Baker Tilly
Contact us
Technician analyzes security of data on servers

HITRUST CSF Assessment Services

HITRUST CSF Assessment Services

  1. Christopher J. Tait

    Christopher J. Tait

    MBA, CISA, CCSK, CFSA, CCSFP

    Principal

  2. Jeff Krull

    Jeff Krull

    CPA, CISA

    Partner

  3. Janice S. Ahlstrom

    Janice S. Ahlstrom

    FHIMSS, CPHIMS, CCSFP, RN, B.S.N.

    Director

Maximize the security, integrity and availability of your information assets with help from Baker Tilly’s HITRUST team. As an approved HITRUST CSF Assessor, we work with organizations across industries to improve data security and regulatory compliance so you can remain focused on mission-critical objectives.

    The HITRUST experience

    In response to the increased market demand for HITRUST certification, Baker Tilly applied for and received the HITRUST Common Security Framework (CSF) Assessor designation in July 2016. Since that time, we have worked with multiple organizations that successfully obtained their HITRUST certification.

    Baker Tilly continues to rapidly expand our HITRUST qualifications with our clients. Through this combined experience, we have established a strong understanding of the HITRUST CSF control requirements and HITRUST assessment methodology. Prior to and separate from becoming a HITRUST CSF assessor, Baker Tilly also has extensive experience with International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the National Institute of Standards and Technology (NIST) cybersecurity framework and other authoritative sources that are incorporated into the HITRUST CSF.

    Connect with our HITRUST team.arrowCreated with Sketch.

    The HITRUST Alliance

    What is HITRUST?

    HITRUST’s objective in creating the HITRUST CSF was two-fold:

    1. Develop a risk-based methodology to provide organizations with a customizable, prescriptive set of control requirements
    2. Establish a common, certifiable framework to reduce costs and inefficiencies.

    The HITRUST CSF contains a minimum set of control requirements that organizations must implement. Organizations then obtain the complete, tailored set of control requirements necessary for certification based on the following categories of risk factors:

    • General (e.g., industry, service provider)
    • Organizational (e.g., number of systems, size and complexity of operations, number of records)
    • Geographical (e.g., locations, international, multi-state)
    • System/technical (e.g., technology environment characteristics, use of mobile devices, accessible from the internet, accessible by third-party providers)
    • Regulatory (e.g., PCI-DDS, CMS, state requirements, other applicable compliance requirements)

    As service providers face increasing requirements from their customers’ vendor risk management programs, a single compliance exercise becomes more unlikely to satisfy everyone. However, a primary advantage of the HITRUST CSF is that the framework was developed from the International Organization for Standardization’s (ISO) 27001: 2005 standard, and also cross-references to several other standards (e.g., Payment Card Industry (PCI), System and Organization Controls (SOC) 2). The framework is also updated at least annually in order to address cybersecurity risks and remain aligned with industry requirements and best practices.

    It’s critical that organizations connect with an approved HITRUST CSF Assessor firm early within their preparation activities in order to understand the overall process and nuances of obtaining their HITRUST CSF certification, including:

    • Developing an overall certification project plan
    • Scoping your HITRUST CSF assessment
    • Understanding potential certification challenges and success factors
    • Selecting the right report deliverable

    Our HITRUST approach

    Baker Tilly is one of a limited number of firms that can deliver HITRUST validation services. Decades of experience providing cybersecurity assessment and related IT audit services keep us immersed and apprised of trending threats, risks and security issues that face your organization. Clients rely on our local subject matter specialists to enhance information protection practices and controls that guard ePHI and other protected information, in order to reduce security risks to acceptable levels and become compliant with a variety of frameworks and standards (e.g., NIST 800-53).

