There are some big changes coming to HITRUST this year. At the end of 2022, the alliance announced the release of a new version of the framework. In January 2023, they officially launched HITRUST v11. This marks a major update to the framework and achieves one of the alliance’s goals: to facilitate the attainment, maintenance, and exchange of these assurances.
“There is no question that frameworks need to stay relevant with current and emerging threats so organizations can conduct assessments as efficiently as possible and provide practical, yet meaningful, assurances to stakeholders. The investments we’ve made in our AI-based standards development platform have dramatically improved our ability to assess threat-adaptive mitigations, add authoritative sources, and reduce redundancies, allowing organizations to achieve the same level of assurance with less effort.” – Andrew Russell, VP of Standards, HITRUST.
What’s New in HITRUST v11?
CSF v11 enables greater efficiency when it comes to reducing the level of effort required for HITRUST certification. For example, the level of effort needed to achieve and maintain HITRUST Implemented, 1-year (i1) Certification over two years can be reduced by up to 45%.
Cyber Threat Intelligence
Evolving from a framework that was ‘cyber threat adaptive,’ HITRUST v11 introduces more advanced ‘cyber threat intelligence.’ This means that the control selection for the HITRUST assessment framework is adapted to address real, current threats and fit every level of assurance.
AI-Infused Framework Mapping
HITRUST’s development of AI-based standards reduces the time assurance experts have to spend mapping and maintaining authoritative sources by up to 70%. CSF v11 is the first version to be developed with this enhanced function, which also allows for more accurate mappings to authoritative sources and the future inclusion of additional authoritative sources.
When applied to security mapping, threat intelligence works to keep the framework up to date and get rid of controls that are no longer relevant in this environment. This helps reduce the time and cost incurred by fieldwork and testing. In comparison to other compliance frameworks, HITRUST is setting a new gold standard for keeping up with evolving threats.
Integrated Shared Compliance
HITRUST CSF v11 is integrated with Microsoft Azure, Dynamics 365, Microsoft 365, and Power Platform. This makes it easier for compliance officers to understand what is required of them and their organizations. In addition, Microsoft is collaborating with HITRUST and other partners to develop new capabilities that will improve clarity on compliance requirements and shared responsibilities across the U.S. and worldwide.
“The HITRUST inheritance program offers tremendous value to customers who build on our platform and can inherit our controls in their HITRUST assessment. The expanded and traversable HITRUST assessment portfolio provides new flexibility enabling more organizations to leverage Microsoft’s HITRUST assessments through the shared responsibilities and inheritance program to reduce the scope, cost, and time to achieve and maintain their own HITRUST compliance.” – David Houlding, Director, Global Healthcare Business Strategy, Microsoft.
With the release of CSF v11, HITRUST has expanded the number of authoritative sources it draws from to include NIST SP 800-53 Rev 5 and the Health Industry Cybersecurity Practices (HICP) standards. This update provides a more comprehensive foundation against which organizations can measure their cybersecurity posture. With this, HITRUST continues its commitment to being industry-agnostic and becoming ever more applicable to businesses in all sectors, even outside of healthcare.
New HITRUST Assessment Options
Just last year, HITRUST unveiled new assessment options and a clearer naming structure. At the 2021 HITRUST Collaborate conference, the group announced an extension of its portfolio of HITRUST assessments geared to provide varying degrees of assurance based on an organization’s needs.
HITRUST unveiled two new assessment options developed in response to the growing demand for different levels of assurance and greater ‘rely-ability’. Similar to the HITRUST CSF Validated Assessment, these new solutions are designed to guide organizations in determining control efficacy as well as cyber preparedness and resilience.
Stair-Step HITRUST Assessment Structure
The expanded HITRUST assessment options are important for another reason: they are aligned specifically to form a traversable ladder for organizations. While still providing a single framework (HITRUST CSF) for all assurance needs across different risk levels and compliance requirements, the three types of assessments are stacked in a way that makes a clearer and easier path for organizations seeking HITRUST certification.
“This structure creates a traversable journey up the ladder. It starts with foundational cybersecurity for low-risk organizations and those who are approaching a HITRUST assessment for the first time. Then, organizations can work their way up to higher levels of assurance and program maturity. But this also reduces the level of effort involved because we can cut out a number of controls that are no longer relevant thanks to updated, threat-intelligent mapping.” – Marc Fitzpatrick, the director of product marketing at HITRUST.
The assessments are now structured as either subsets or supersets of each other. This means that engaged organizations can reuse the work done in lower-level HITRUST assessments to progressively achieve higher assurance. By sharing common control requirements and maturity levels, compliance officers will have less work to do in order to reach those higher levels of assurance.
