HITRUST held its annual HITRUST Collaborate conference the week of October 4th, 2021. During this conference, HITRUST announced an expansion of the portfolio of HITRUST assessments designed to help provide differing levels of assurance based on an organization’s needs.
HITRUST CSF Basic, Current State (bC) Assessment
The HITRUST CSF Basic, Current State (bC) Assessment is a new product that allows HITRUST to provide a higher level of assurance than a traditional self-assessment. Rather than simply recording that the organization completed the assessment without any HITRUST review, HITRUST reviews the submission with its artificial intelligence tool to flag potential concerns. However, the bC Assessment is not a HITRUST Certified Assessment.
HITRUST refers to the bC Assessment as a verified self-assessment. It includes 71 HITRUST control requirement statements that are not tailored based on an organization’s business or size. The bC Assessment is based on NISTIR 7621: Small Business Information Security Fundamentals.
HITRUST CSF Implemented, 1-Year (i1) Validated Assessment
The HITRUST CSF Implemented, 1-Year (i1) Validated Assessment is a new product designed for medium-sized organizations where there is moderate risk or where a baseline risk assessment is required. This assessment has approximately 200 control requirement statements and is based on NIST SP 800-171 and the HIPAA Security Rule. Organizations are assessed against all controls (no tailoring); after review by HITRUST, if the controls meet the HITRUST standards, the organization receives a Validated Assessment with Certification.
HITRUST CSF Risk-based, 2-Year (r2) Assessment
HITRUST plans to begin offering the bC and i1 Assessments before the end of 2021. These assessments are designed as additions to the HITRUST assessment program and do not replace the HITRUST CSF Validated Assessment, which provides the highest level of assurance. Moving forward, the HITRUST CSF Validated Assessment will be known as the HITRUST CSF Risk-based, 2-Year (r2) Assessment.
Coming Soon: HITRUST Privacy Assessment
The HITRUST Privacy Officer also provided an update on the new HITRUST Privacy Assessment, which HITRUST plans to release in 2022. HITRUST reported that its market surveys showed an overwhelming expectation that organizations will soon be required to provide certifiable evidence of privacy compliance. The assessment is being developed using an approach very similar to the current Risk-based, 2-Year (r2) Validated Assessment. HITRUST is building the assessment from the NIST Privacy Framework, the ISO 27001 Privacy Framework, the APEC Framework, GDPR, CCPA, and the FIPPs. The identified controls will be grouped into eight domains, and organizations will be assessed against those domains.