What are the Two Different Types of CSF Assessments that HITRUST Offers?
- A HITRUST Self-Assessment allows an organization to conduct a review and assessment of its internal control environment using the standard methodology, requirements, and tools provided under the CSF Assurance Program. The self-assessment option removes potential barriers for organizations that lack the resources for an onsite assessment but must nonetheless implement data protection controls, maintain HIPAA/HITECH compliance, and report to external parties.
- A Validated Assessment is conducted by a HITRUST approved CSF Assessor, such as I.S. Partners, LLC. Using the CSF Assurance methodology, the assessor scores the organization’s internal controls. Assessments meeting or exceeding the current CSF Assurance scoring requirements for certification are indicated as “HITRUST CSF Certified” on the certification report from HITRUST.
Why Should You Choose the HITRUST CSF Over Other Available Frameworks (NIST, ISO, etc.)?
The HITRUST CSF includes and embodies requirements from various authoritative sources such as ISO, NIST, PCI DSS, HIPAA and others, and tailors the requirements to healthcare organizations based on specific organizational, system and regulatory risk factors. The level of integration and prescription in the framework, along with the quality and rigor of the CSF Assurance Program and supporting HITRUST products and services, makes the HITRUST CSF the easy choice for healthcare organizations.
How Can My Organization Utilize the CSF Framework for a SOC 2 Report?
HITRUST and the American Institute of Certified Public Accountants (AICPA) have joined together to map HITRUST CSF controls to the Service Organization Controls (SOC) 2 Trust Principles and Criteria, specifically the Trust Services Principles of Security, Confidentiality and Availability. I.S. Partners, LLC, as both a CPA firm and a HITRUST CSF Assessor, can perform a SOC 2 audit leveraging the CSF framework. If an organization requires both a SOC 2 and a HITRUST certification report, the two reports can be combined into a single report.
Provided that the interim review is completed successfully, with no breach having occurred and no significant changes having developed in the scoped control environment, HITRUST CSF reports with Certification are valid for two years. However, at the one-year anniversary of the Certification, I.S. Partners, LLC can assist with your organization’s reassessment by:
- Requesting your organization to update the scoping questions
- Reviewing the updated questionnaire for any changes from the original questionnaire
- Testing at least one control/statement in each domain
- Reviewing the status of any Corrective Action Plan (CAP) from the original assessment to ensure that satisfactory progress/milestones are being met