HITRUST FAQ

What is the HITRUST CSF?

HITRUST was developed based on ISO 27001, but it incorporates several additional regulatory requirements, standards, and frameworks. Some of the important problems the HITRUST CSF addresses, and how it addresses them, are the following:

  • Increased risk of breaches, regulatory enforcement, and public concern, addressed by facilitating the measurement of compliance requirements to increase trust with partners and consumers;
  • Inefficiencies caused by differing interpretations of control objectives, addressed by obtaining consensus on the practices that most effectively address information security and privacy concerns;
  • Increased costs due to changes in the regulatory environment, addressed by unifying the compliance approach and providing the ability to “assess once and report many times” on compliance activities; and,
  • Inconsistency in implementing minimum acceptable controls, addressed by leveraging existing standards with prescriptive requirements that fit an organization of any size, and by establishing a single benchmark approach.

Why should my organization get HITRUST CSF Validated?

Want to build trust with your customers? Want to validate your security posture through an independent review against the ‘gold standard’ of compliance? Want to save time and money? Then participating in the HITRUST CSF validation process is right for you!

Obtaining a HITRUST CSF Validation with Certification can provide a competitive advantage, opening up paths to larger enterprise organizations and meeting contractual obligations when selling to large healthcare insurance companies (or when obtaining cybersecurity insurance).

If you want to eliminate the need to complete vendor due diligence questionnaires or self-assessment questionnaires, HITRUST CSF Validation could save your team the hours of resources otherwise allocated to these tasks. If your organization needs to comply with several different standards, regulations, or frameworks, the HITRUST CSF can be leveraged to integrate these compliance requirements into one comprehensive framework.

Before starting down the HITRUST assurance path, ask yourself: what is the ultimate purpose of obtaining a HITRUST CSF Validation with Certification, and why are we performing this activity? It might be for internal (audit) or external (regulatory) requirements, third-party requirements (contractual obligations), to demonstrate compliance, to improve the organization’s security posture, and/or to create a competitive advantage for the organization.

Is it difficult to get HITRUST CSF Validated?

The HITRUST CSF is a prescriptive framework with several control requirements, each scored against five (5) different categories:

  • policy
  • process
  • implemented
  • measured
  • managed

An organization must meet all the elements of a control requirement to score a full 100% for each of the individual categories.

For example, to meet all the criteria of a control requirement an organization must have a formal policy in place, must have a formal process in place to implement that policy, and must have solutions in place that implement the policy and process. To score within the measured and managed categories, the organization must further establish measures and metrics and manage the overall performance of the solutions in place.

What are the differences between HITRUST, SOC, and HIPAA?

The HITRUST CSF Validation with Certification is a ‘gold standard’ certification where an organization is assessed by an independent, qualified assessor to an average of 360 control requirements covering specific industry security standards.

SOC 2 Type II is an internal controls report determining the organization’s effectiveness in safeguarding its customer data. A SOC 2 Type II report is prepared by a CPA, who renders an opinion or attestation on the in-scope Trust Services Criteria as assessed over a defined time period under the AICPA standards.

The Health Insurance Portability and Accountability Act (HIPAA) is a federal regulation covering the safeguards implemented over the use and disclosure of protected health information. There is no formal HIPAA certification; however, organizations look to HITRUST to provide validation of their HIPAA compliance efforts.

How much time does it take to get HITRUST CSF Validated?

The HITRUST CSF Validation requires a few steps. The total time may vary based on the complexity of an organization.

Generally, we see organizations complete their readiness review within 3 to 4 months.

An organization may take another 3 to 4 months to remediate all gaps identified during the readiness review. The validation assessment, performed by a HITRUST Approved External Assessor firm, is completed within a 90-day window so that all evidence and testing remain current prior to submitting the validation work to HITRUST.

HITRUST will perform a thorough QA review of the validation activities and provide a report. The HITRUST r2 Validation is valid for two years, and an interim review of the organization will be performed 30 to 90 days from the anniversary date of the validation report in order to maintain the r2 validation.

What are the costs? (Direct/Indirect)

The following are only rough estimates; approved assessors and HITRUST each set their own pricing models.

Some of the direct costs for HITRUST CSF validation with certification include the following:

  • Readiness Assessment performed by a qualified assessor = $20,000 to $50,000
  • Validated Assessment performed by a HITRUST approved assessor = $30,000 to $70,000
  • Interim Review performed by a HITRUST approved assessor = $15,000 to $25,000

HITRUST fees for a MyCSF subscription that includes validated reports can range from $15,000 to $60,000.

