HITRUST CSF Assessment Services

Secure protected health information using the HITRUST CSF

Baker Tilly’s HITRUST professionals help organizations handling personally protected health information (PHI) tap into the HITRUST CSF to secure that critical information and provide greater cybersecurity assurance.

    The HITRUST experience

    In response to the increased market demand for HITRUST certification, Baker Tilly applied for and received the HITRUST Common Security Framework (CSF) Assessor designation in July 2016. Since that time, we have worked with multiple organizations that successfully obtained their HITRUST certification.

    Baker Tilly continues to rapidly expand our HITRUST qualifications with our clients. Through this combined experience, we have established a strong understanding of the HITRUST CSF control requirements and HITRUST assessment methodology. Prior to and separate from becoming a HITRUST CSF assessor, Baker Tilly also has extensive experience with International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the National Institute of Standards and Technology (NIST) cybersecurity framework and other authoritative sources that are incorporated into the HITRUST CSF.

    The HITRUST Alliance

    What is HITRUST?

    HITRUST’s objective in creating the HITRUST CSF was two-fold:

    1. Develop a risk-based methodology to provide organizations with a customizable, prescriptive set of control requirements
    2. Establish a common, certifiable framework to reduce costs and inefficiencies.

    The HITRUST CSF contains a minimum set of control requirements that organizations must implement. Organizations then obtain the complete, tailored set of control requirements necessary for certification based on the following categories of risk factors:

    • Organizational: size and complexity of operations
    • System: technology environment characteristics
    • Regulatory: applicable compliance requirements

    As service providers face increasing requirements from their customers’ vendor risk management programs, a single compliance exercise becomes increasingly unlikely to satisfy everyone. However, a primary advantage of the HITRUST CSF is that the framework was developed from the International Organization for Standardization’s (ISO) 27001:2005 standard, and it also cross-references several other standards (e.g., Payment Card Industry (PCI), System and Organization Controls (SOC) 2). The framework is also updated at least annually in order to address cybersecurity risks and remain aligned with industry requirements and best practices.

    It’s critical that organizations connect with an approved HITRUST CSF Assessor firm early within their preparation activities in order to understand the overall process and nuances of obtaining their HITRUST CSF certification, including:

    • Developing an overall certification project plan
    • Scoping your HITRUST CSF assessment
    • Understanding potential certification challenges and success factors
    • Selecting the right report deliverable

    Working with Baker Tilly on our HITRUST and NIST 800-53 readiness was an exceptional experience. Their efficiency and expertise conducting the assessments simultaneously was very valuable to us. The team’s professionalism and customer service really stood out.

    Landon Perry, CIA, CFE, CGFM - Director of Internal Audit, North Carolina Department of Information Technology

    • Recommend the version of the HITRUST CSF framework that best meets the needs of the organization.
    • Initiate a readiness evaluation to develop a common understanding of scope, approach, timeframes and deliverables between project stakeholders.
    • Perform a gap analysis to evaluate the organization’s internal controls against the HITRUST CSF requirements.
    • Determine the current level of preparedness related to control implementation and provide recommendations and guidance on leading practices for certification.
    • Review results of readiness evaluation and provide guidance on remediation to prepare for the validated assessment.
    • Review newly created documentation and evidence support to ensure identified gaps are remediated.
    • Assist with the documentation of policies and supporting procedures.
    • Initiate the validated assessment with a common understanding of scope, approach, timeframes and deliverables between project stakeholders.
    • Evaluate scoping factors within the MyCSF platform and perform testing of elements and requirements within the HITRUST CSF framework.
    • Assign control maturity scoring based on implementation levels and required organization elements.
    • Review and finalize HITRUST Validated Assessment Report and Corrective Action Plans (CAPs) for applicable controls.