Baker Tilly
Contact us
Technician analyzes security of data on servers

HITRUST CSF Assessment Services

Secure protected health information using the HITRUST CSF

HITRUST CSF Assessment Services

Baker Tilly’s HITRUST professionals help organizations handling personally protected health information (PHI) tap into the HITRUST CSF to secure that critical information and provide greater cybersecurity assurance.

    The HITRUST experience

    In response to the increased market demand for HITRUST certification, Baker Tilly applied for and received the HITRUST Common Security Framework (CSF) Assessor designation in July 2016. Since that time, we have worked with multiple organizations that successfully obtained their HITRUST certification.

    Baker Tilly continues to rapidly expand our HITRUST qualifications with our clients. Through this combined experience, we have established a strong understanding of the HITRUST CSF control requirements and HITRUST assessment methodology. Prior to and separate from becoming a HITRUST CSF assessor, Baker Tilly also has extensive experience with International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the National Institute of Standards and Technology (NIST) cybersecurity framework and other authoritative sources that are incorporated into the HITRUST CSF.

    Connect with our HITRUST team.arrowCreated with Sketch.

    The HITRUST Alliance

    What is HITRUST?

    HITRUST’s objective in creating the HITRUST CSF was two-fold:

    1. Develop a risk-based methodology to provide organizations with a customizable, prescriptive set of control requirements
    2. Establish a common, certifiable framework to reduce costs and inefficiencies.

    The HITRUST CSF contains a minimum set of control requirements that organizations must implement. Organizations then obtain the complete, tailored set of control requirements necessary for certification based on the following categories of risk factors:

    • Organizational: size and complexity of operations
    • System: technology environment characteristics
    • Regulatory: applicable compliance requirements

    As service providers face increasing requirements from their customers’ vendor risk management programs, a single compliance exercise becomes more unlikely to satisfy everyone. However, a primary advantage of the HITRUST CSF is that the framework was developed from the International Organization for Standardization’s (ISO) 27001: 2005 standard, and also cross-references to several other standards (e.g., Payment Card Industry (PCI), System and Organization Controls (SOC) 2). The framework is also updated at least annually in order to address cybersecurity risks and remain aligned with industry requirements and best practices.

    It’s critical that organizations connect with an approved HITRUST CSF Assessor firm early within their preparation activities in order to understand the overall process and nuances of obtaining their HITRUST CSF certification, including:

    • Developing an overall certification project plan
    • Scoping your HITRUST CSF assessment
    • Understanding potential certification challenges and success factors
    • Selecting the right report deliverable

    Our HITRUST approach

    Baker Tilly is one of a limited number of firms that can deliver HITRUST validation services. Decades of experience providing cybersecurity assessment and related IT audit services keep us immersed and apprised of trending threats, risks and security issues that face your organization. Clients rely on our local subject matter specialists to enhance information protection practices and controls that guard ePHI and other protected information, in order to reduce security risks to acceptable levels and become compliant with a variety of frameworks and standards (e.g., NIST 800-53).

    Working with Baker Tilly on our HITRUST and NIST 800-53 readiness was an exceptional experience. Their efficiency and expertise conducting the assessments simultaneously was very valuable to us. The team’s professionalism and customer service really stood out.
    Landon Perry, CIA, CFE, CGFM - Director of Internal Audit, North Carolina Department of Information Technology
    • Recommend the version of the HITRUST CSF framework that best meets the needs of the organization.
    • Initiate a readiness evaluation to develop a common understanding of scope, approach, timeframes and deliverables between project stakeholders.
    • Perform a gap analysis to evaluate the organization’s internal controls against the HITRUST CSF requirements.
    • Determine the current level of preparedness related to control implementation and provide recommendations and guidance on leading practices for certification.
    • Review results of readiness evaluation and provide guidance on remediation to prepare for the validated assessment.
    • Review newly created documentation and evidence support to ensure identified gaps are remediated.
    • Assist with the documentation of policies and supporting procedures.
    • Initiate the validated assessment with a common understanding of scope, approach, timeframes and deliverables between project stakeholders.
    • Evaluate scoping factors within the MyCSF platform and perform testing of elements and requirements within the HITRUST CSF framework.
    • Assign control maturity scoring based on implementation levels and required organization elements.
    • Review and finalize HITRUST Validated Assessment Report and Corrective Action Plans (CAPs) for applicable controls.

    Featured insights

    Article
    Opening between buildings

    HITRUST CSF™ Version 9: updates and impacts for certification

    Article

    Upcoming HITRUST CSF Version 9 release: Understanding the impact

    Webinar
    Healthcare HIPAA and cybersecurity update

    Healthcare HIPAA and cybersecurity update

    Webinar

    HITRUST demystified: what it means and what to expect from certification

    Our industries

    1. Two advisors reviewing financial services dashboard data

      Financial Services

      The financial services industry continues to diversify, but competition and more complex vendor relationships make determining business strategy more complicated.
    2. Life sciences presentation on dashboard

      Healthcare & Life Sciences

      We deliver innovative and sustainable results through our collaborative approach across the provider, health plan and life sciences spectrum.
    3. Students review schedules on campus

      Higher Education

      Higher education and research institutions ensure student and institutional success by balancing competing priorities and effectively aligning limited resources.

    4. Not-for-Profit

      We have a deep understanding of the issues not-for-profit organizations face, and the creativity and humanity required to thrive in your world.