Maximize the security, integrity and availability of your information assets with help from Baker Tilly’s HITRUST team. As an approved HITRUST CSF Assessor, we work with organizations across industries to improve data security and regulatory compliance so you can remain focused on mission-critical objectives.

    The HITRUST experience

    In response to the increased market demand for HITRUST certification, Baker Tilly applied for and received the HITRUST Common Security Framework (CSF) Assessor designation in July 2016. Since that time, we have worked with multiple organizations that successfully obtained their HITRUST certification.

    Baker Tilly continues to rapidly expand its HITRUST work with clients. Through this combined experience, we have established a strong understanding of the HITRUST CSF control requirements and the HITRUST assessment methodology. Separately from, and prior to, becoming a HITRUST CSF Assessor, Baker Tilly also has extensive experience with International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other authoritative sources that are incorporated into the HITRUST CSF.

    The HITRUST Alliance

    What is HITRUST?

    HITRUST’s objective in creating the HITRUST CSF was two-fold:

    1. Develop a risk-based methodology to provide organizations with a customizable, prescriptive set of control requirements.
    2. Establish a common, certifiable framework to reduce costs and inefficiencies.

    The HITRUST CSF contains a minimum set of control requirements that organizations must implement. Organizations then obtain the complete, tailored set of control requirements necessary for certification based on the following categories of risk factors:

    • General (e.g., industry, service provider)
    • Organizational (e.g., number of systems, size and complexity of operations, number of records)
    • Geographical (e.g., locations, international, multi-state)
    • System/technical (e.g., technology environment characteristics, use of mobile devices, accessible from the internet, accessible by third-party providers)
    • Regulatory (e.g., PCI DSS, CMS, state requirements, other applicable compliance requirements)

    As service providers face increasing requirements from their customers’ vendor risk management programs, a single compliance exercise becomes less likely to satisfy everyone. A primary advantage of the HITRUST CSF is that the framework was developed from the International Organization for Standardization’s (ISO) 27001:2005 standard and also cross-references several other standards (e.g., Payment Card Industry (PCI), System and Organization Controls (SOC) 2). The framework is also updated at least annually in order to address cybersecurity risks and remain aligned with industry requirements and best practices.

    It’s critical that organizations connect with an approved HITRUST CSF Assessor firm early within their preparation activities in order to understand the overall process and nuances of obtaining their HITRUST CSF certification, including:

    • Developing an overall certification project plan
    • Scoping your HITRUST CSF assessment
    • Understanding potential certification challenges and success factors
    • Selecting the right report deliverable

    Working with Baker Tilly on our HITRUST and NIST 800-53 readiness was an exceptional experience. Their efficiency and expertise conducting the assessments simultaneously was very valuable to us. The team’s professionalism and customer service really stood out.

    Landon Perry, CIA, CFE, CGFM - Director of Internal Audit, North Carolina Department of Information Technology

    bC features:
    • Low level of effort and assurance
    • Self-assessment only; verified by HITRUST Assurance Intelligence Engine
    • 71 HITRUST CSF requirements
    • 1 maturity level (Implemented)
    • Provides coverage against NISTIR 7621, Small Business Information Security: The Fundamentals

    i1 features:
    • Moderate level of effort and assurance
    • 219 pre-set (static) controls that leverage security best practices and threat intelligence
    • Targeted Coverage*: NIST SP 800-171, HIPAA Security Rule, GLBA Safeguards Rule, U.S. Department of Labor EBSA Cybersecurity Program Best Practices, Health Industry Cybersecurity Practices (HICP)
    • 1 maturity level (Implemented)
    • Uses an external assessor’s annual evaluation of control implementation along with HITRUST review and QA
    • i1 Readiness Assessment available

    *Targeted Coverage means substantial coverage is intended

    r2 features:
    • High level of effort and assurance
    • Varies from 198 – 2000 requirements (360 average in scope of assessments), based on inherent risk factors and included authoritative sources (optional)
    • Flexible controls selection allows tailoring
    • Scores: Policies, Procedures, Implemented, (and optionally) Measured, and Managed
    • Full 5x5 PRISMA evaluation using a comprehensive scoring rubric
    • Targeted coverage*: NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR and 37 others
    • Includes control requirements performed by subservice providers
    • 2-year certification
    • r2 Readiness, Interim and Bridge Assessments available

    *Targeted coverage means substantial coverage is intended

    • Recommend the version of the HITRUST CSF framework that best meets the needs of the organization.
    • Initiate a readiness evaluation to develop a common understanding of scope, approach, timeframes and deliverables between project stakeholders.
    • Perform a gap analysis to evaluate the organization’s internal controls against the HITRUST CSF requirements.
    • Determine the current level of preparedness related to control implementation and provide recommendations and guidance on leading practices for certification.
    • Review results of readiness evaluation and provide guidance on remediation to prepare for the validated assessment.
    • Review newly created documentation and evidence support to ensure identified gaps are remediated.
    • Assist with the documentation of policies and supporting procedures.

    • Initiate the validated assessment with a common understanding of scope, approach, timeframes and deliverables between project stakeholders.
    • Evaluate scoping factors within the MyCSF platform and perform testing of elements and requirements within the HITRUST CSF framework.
    • Assign control maturity scoring based on implementation levels and required organization elements.
    • Review and finalize HITRUST Validated Assessment Report and Corrective Action Plans (CAPs) for applicable controls.