Consulting Services • Published 10/21/2021 Determining if the HITRUST CSF Certification® is Right for Your Organization

With the number of breaches across industries continuing to rise, cybersecurity remains a top concern for organizations today. Adopting a formal control framework helps to address cyber risks and can increase trust and transparency among both internal and external stakeholders. However, this can present its own challenges, as organizations must select a framework that is appropriate for their environment, industry, and compliance needs.

Because of the unique IT risk landscape at each organization, the HITRUST CSF® was developed to help organizations protect their systems and data, while providing a framework for achieving compliance with various IT laws and regulations. Below, we outline the basics of HITRUST® and how to determine if this certification could benefit your organization.

What is HITRUST?

HITRUST collaborates with privacy, information security, and risk management leaders across numerous industries to develop, maintain, and provide access to its framework, the HITRUST CSF. The HITRUST CSF covers generally accepted standards, such as ISO and NIST, and industry-specific standards and regulations, such as HIPAA, PCI, CCPA, and GDPR.

A HITRUST CSF Assessment provides organizations the ability to assess their security, privacy, and compliance as well as provide transparency to internal stakeholders and external organizations. HITRUST CSF Validated Assessments and the associated Validated Assessment Reports provide the assessed organization and any relying third-party entities with visibility into the current state of security, privacy, and compliance of the assessed organization. The HITRUST CSF can help demonstrate and communicate your security, privacy, and compliance posture to stakeholders.       

HITRUST CSF Assessment: What to expect

A HITRUST CSF Validated Assessment is adapted to organizations based on regulatory factors and the organization’s environment and risks, and testing must be performed by a HITRUST Authorized External Assessor. Based on the responses to the risk factors for your organization and in-scope systems, a HITRUST CSF Assessment is created with each of the in-scope requirement statements spread out across 19 domains. To achieve HITRUST CSF Certification, an organization must score at least a “3” in each domain.

HITRUST CSF Validated Assessments that meet scoring requirements are issued HITRUST CSF Certifications, which are valid for two years. At the one-year mark, organizations with HITRUST CSF Certifications will need a HITRUST CSF Interim Assessment performed by the External Assessor on a subset of controls. Corrective Action Plans (CAPs) are required for controls related to deficient requirement statements and will be reassessed as part of the interim assessment.

Organizations must select a framework that is appropriate for their environment, industry, and compliance needs.

Benefits of a HITRUST Certification

A HITRUST CSF Certification demonstrates that your organization maintains a robust cybersecurity risk and compliance program that can provide the necessary affirmation and transparency to both internal and external stakeholders. A HITRUST CSF Certification can differentiate your organization from competitors during vendor selection processes, and in some cases, third parties may require HITRUST Certification for business partners.

Preparing for a HITRUST CSF Assessment

The path to HITRUST CSF Certification can be a daunting and complicated task. To prepare for this journey, a HITRUST CSF Readiness Assessment should be performed to determine the organization’s current state of security, privacy, and compliance controls and to identify potential remediation efforts in preparation for a future HITRUST CSF Validated Assessment. Although not required for a readiness assessment, it is recommended that you have an External Assessor guide you through the process.

As an established HITRUST Authorized External Assessor, P&N often helps organizations understand their risk factors prior to a HITRUST CSF Assessment. The answers to these key questions will drive the corresponding controls, or requirement statements, that are reviewed during the readiness assessment and tested in the validated assessment. This can also help an organization during the quality assurance process performed by HITRUST after a validated assessment is submitted.

P&N can work with your organization to identify compliance with each requirement statement based on current policies, processes and procedures, including what procedures should be implemented to resolve any gaps. When you are ready for the HITRUST CSF Validated Assessment, it can be instrumental to perform the assessment in partnership with an Authorized External Assessor organization that is familiar with your organization, systems, and processes.

If you are contemplating the journey to HITRUST Certification, P&N is here to help you every step of the way. Contact us to discuss your organization’s needs.