    Working with Baker Tilly on our HITRUST and NIST 800-53 readiness was an exceptional experience. Their efficiency and expertise conducting the assessments simultaneously was very valuable to us. The team’s professionalism and customer service really stood out.
    Landon Perry, CIA, CFE, CGFM - Director of Internal Audit, North Carolina Department of Information Technology
    bC features:
    • Low level of effort and assurance
    • Self-assessment only; verified by HITRUST Assurance Intelligence Engine
    • 71 HITRUST CSF requirements
    • 1 maturity level (implemented)
    • Provide coverage against NISTIR 7621, Small Business Information Security: The Fundamentals
    i1 features:
    • Moderate level of effort and assurance​
    • 219 pre-set (static) controls that leverage security best practices and threat intelligence
    • Targeted Coverage*: NIST SP 800-171, HIPAA Security Rule, GLBA Safeguards Rule, U.S. Department of Labor EBSA Cybersecurity Program Best Practices, Health Industry Cybersecurity Practices (HICP)
    • 1 maturity level (Implemented) ​
    • Uses an external assessor’s annual evaluation of control implementation along with HITRUST review and QA
    • i1 Readiness Assessment available

    *Targeted Coverage means substantial coverage is intended

    r2 features:
    • High level of effort and assurance​
    • Varies from 198 – 2000 requirements (360 average in scope of assessments), based on inherent risk factors and included
      authoritative sources (optional)​
    • Flexible controls selection allows tailoring
    • Scores: Policies, Procedures, Implemented, (and optionally) Measured, and Managed ​
    • Full 5x5 PRISMA evaluation using a comprehensive scoring rubric​
    • Targeted coverage*: NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR and 37 others
    • Includes control requirements performed by subservice providers
    • 2-year certification
    • r2 Readiness, Interim and Bridge Assessments available

    *Targeted coverage means substantial coverage is intended

    • Recommend the version of the HITRUST CSF framework that best meets the needs of the organization.
    • Initiate a readiness evaluation to develop a common understanding of scope, approach, timeframes and deliverables between project stakeholders.
    • Perform a gap analysis to evaluate the organization’s internal controls against the HITRUST CSF requirements.
    • Determine the current level of preparedness related to control implementation and provide recommendations and guidance on leading practices for certification.
    • Review results of readiness evaluation and provide guidance on remediation to prepare for the validated assessment.
    • Review newly created documentation and evidence support to ensure identified gaps are remediated.
    • Assist with the documentation of policies and supporting procedures.
    • Initiate the validated assessment with a common understanding of scope, approach, timeframes and deliverables between project stakeholders.
    • Evaluate scoping factors within the MyCSF platform and perform testing of elements and requirements within the HITRUST CSF framework.
    • Assign control maturity scoring based on implementation levels and required organization elements.
    • Review and finalize HITRUST Validated Assessment Report and Corrective Action Plans (CAPs) for applicable controls.

    Featured insights

    Webinar
    Demystifying HITRUST assessment types: bC, i1 and r2

    Demystifying HITRUST assessment types: bC, i1 and r2

    Article
    HITRUST FAQ

    HITRUST FAQ

    Article
    Opening between buildings

    HITRUST CSF™ Version 9: updates and impacts for certification

    Article
    Upcoming HITRUST CSF Version 9 release: Understanding the impact

    Upcoming HITRUST CSF Version 9 release: Understanding the impact

    Webinar
    Healthcare HIPAA and cybersecurity update

    Healthcare HIPAA and cybersecurity update

    Webinar
    HITRUST demystified: what it means and what to expect from certification

    HITRUST demystified: what it means and what to expect from certification

    Our industries

    1. Two advisors reviewing financial services dashboard data

      Financial Services

      The financial services industry continues to diversify, but competition and more complex vendor relationships make determining business strategy more complicated.
    2. Life sciences presentation on data dashboard

      Healthcare & Life Sciences

      Baker Tilly helps organizations win now, and explore the options for tomorrow, through an orchestrated approach and understanding encompassing all facets of the healthcare ecosystem.
    3. Students review schedules on campus

      Higher Education

      Higher education and research institutions advance student and institutional success by balancing competing priorities and effectively aligning limited resources.
    4. circle of hands at a not-for-profit organization

      Not-for-Profit

      We have a deep understanding of the issues not-for-profit organizations face, and the creativity and humanity required to thrive in your world.