In December of 2021, HITRUST announced an expansion of the HITRUST assessment portfolio to help organizations of all sizes demonstrate a commitment to cybersecurity. The portfolio now includes the new HITRUST Implemented, 1-year (i1) Validated Assessment. The i1 Assessment is a Validated Assessment that offers an organization the opportunity to obtain HITRUST Certification with less effort than the traditional Validated Assessment, now referred to as the HITRUST Risk-Based, 2-year (r2) Validated Assessment.
The i1 Assessment has a standard 219 controls based on NIST SP-800, HIPAA Security Rule, GLBA Safeguards, and the US Department of Labor EBSA Cybersecurity Control Best Practices. The 219 controls are standard for all organizations and are not scoped to your organization’s specific environment, as occurs with the r2 Assessment. Additionally, the i1 assesses an organization against only the implementation of these controls and does not require formal policy and procedure documentation to be assessed.
Like the r2, the i1 requires that the organization first have their assessment tested by a HITRUST External Assessor Firm who submits the assessment to HITRUST for final validation and certification. Also, like the r2, HITRUST recommends doing a Readiness Assessment prior to submitting your Validated i1 evidence to HITRUST.
What to keep in mind when considering the i1 Assessment
The i1 is a one-year assessment versus the r2 two-year assessment. While the i1 has a more limited number of controls, the cost savings from testing the more limited controls may be offset by the added expense of doing a full assessment annually instead of bi-annually.
The HITRUST i1 Implemented, 1-year (i1) Validated Assessment appears to be a great steppingstone to the HITRUST Risk-Based 2-year (r2) Validated Assessment. For smaller organizations or start-ups with good security practices, it allows them to certify those practices without requiring extensive policy and procedure documentation that often slows down the certification process. However, organizations will need to have some documented policies and procedures to meet the standards.
Doing the i1 as your first assessment should reduce the time required to perform both your Readiness and Validated Assessments and allow you to have a HITRUST Certification sooner. However, over the long term, continuing to enhance your policy and procedures and controls to obtain the r2 Certification will demonstrate more control maturity to your stakeholders.
If you are seeking to obtain HITRUST Certification to meet a request of your client, you will need to make sure that the i1 will satisfy that requirement.
For either certification, it is vital to do a Readiness Assessment prior to submitting your assessment to HITRUST for certification. Unlike other control frameworks, HITRUST does not allow any remediation after the assessment is submitted. As a result, it’s important to make sure that your controls are functioning as required and do any remediation prior to your validated assessment.