations can reuse the work done in lower-level HITRUST assessments to progressively achieve higher assurance. Because the assessments share common control requirements and maturity levels, compliance officers have less work to do to reach those higher levels of assurance.
HITRUST Essentials, 1-Year (e1) Validated Assessment Option
The HITRUST e1 Assessment is the first step in this more gradual approach. It's designed to be efficient and flexible. Because it focuses on foundational cybersecurity measures, the HITRUST e1 is a good fit for startups, small companies, organizations approaching a HITRUST assessment for the first time, business associates and third-party vendors, and low-risk organizations.
The HITRUST e1 validates that the most critical cybersecurity controls are in place and that the risk management program is built on solid ground. It's also a faster way to get the assurances you need, establish benchmarks, and identify coverage gaps.
Validated Assessment + Certification
The Implemented, 1-Year (i1) Validated Assessment is a "best practices" assessment meant for medium- to large-sized businesses and for situations involving moderate risk or the need for a baseline risk assessment. For equivalent time, effort, and expense, the i1 delivers greater transparency, integrity, and reliability than the moderate assurance reports currently available.
The i1 Validated Assessment is validated by HITRUST Authorized External Assessors. This has two main benefits for the assessed entity that were not previously possible together: it is certifiable, and it provides a moderate level of assurance.
Validated Assessment + Risk-Based Certification
The HITRUST CSF Validated Assessment continues to be the most comprehensive standard for multiple industries as a risk-based and customizable assessment. It will continue to represent the highest degree of assurance going forward, although it will go by a new name: HITRUST Risk-Based, 2-Year (r2) Validated Assessment. The r2 is designed for situations with high-risk exposure owing to data quantities, regulatory compliance, or other risk considerations.
| Assessment Type | HITRUST Essentials (e1) | HITRUST Implemented (i1) | HITRUST Risk-Based (r2) |
|---|---|---|---|
| Description | | | |
| Goal | Foundational Cybersecurity | Leading Practices | Expanded Practices |
| Validated Assessment + Certification | | | |
| Targeted Coverage | NIST IR 7621: Small Business Information Security Fundamentals | NIST SP 800-171, HIPAA Security Rule | NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others |
| # of Control Requirements | 44 | 200 | 2000+ |
| Advantages | | | |
| Flexible Control Selection | | | |
| High Degree of Assurance | | | |
| Low Effort Required | | | |
| Certification Valid for | 1 Year | 1 Year | 2 Years |
Risk-Based Readiness Assessment
HITRUST's Risk-Based, 2-year ("r2") Readiness Assessment is designed specifically to help organizations prepare for a future HITRUST assessment. It is a self-attested assessment intended to establish their security posture and identify any necessary remediation measures. This self-assessment is available for organizations approaching the r2 Validated Assessment and the i1 Validated Assessment.
Interim Assessment
To maintain HITRUST r2 Certification, each organization must complete an interim engagement 12 months after certification. The HITRUST Interim Assessment keeps the certification valid for the full 24 months, after which re-certification is required.
Bridge Assessment
The HITRUST Bridge Assessment enables organizations to maintain their HITRUST r2 Certification report for an extra 90 days. This certificate extends the period for which the report is valid even if the re-certification submission due date has lapsed. Because preparing for an r2 is a long process, the stair-step structure allows you to start with the essentials and then move up to industry-leading security practices and a robust cybersecurity program.
What Other Changes Can We Anticipate from HITRUST in 2023?
That's not all! HITRUST has more than hinted at a few additional upcoming changes. The HITRUST Assurance Intelligence Engine will leverage AI to make the assessment process faster and more precise for all three assessment options. This automated tool provides real-time feedback to external assessors and directly to assessed entities. It works to discover mistakes and omissions in order to increase the accuracy of the information submitted and, in turn, decrease the turnaround time needed for HITRUST's centralized oversight body to issue official assessment reports.
The new HITRUST Results Distribution System (RDS) will also be available for all HITRUST assessment types. The RDS streamlines the lengthy process of collecting, analyzing, and evaluating assessment data from third-party vendors. It also replaces the clunky and insecure practice of sharing third-party attested security and privacy assessment reports as PDFs between the attestation body, the assessed entity, and their relying parties. Rather than requiring customers, trading partners, and regulators to manually review the report and look for the information they need, businesses can share assessment findings with interested parties through a secure web portal or API. This makes it faster and easier to glean the information needed to make risk-related decisions.
Are You Ready for the New HITRUST v11 Certification Requirements?
That's where IS Partners comes in; fill out our contact form for an initial consultation and free estimate.