HITRUST Essentials, 1-Year (e1) Validated Assessment Option
The HITRUST e1 Assessment is the first step in this more gradual approach. It’s designed to be efficient and flexible. Because it focuses on foundational cybersecurity measures, the HITRUST e1 is a good fit for startups, small companies, organizations approaching a HITRUST assessment for the first time, business associates and third-party vendors, as well as low-risk organizations.
The HITRUST e1 validates that the most critical cybersecurity controls are in place and that the risk management program is built on solid ground. It’s also a faster way to get the assurances you need, establish benchmarks, and identify coverage gaps.
Validated Assessment + Certification
The Implemented, 1-Year (i1) Validated Assessment is a “best practices” assessment meant for medium- to large-sized businesses and situations involving moderate risk or the need for a baseline risk assessment. For equivalent time, effort, and expense, the i1 delivers greater transparency, integrity, and reliability than the moderate assurance reports currently available.
The i1 Validated Assessments will be validated by HITRUST Authorized External Assessors. This has two main benefits for the assessed entity that were not previously possible together: it’s certifiable and it provides a moderate level of assurance.
Validated Assessment + Risk-Based Certification
The HITRUST CSF Validated Assessment continues to be the most comprehensive standard for multiple industries as a risk-based and customizable assessment. It will represent the highest degree of assurance going forward as well, although it will go by a new name: HITRUST Risk-Based, 2-Year (r2) Validated Assessment. The r2 is designed for situations with high-risk exposure owing to data quantities, regulatory compliance, or other risk considerations.
| | HITRUST Essentials, 1-Year (e1) Validated Assessment | HITRUST Implemented, 1-Year (i1) Validated Assessment | HITRUST Risk-Based, 2-Year (r2) Validated Assessment (Formerly: HITRUST CSF Validated Assessment) |
|---|---|---|---|
| Description | Validated Assessment + Certification | Validated Assessment + Certification | Validated Assessment + Risk-Based Certification |
| Purpose (Use Case) | Focus on good security hygiene controls in virtually any size organization with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirements | Focus on security best practices in medium-sized and larger organizations with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements | Focus on a comprehensive risk-based specification of controls suitable for most organizations with a very rigorous approach to evaluation, which is suitable for high assurance requirements |
| Number of Control Requirement Statements | Lean set of 44 controls | Approximately 200 (static) | 2000+ based on tailoring (360 on average in scope of assessments) |
| Flexibility of Control Selection | No tailoring | No tailoring | Tailoring |
| Targeted Coverage | NISTIR 7621: Small Business Information Security Fundamentals | NIST SP 800-171, HIPAA Security Rule | NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others |
| Level of Assurance | Low | Moderate | High |
| Level of Effort Required | Low | Moderate | High |
| Certification Valid for | 1 Year | 1 Year | 2 Years |
Risk-Based Readiness Assessment
HITRUST’s Risk-Based, 2-year (“r2”) Readiness Assessment is specifically intended to help organizations as they prepare for a future HITRUST assessment. It’s a self-attested assessment designed to establish their security posture and identify any necessary remediation measures. This self-assessment is available for organizations that are approaching the r2 Validated Assessment and the i1 Validated Assessment.
To maintain HITRUST r2 Certification, each organization must complete an interim engagement 12 months after certification. The HITRUST Interim Assessment allows organizations to keep their certification valid for the full 24 months, at which point re-certification is required.
The HITRUST Bridge Assessment enables organizations to maintain their HITRUST r2 Certification report for an extra 90 days. This certificate extends the period for which the report is valid even if the re-certification submission due date has lapsed. Knowing that preparing for an r2 is a long process, the stair-step structure allows you to start with the essentials and then move up to industry-leading security practices and running a robust cybersecurity program.
What Other Changes Can We Anticipate from HITRUST in 2023?
That’s not all! HITRUST has more than hinted at a few additional upcoming changes. The HITRUST Assurance Intelligence Engine will leverage AI to make the assessment process faster and more precise for all three types of assessment options. This automated tool provides real-time feedback to external assessors and directly to assessed entities. It works to discover mistakes and omissions in order to increase the accuracy of the information submitted and, in turn, decrease the turnaround time needed for HITRUST’s centralized oversight body to issue official assessment reports.
The new HITRUST Results Distribution System (RDS) will also be available for all HITRUST assessment types. The RDS streamlines the lengthy process of collecting, analyzing, and evaluating assessment data from third-party vendors. It also replaces the clunky and insecure practice of sharing third-party attested security and privacy assessment reports as PDFs between the attestation body, the assessed entity, and their relying parties. Rather than requiring customers, trading partners, and regulators to manually review the report and look for the information they need, businesses can share assessment findings with interested parties through a secure web portal or API. This makes it faster and easier to glean the information needed to make risk-related decisions.
Are You Ready for the New HITRUST v11 Certification Requirements?
That’s where I.S. Partners comes in; fill out our contact form for an initial consultation and free estimate.