New HITRUST Assessment Options for 2022
There are some big changes on the horizon for HITRUST. We can expect to see some new assessment options and the release of the most up-to-date HITRUST CSF® version, which will also be renamed the HITRUST Risk-based, 2-year (“r2”) Validated Assessment, by the end of 2021.
The HITRUST Collaborate conference was held recently, during the week of October 4th, 2021. HITRUST used this opportunity to announce an extension of its portfolio of HITRUST assessments geared to provide varying degrees of assurance based on an organization’s needs.
At the conference event, HITRUST unveiled two new assessment options that were developed in response to the growing demand for different levels of assurance and greater ‘rely-ability’. Similar to the HITRUST CSF Validated Assessment, these new solutions will guide organizations in determining control efficacy as well as cyber preparedness and resilience.
What HITRUST Assessment Options Are Being Introduced?
Starting later this year, the expanded HITRUST assessment portfolio will also include:
Verified Self-Assessment
Termed the Basic, Current-State (bC) Evaluation, this assessment is considered a “good hygiene” check for organizations of virtually any size. It provides a greater degree of reliability than a regular self-assessment or questionnaire because it is validated with the assistance of the HITRUST Assurance Intelligence Engine™ (AI Engine).
Validated Assessment + Certification
The Implemented, 1-Year (i1) Validated Assessment is a “best practices” assessment meant for medium- to large-sized businesses and situations involving moderate risk or the need for a baseline risk assessment. For equivalent time, effort, and expense, the i1 offers greater transparency, integrity, and reliability than the moderate-assurance reports currently available.
The i1 Validated Assessments will be validated by HITRUST Authorized External Assessors. This gives the assessed entity two main benefits that were not previously available together: it is certifiable, and it provides a moderate level of assurance.
Validated Assessment + Risk-Based Certification
The HITRUST CSF Validated Assessment continues to be the most comprehensive standard for multiple industries as a risk-based and customizable assessment. It will represent the highest degree of assurance going forward as well, although it will go by a new name: HITRUST Risk-Based, 2-Year (r2) Validated Assessment. The r2 is designed for situations with high-risk exposure owing to data quantities, regulatory compliance, or other risk considerations.
| | HITRUST Basic, Current-State Assessment (bC) | HITRUST Implemented, 1-Year (i1) Validated Assessment | HITRUST Risk-Based, 2-Year (r2) Validated Assessment (formerly: HITRUST CSF Validated Assessment) |
|---|---|---|---|
| Description | Verified Self-Assessment | Validated Assessment + Certification | Validated Assessment + Risk-Based Certification |
| Purpose (Use Case) | Focus on good security hygiene controls in virtually any size organization with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirements | Focus on security best practices in medium-sized and larger organizations with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements | Focus on a comprehensive risk-based specification of controls suitable for most organizations with a very rigorous approach to evaluation, which is suitable for high assurance requirements |
| Number of Control Requirement Statements | 71 static | Approximately 200 static | 2000+ based on tailoring (360 on average in scope of assessments) |
| Flexibility of Control Selection | No tailoring | No tailoring | Tailoring |
| Targeted Coverage | NISTIR 7621: Small Business Information Security Fundamentals | NIST SP 800-171, HIPAA Security Rule | NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others |
| Level of Assurance | Low | Moderate | High |
| Certifiable Assessment | No | Yes, 1-year | Yes, 2-year |
| Complementary Assessments | None | Readiness | Readiness, Interim, Bridge |
Risk-Based Readiness Assessment
HITRUST’s Risk-Based, 2-year (“r2”) Readiness Assessment is designed specifically to help organizations prepare for a future HITRUST assessment. It is a self-attested assessment intended to establish an organization’s security posture and identify any necessary remediation measures. This self-assessment is available for organizations that are approaching the r2 Validated Assessment and the i1 Validated Assessment.
To maintain HITRUST r2 Certification, each organization must complete an interim engagement 12 months after certification. The HITRUST Interim Assessment allows organizations to keep their certification valid for the full 24 months, at which point re-certification is required.
The HITRUST Bridge Assessment enables organizations to maintain their HITRUST r2 Certification report for an extra 90 days. This certificate extends the period for which the report is valid even if the re-certification submission due date has lapsed.
