Baker Tilly
Contact us
Technician analyzes security of data on servers

HITRUST CSF Assessment Services

Connect with usarrowCreated with Sketch.

HITRUST CSF Assessment Services

  1. Article
    Team members discuss strategy in a meeting

    HITRUST FAQ

  2. Webinar
    Consultants review software development code

    Strategy check: evaluating your cyber program to strengthen assurance

  3. Article
    University campus during the daytime

    How higher education and research institutions may benefit from using HITRUST to navigate research data security requirements

  4. Webinar
    Closeup of circuitry on computer

    Top cyber trends and emerging risks in the insurance industry

  5. Article
    Team collaborates on client project

    Easing cyber insurance woes using key controls 

  6. Article
    Team working to analyze data and software

    New HITRUST assessments rise to meet the need for varying assurance levels

  7. Webinar
    Woman looking at data visualization on tablet

    Demystifying HITRUST assessment types: bC, i1 and r2

  8. Article
    cybersecurity of personal health information

    COVID business shifts change but don’t stop robust HITRUST evaluations

  9. Webinar
    protected health information

    HITRUST panel: lessons learned from a year of remote HITRUST validations

  10. Case Study
    speed of technology blur

    NCDIT simultaneously undergoes HITRUST and NIST 800-53 readiness

  11. Article
    Opening between buildings

    HITRUST CSF™ Version 9: updates and impacts for certification

  12. Article
    hands typing on laptop

    Upcoming HITRUST CSF Version 9 release: Understanding the impact

  13. Webinar
    City buildings reflecting sky

    HITRUST demystified: what it means and what to expect from certification

  1. Christopher J. Tait

    Christopher J. Tait

    MBA, CISA, CCSK, CFSA, CCSFP

    Principal

  2. Emily Di Nardo

    Emily Di Nardo

    CPA, CITP, HITRUST CHQP

    Partner

  1. ConferenceOct 03
    Abstract data

    HITRUST Collaborate 2023

Maximize the security, integrity and availability of your information assets with help from Baker Tilly’s HITRUST team.

As an approved HITRUST CSF Assessor, we work with organizations across industries to improve data security and regulatory compliance so you can remain focused on mission-critical objectives.

What is HITRUST?

HITRUST, was founded in 2007 as a non-profit organization with the mission to provide a common security framework (CSF) to help organizations address and manage their information security risks. HITRUST is a leading comprehensive framework, offering a range of services and assessment types to help organizations manage their information security risks and compliance requirements. HITRUST continues to collaborate with stakeholders and government agencies to promote the adoption of multiple industry-recognized security and privacy controls and requirements, including HIPAA, NIST, and ISO, into a single framework, making it easier for organizations to demonstrate their compliance with multiple regulations and standards simultaneously. 

HITRUST assessments are conducted by independent third-party assessors and involve a thorough review of the organization's policies, procedures, and technical controls, as well as an evaluation of its risk management practices. The assessments are available in different levels of rigor and depth, including the streamlined validated assessments (e1 and i1) and the comprehensive assessment (r2). 

Connect with our HITRUST teamarrowCreated with Sketch.

Types of HITRUST Assessments

  HITRUST Essentials, 1-year (e1) Assessment Essentials HITRUST Implemented 1-year (i1) Assessment Leading Practices HITRUST Risk-based 2-year (r2) Assessment Expanded Practices
Description Validated Assessment + Certification Validated Assessment + Certification Validated Assessment + Certification
Purpose (use case) Entry-level assurance focused on essential cybersecurity hygiene controls Moderate level of assurance focused on cybersecurity leading practices and a broader range of threats than the e1 assessment High level of assurance focuses on a comprehensive risk-based specification of controls
Certifiable Assessment Yes, 1 year Yes, 1 year + Rapid Recertification in year 2 Yes, 2 years + Interim Assessment
Number of HITRUST CSF requirements on a 2-year basis and maturity levels considered 44 (year 1), 44 (year 2) implemented 182 (year 1), ~60 (year 2 with Rapid Recertification) implemented
~375 avg. (year 1), ~20 (year 2 interim assessment) policy, procedure and implemented
Policy and procedure consideration Minimal Minimal Thorough
Level of security assessment Low Moderate High
Level of assurance Low Moderate High
Evaluation approach 1x5: Implementation control maturity level 1x5: Implementation control maturity level

3x5 or 5x5: Control maturity assessment against either 4 or 5 maturity levels
Provides Targeted Coverage for one or more authoritative sources (i.e., Factors) No No Yes, if selected
Alignment with authoritative sources CISA cyber essentials, Health Industry Cybersecurity Practices (HICP) for small healthcare organizations, NIST 171’s basic requirements, NIST IR 7621 NIST SP 800-171 (basic and derived requirements), HIPAA security rule and HICP for medium-sized organizations NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, PCI DSS, GDPR and dozens of others

HITRUST e1 is an assessment option under the HITRUST Assurance Program, which is designed to evaluate the information security controls of service providers that handle sensitive information. The e1 assessment enables service providers to evaluate their compliance with the HITRUST CSF controls and requirements and report their results to their customers and stakeholders. 

The e1 assessment is intended for small service providers or those with limited exposure to sensitive healthcare information. It includes a subset of the HITRUST CSF controls and requirements, focusing on the most critical security and privacy requirements. The e1 assessment is a cost-effective way for service providers to demonstrate their commitment to protecting sensitive healthcare information and provide assurance to their customers. 