Indirect costs may include:

  • Resource: Minimum of one full time employee to coordinate the validation process
  • Money: Depending on the complexity of the organization and implementation solutions required = $20,000 to $135,000

Laika is proud to be an approved HITRUST external assessor!

Laika is proud to be the first automated compliance solution to become a HITRUST approved external assessor. Laika is one of the first fully integrated and consolidated compliance platforms available on the market offering our customers the ability to achieve multiple attestations, certifications, and audits from one source.

Laika now has the capability to prepare for and certify against the HITRUST CSF, all from a single platform. The platform saves countless hours and precious resources by providing the ability to pivot into other attestations/certifications without losing evidence already obtained for previous assessments/audits or having to do additional work to re-collect it.

Assessments will be performed in parallel or separately, based on the needs of the organization. Attestations and certifications can be achieved through our integrated partners (or through Laika itself in the case of HITRUST) leveraging our platform.

What will your organization get with Laika’s HITRUST Core and Audit Subscriptions?

Once you’re approved to receive Laika’s service for HITRUST, your organization will receive:

  • Predefined policy and procedure templates drafted to meet HITRUST requirements.
  • Step-by-step guidance to ensure your organization properly implements the prescriptive HITRUST CSF control requirements.
  • Instructions necessary to ensure your evidence meets the thresholds set by HITRUST.
  • Concierge services with automated off-line assessment functionality to ease the work involved in packaging the assessment and preparing it for HITRUST submission through the HITRUST MyCSF portal, along with all required QA.
  • Laika will perform the readiness review, assist our customer in preparing for validation, conduct the validation assessment, and conduct the interim review for a HITRUST r2 Assessment.


What are the different types of assessments offered by HITRUST?

HITRUST currently offers the following types of assessments:

  • Basic, Current-State (bC) – This assessment consists of 71 static controls providing a ‘good hygiene’ assessment. It provides higher assurance than a self-assessment or questionnaire by utilizing the HITRUST Assurance Intelligence Engine (AI Engine) to identify errors or omissions in the work products provided. This assessment does not provide a certification.
  • Implemented, 1-year (i1) – This assessment consists of 219 static controls providing ‘best practices’ for organizations where moderate risk is present and where a baseline risk assessment is required. In addition, this assessment provides a higher level of transparency, integrity, and reliability with a comparable level of time, effort, and cost. This assessment requires a HITRUST Authorized External Assessor to validate and is valid for one (1) year.
  • Risk-Based, 2-year (r2) Validated Assessment – This assessment consists of a varied number of controls with an average of around 360 controls per organization. Formerly known as the HITRUST CSF Validated Assessment, it is still the ‘gold standard’ assessment providing the highest level of assurance. This assessment is recommended for organizations with greater risk exposure due to the volume of data, regulatory compliance, and other factors. This assessment requires a HITRUST Authorized External Assessor to validate and is valid for two (2) years as long as the organization successfully completes their annual interim review.

What can be certified under the HITRUST CSF?

The HITRUST CSF can only be certified against implemented systems, applications, or platforms that have been fully installed and configured for at least ninety (90) days. The scope of the assessment will include ALL sensitive/covered information and could apply to any implemented system (regardless of classification or function).

HITRUST DOES NOT certify facilities, people, services, or products.

What is the general process of a HITRUST assessment?

An assessor will work with the organization to determine the scope of the assessment. From there, the assessor will use HITRUST’s illustrative procedures as the minimum criteria to develop test plans that evaluate how effectively the implemented controls meet the HITRUST requirement statements. The assessor will examine or review documents, interview personnel or subject matter experts, and perform testing and sampling as part of the validation process. All fieldwork must be performed within ninety (90) days of the HITRUST validation submission, and the assessor retains their own judgment when it comes to any exceptions (or deviations) from a control requirement. To avoid any conflict of interest, assessors performing validation assessments cannot be the same assessors who assisted the customer during the readiness assessment. A Quality Assurance (QA) assessment will be performed on the assessment work prior to submission, and HITRUST will perform its own QA prior to issuing any validation with certification.

Interested in getting HITRUST CSF Validated?

Request a demo to learn how to become HITRUST CSF Validated.