When Will the Expanded HITRUST Assessment Portfolio Be Released?
HITRUST is expected to officially roll out these new assessment options before the end of 2021. And that is just around the corner!
What Other Changes Can We Anticipate from HITRUST Going Towards 2022?
That’s not all! HITRUST has more than hinted at a few additional upcoming changes.
Increased Efficiency and Accuracy
The HITRUST Assurance Intelligence Engine will leverage AI to make the assessment process faster and more precise for all three assessment options. This automated tool provides real-time feedback to external assessors and directly to assessed entities. It works to discover mistakes and omissions in order to increase the accuracy of the information submitted, which in turn decreases the turnaround time needed for HITRUST’s centralized oversight body to issue official assessment reports.
The new HITRUST Results Distribution System (RDS) will also be available for all HITRUST assessment types. The RDS streamlines the lengthy process of collecting, analyzing, and evaluating assessment data from third-party vendors. It also replaces the clunky and insecure practice of sharing third-party attested security and privacy assessment reports as PDFs between the attestation body, the assessed entity, and their relying parties. Rather than requiring customers, trading partners, and regulators to manually review the report and look for the information they need, businesses can share assessment findings with interested parties through a secure web portal or API. This makes it faster and easier to glean the information needed to make risk-related decisions.
Updated HITRUST Framework
We have been anticipating the release of HITRUST CSF v10.0, which had been scheduled for release in 2020. This would be the first update since HITRUST CSF v9.3 took effect at the beginning of 2020. Experts predicted that this newer version would further expand the cybersecurity framework to be more easily applicable for businesses working in industries outside of healthcare.
At this point, we are anxiously waiting to hear what new improvements will be ushered in with HITRUST r2. This will likely take the place of the scheduled CSF version and is slated for release before the end of this year.
Overview of HITRUST CSF Versions
Here’s a quick overview of how HITRUST has changed over time and shaped the current risk management and compliance environment.
HITRUST CSF v8 (2016)
The updates for HITRUST Version 8 included “a more granular support for cybersecurity, AICPA SOC2 reporting, contextual data de-identification, cloud services, and expanded requirement details.”
- It integrates the AICPA’s Trust Principles and Criteria for security, confidentiality, and availability. The closer ties to this auditing principle, associated with SOC 2 reporting, make applying regulations and compliance standards easier for busy IT teams.
- It allows for contextual data de-identification when necessary, according to the HITRUST De-Identification Framework’s assessment protocol. A set of 12 characteristics helps assess controls, risks, and potential outcomes to guide IT professionals in data de-identification.
- It incorporates CIS CSC protections related to emerging digital security threats, recent cybersecurity guidance from the Precision Medicine Initiative, and key controls from the NIST Cybersecurity Framework.
- It has updates to improve practices related to PCI and cloud security.
HITRUST CSF v9.1 (2018)
This version introduced substantial modifications with far-reaching implications for businesses working with clients nationally and internationally.
- It incorporates standards set by the European Union GDPR and the New York State Cybersecurity Requirements for Financial Services Companies (NY-CRFSC).
HITRUST CSF v9.2 (2019)
There are two key changes in this update, and they focus on the shift to an agnostic framework, along with the integration of international regulatory requirements.
- It removes healthcare-specific regulatory requirements from all three implementation levels and places them in a different industry control segment. This change ensures that non-healthcare entities are not required to address these particular requirements in their assessment.
- For greater clarity, it provides plain-language versions of the EU’s General Data Protection Regulation (GDPR) requirements, as well as Singapore’s Personal Data Protection Act (PDPA).
HITRUST CSF v9.3 (2020)
The most recent version went into effect on January 1, 2020. HITRUST CSF v9.3 added new and updated requirements adopted from:
- California Consumer Privacy Act,
- Insurance Data Security Act of South Carolina,
- NIST SP 800-171 R2 (DFARS),
- NIST Framework for Improving Critical Infrastructure Cybersecurity,
- CMS ARS 3.1,
- IRS Publication 1075: Safeguards for Protecting Federal Tax Returns and Return Information,
- CIS CSC v7.1, and
- ISO 27799:2016 Health informatics.
Are You Ready for the New HITRUST Certification Requirements?
That’s where I.S. Partners comes in; fill out our contact form for an initial consultation and free estimate.