The e1 assessment includes a set of questions that cover the following areas: 

  1. Organization and policies: This area focuses on the service provider's organizational structure, policies and procedures related to information security. 
  2. Physical security: This area covers the service provider's physical security controls, such as access controls, security monitoring and environmental controls. 
  3. Technical security: This area covers the service provider's technical security controls, such as access controls, encryption, network security and vulnerability management. 
  4. Incident management and response: This area covers the service provider's incident management and response processes, including incident detection, response and reporting.  
  5. Business continuity and disaster recovery: This area covers the service provider's business continuity and disaster recovery processes, including backup and recovery procedures and testing. 

Overall, the e1 assessment provides a streamlined and cost-effective way for small service providers or those with limited exposure to sensitive healthcare information to demonstrate their compliance with the HITRUST CSF controls and requirements. 

HITRUST i1 is an assessment option under the HITRUST Assurance Program, which is designed to evaluate the information security controls of service providers that handle sensitive healthcare information. The i1 assessment is a streamlined, low-cost assessment that enables service providers to evaluate their compliance with the HITRUST CSF controls and requirements and report their results to their customers and stakeholders. 

The i1 assessment is intended for service providers with limited exposure to sensitive healthcare information or those that provide non-core services to the healthcare industry. It includes a subset of the HITRUST CSF controls and requirements, focusing on the most critical security and privacy requirements. The i1 assessment is a cost-effective way for service providers to demonstrate their commitment to protecting sensitive healthcare information and provide assurance to their customers.

The i1 assessment includes a set of questions that cover the following areas: 

  1. Organization and policies: This area focuses on the service provider's organizational structure, policies and procedures related to information security. 
  2. Physical security: This area covers the service provider's physical security controls, such as access controls, security monitoring and environmental controls. 
  3. Technical security: This area covers the service provider's technical security controls, such as access controls, encryption, network security and vulnerability management. 

Overall, the i1 assessment provides a streamlined and cost-effective way for service providers with limited exposure to sensitive healthcare information or those that provide non-core services to demonstrate their compliance with the HITRUST CSF controls and requirements. 

HITRUST r2 is an assessment option under the HITRUST Assurance Program, which is designed to evaluate the information security controls of service providers that handle sensitive healthcare information. The r2 assessment is a rigorous, comprehensive and independent assessment that evaluates an organization's compliance with the HITRUST CSF controls and requirements. 

The r2 assessment is intended for service providers that handle large volumes of sensitive healthcare information and are required to demonstrate a high level of information security and privacy controls. The assessment involves a thorough review of the organization's information security policies, procedures, and technical controls, as well as an evaluation of its risk management practices. 

The r2 assessment covers all of the HITRUST CSF controls and requirements, including the privacy and regulatory requirements, and is conducted by a qualified and independent HITRUST assessor. The assessment includes an onsite audit, interviews with key personnel, and testing of the organization's technical controls and processes. 

The r2 assessment provides a comprehensive evaluation of an organization's information security controls and practices, and enables the organization to demonstrate its compliance with the HITRUST CSF controls and requirements to its customers and stakeholders. The assessment also helps organizations identify areas for improvement and prioritize their information security investments to better protect sensitive healthcare information.

Our approach

Five benefits of HITRUST

  1. computer security icon

    Robust approach to information security

    The HITRUST CSF incorporates multiple frameworks and standards to provide a comprehensive and standardized approach to managing information security risks.

  2. lock cyber icon

    Improved cybersecurity posture

    By adopting the HITRUST CSF, organizations can improve their cybersecurity posture and demonstrate their commitment to protecting sensitive information. The HITRUST CSF includes a set of control requirements that can help organizations identify and mitigate their security risks.

  3. Streamlined approach to compliance

    The HITRUST CSF is a certifiable framework that provides organizations with a comprehensive, flexible and consistent approach to regulatory compliance and risk management.

  4. money icon

    Cost-effective tiered assessments

    HITRUST offers cost-effective assessments that can help organizations manage their information security risks efficiently and effectively.

  5. digital fingerprint icon

    Increased trust and confidence

    HITRUST certification can help organizations demonstrate their commitment to protecting sensitive information, which can increase trust and confidence among patients, partners, and stakeholders.

Working with Baker Tilly on our HITRUST and NIST 800-53 readiness was an exceptional experience. Their efficiency and expertise conducting the assessments simultaneously was very valuable to us. The team’s professionalism and customer service really stood out.
Landon Perry, CIA, CFE, CGFM – Director of Internal Audit, North Carolina Department of Information Technology

Our industries

  1. Two advisors reviewing financial services dashboard data

    Financial Services

    The financial services industry continues to diversify, but competition and more complex vendor relationships make determining business strategy more complicated.
  2. Life sciences presentation on data dashboard

    Healthcare & Life Sciences

    Baker Tilly helps organizations win now, and explore the options for tomorrow, through an orchestrated approach and understanding encompassing all facets of the healthcare ecosystem.
  3. Students review schedules on campus

    Higher Education

    Balance competing priorities. Effectively align limited resources. Advance student and institutional success.
  4. circle of hands at a not-for-profit organization

    Not-for-Profit

    We have a deep understanding of the issues not-for-profit organizations face, and the creativity and humanity required to thrive in your world.