HITRUST CSF Assessment Services
HITRUST CSF Assessment Services
Baker Tilly’s HITRUST professionals help organizations handling personally protected health information (PHI) tap into the HITRUST CSF to secure that critical information and provide greater cybersecurity assurance.
The HITRUST experience
In response to the increased market demand for HITRUST certification, Baker Tilly applied for and received the HITRUST Common Security Framework (CSF) Assessor designation in July 2016. Since that time, we have worked with multiple organizations that successfully obtained their HITRUST certification.
Baker Tilly continues to rapidly expand our HITRUST qualifications with our clients. Through this combined experience, we have established a strong understanding of the HITRUST CSF control requirements and HITRUST assessment methodology. Prior to and separate from becoming a HITRUST CSF assessor, Baker Tilly also has extensive experience with International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the National Institute of Standards and Technology (NIST) cybersecurity framework and other authoritative sources that are incorporated into the HITRUST CSF.
The HITRUST Alliance
What is HITRUST?
HITRUST’s objective in creating the HITRUST CSF was two-fold:
- Develop a risk-based methodology to provide organizations with a customizable, prescriptive set of control requirements
- Establish a common, certifiable framework to reduce costs and inefficiencies.
The HITRUST CSF contains a minimum set of control requirements that organizations must implement. Organizations then obtain the complete, tailored set of control requirements necessary for certification based on the following categories of risk factors:
- Organizational: size and complexity of operations
- System: technology environment characteristics
- Regulatory: applicable compliance requirements
As service providers face increasing requirements from their customers’ vendor risk management programs, a single compliance exercise becomes more unlikely to satisfy everyone. However, a primary advantage of the HITRUST CSF is that the framework was developed from the International Organization for Standardization’s (ISO) 27001: 2005 standard, and also cross-references to several other standards (e.g., Payment Card Industry (PCI), System and Organization Controls (SOC) 2). The framework is also updated at least annually in order to address cybersecurity risks and remain aligned with industry requirements and best practices.
It’s critical that organizations connect with an approved HITRUST CSF Assessor firm early within their preparation activities in order to understand the overall process and nuances of obtaining their HITRUST CSF certification, including:
- Developing an overall certification project plan
- Scoping your HITRUST CSF assessment
- Understanding potential certification challenges and success factors
- Selecting the right report deliverable
Our HITRUST approach
Baker Tilly is one of a limited number of firms that can deliver HITRUST validation services. Decades of experience providing cybersecurity assessment and related IT audit services keep us immersed and apprised of trending threats, risks and security issues that face your organization. Clients rely on our local subject matter specialists to enhance information protection practices and controls that guard ePHI and other protected information, in order to reduce security risks to acceptable levels and become compliant with a variety of frameworks and standards (e.g., NIST 800-53).
Working with Baker Tilly on our HITRUST and NIST 800-53 readiness was an exceptional experience. Their efficiency and expertise conducting the assessments simultaneously was very valuable to us. The team’s professionalism and customer service really stood out.Landon Perry, CIA, CFE, CGFM - Director of Internal Audit, North Carolina Department of Information Technology
Types of HITRUST assessments
HITRUST assessment attributes
bC features:
- Low level of effort and assurance
- Self-assessment only; verified by HITRUST Assurance Intelligence Engine
- 71 HITRUST CSF requirements
- 1 maturity level (implemented)
- Provide coverage against NISTIR 7621, Small Business Information Security: The Fundamentals
i1 features:
- Moderate level of effort and assurance
- 219 pre-set (static) controls that leverage security best practices and threat intelligence
- Targeted Coverage*: NIST SP 800-171, HIPAA Security Rule, GLBA Safeguards Rule, U.S. Department of Labor EBSA Cybersecurity Program Best Practices, Health Industry Cybersecurity Practices (HICP)
- 1 maturity level (Implemented)
- Uses an external assessor’s annual evaluation of control implementation along with HITRUST review and QA
- i1 Readiness Assessment available
*Targeted Coverage means substantial coverage is intended
r2 features:
- High level of effort and assurance
- Varies from 198 – 2000 requirements (360 average in scope of assessments), based on inherent risk factors and included
authoritative sources (optional) - Flexible controls selection allows tailoring
- Scores: Policies, Procedures, Implemented, (and optionally) Measured, and Managed
- Full 5x5 PRISMA evaluation using a comprehensive scoring rubric
- Targeted coverage*: NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR and 37 others
- Includes control requirements performed by subservice providers
- 2-year certification
- r2 Readiness, Interim and Bridge Assessments available
*Targeted coverage means substantial coverage is intended
Types of HITRUST services
- Recommend the version of the HITRUST CSF framework that best meets the needs of the organization.
- Initiate a readiness evaluation to develop a common understanding of scope, approach, timeframes and deliverables between project stakeholders.
- Perform a gap analysis to evaluate the organization’s internal controls against the HITRUST CSF requirements.
- Determine the current level of preparedness related to control implementation and provide recommendations and guidance on leading practices for certification.
- Review results of readiness evaluation and provide guidance on remediation to prepare for the validated assessment.
- Review newly created documentation and evidence support to ensure identified gaps are remediated.
- Assist with the documentation of policies and supporting procedures.
- Initiate the validated assessment with a common understanding of scope, approach, timeframes and deliverables between project stakeholders.
- Evaluate scoping factors within the MyCSF platform and perform testing of elements and requirements within the HITRUST CSF framework.
- Assign control maturity scoring based on implementation levels and required organization elements.
- Review and finalize HITRUST Validated Assessment Report and Corrective Action Plans (CAPs) for applicable controls.
Featured insights
Baker Tilly HITRUST leadership team
Our industries
Financial Services
The financial services industry continues to diversify, but competition and more complex vendor relationships make determining business strategy more complicated.
Healthcare & Life Sciences
Baker Tilly helps organizations win now, and explore the options for tomorrow, through an orchestrated approach and understanding encompassing all facets of the healthcare ecosystem.
Higher Education
Higher education and research institutions ensure student and institutional success by balancing competing priorities and effectively aligning limited resources.
Not-for-Profit
We have a deep understanding of the issues not-for-profit organizations face, and the creativity and humanity required to thrive in your world.