HITRUST CSF Assessment Services
In response to the increased market demand for HITRUST certification, Baker Tilly applied for and received the HITRUST Common Security Framework (CSF) Assessor designation in July 2016. Since that time, we have worked with multiple organizations that successfully obtained their HITRUST certification.
Baker Tilly continues to expand its HITRUST experience through this client work, and through that combined experience we have established a strong understanding of the HITRUST CSF control requirements and the HITRUST assessment methodology. Prior to and separate from becoming a HITRUST CSF Assessor, Baker Tilly also has extensive experience with International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the other authoritative sources that are incorporated into the HITRUST CSF.
HITRUST’s objective in creating the HITRUST CSF was two-fold:
The HITRUST CSF contains a minimum set of control requirements that organizations must implement. Organizations then obtain the complete, tailored set of control requirements necessary for certification based on the following categories of risk factors:
As service providers face increasing requirements from their customers’ vendor risk management programs, a single compliance exercise becomes increasingly unlikely to satisfy every customer. A primary advantage of the HITRUST CSF, however, is that the framework was developed from the International Organization for Standardization (ISO) 27001:2005 standard and cross-references several other standards and reporting frameworks (e.g., Payment Card Industry (PCI), System and Organization Controls (SOC) 2), so one HITRUST assessment can address requirements that would otherwise call for separate exercises. The framework is also updated at least annually to address emerging cybersecurity risks and remain aligned with industry requirements and best practices.
It’s critical that organizations connect with an approved HITRUST CSF Assessor firm early within their preparation activities in order to understand the overall process and nuances of obtaining their HITRUST CSF certification, including:
Baker Tilly is one of a limited number of firms that can deliver HITRUST validation services. Decades of experience providing cybersecurity assessment and related IT audit services keep us immersed in, and apprised of, the trending threats, risks and security issues that face your organization. Clients rely on our local subject matter specialists to enhance the information protection practices and controls that guard ePHI and other protected information, reduce security risks to acceptable levels and achieve compliance with a variety of frameworks and standards (e.g., NIST 800-53).
“Working with Baker Tilly on our HITRUST and NIST 800-53 readiness was an exceptional experience. Their efficiency and expertise conducting the assessments simultaneously was very valuable to us. The team’s professionalism and customer service really stood out.”
Landon Perry, CIA, CFE, CGFM - Director of Internal Audit, North Carolina Department of Information Technology
*Targeted Coverage means substantial coverage is intended