New HITRUST Assessment Option Included in v11

In November 2022, HITRUST announced that HITRUST CSF v11 will be released in January 2023. HITRUST introduced a new assessment option and made changes to the assessment portfolios which were last updated in 2021.

HITRUST Essentials, 1-year (e1)

HITRUST announced a new assessment titled HITRUST Essentials (e1). The e1 is designed as a low-effort cybersecurity assessment focusing on basic cybersecurity hygiene and addressing what HITRUST identified as the most critical cybersecurity practices. The e1 is designed for vendors whose risk may not be high enough to warrant the more extensive HITRUST assessments but do need to demonstrate a verifiable commitment to basic security. The e1 evaluates controls based on the implementation of the control which reduces the amount of required policy and procedure documentation. The e1 controls are standardized and no scoping is required.

The e1 is a validated assessment that requires the organization to use a HITRUST assessor firm to evaluate their control maturity for submission to HITRUST for certification. e1 certifications must be renewed annually. The e1 has 44 controls.

HITRUST Implemented, 1-year (i1)

In 2021, HITRUST introduced the i1 which was designed to give organizations a way to demonstrate their commitment to cybersecurity without the resource requirements of HITRUST’s Risk-based 2-year assessment. As part of the v11 upgrade, HITRUST is also updating the i1. Currently, the i1 has 219 controls and, as a result of the changes to the assessment risk analysis, HITRUST expects the i1 will now have approximately 180 controls. The i1 continues to be scored based on implementation only.    

With v11, HITRUST is focused on making the assessments traversable. As a result, organizations who have completed an e1 will find those controls reflected in the i1, allowing them to progress to a more robust level of assurance more easily. The i1 will include all the e1 controls, plus controls reflecting leading cybersecurity practices and threats.

HITRUST will sunset the current version of the i1 over the coming months. All assessments must be created by March 31, 2023 and submitted by June 30, 2023. All assessments submitted after June 30, 2023, will be converted to v11.

HITRUST also implemented a Rapid Recertification process for organizations that obtain an i1 using the v11 assessment. The i1 Rapid Recertification will require the organization and their external assessor to test the following on the anniversary of the original assessment:

• All i1 requirement statements within the current version of the i1 CSF that were not included in the previous assessment
• A sample of approximately 1/3 of the requirement statements scored in the prior assessment
• Verification that any not applicable statements are still considered not applicable
• Any requirement statements that required a corrective action plan from the prior assessment

Assuming the testing does not show significant degradation in the control environment, HITRUST will issue a new validation report. Should the testing demonstrate issues with the controls, HITRUST may require additional testing or the organization to complete a full assessment instead of the Rapid Recertification.

The i1 Rapid Recertification may be performed every other year with full testing of all controls required on alternate years. The i1 Rapid Recertification is not available to organizations with a current i1.

HITRUST Risk-based, 2-year (r2)

For the traditional r2 or Validated Two Year Assessment, HITRUST made changes to clarify the requirements. The implementation guidance provided in the Illustrative Procedures has been moved into the requirement statement itself and HITRUST worked to make the guidance significantly clearer. Guidance for scoring measured and managed has also been upgraded.

Additionally, the r2 controls have been enhanced by the inclusion of the NIST 800-53 Rev5 and Health Industry Cybersecurity Practices (HICP) in the MyCSF framework. HITRUST has also continued the traversable nature of its assessments by including all controls from the i1 as the core controls for the r2 assessment. The r2 risk-based assessment is still tailored based on scoping factors designed to address risks specific to the organization. Controls will still be scored on maturity levels for policy, process, and implementation with the option to score for measured and managed implementation.

As part of the transition to v11, HITRUST announced they will be sunsetting CSF versions 9.1- 9.5.  Assessments can be created using those versions until September 30, 2023 and submitted to HITRUST through December 31, 2024. Versions 9.6 and later will remain active and usable by organizations seeking certification.

Assessment Overview

HITRUST Basic Assessment (bC)

HITRUST announced that while organizations can continue to access and use the bC assessment through 2023, this assessment will be retired upon the release of v11 in January 2023.

CompliancePoint has an experienced team of healthcare and cybersecurity professionals that can help your organization achieve and maintain HITRUST certification. Contact us at connect@compliancepoint.com to learn more about how we can help your organization.