New HITRUST Assessments Give Companies More Options for Security Reporting
- David Mills
After years of hoping for a simpler data security assessment option, organizations’ wishes have finally been granted. On January 1, 2022, HITRUST (formerly known as the Health Information Trust Alliance) introduced two new assessments, giving organizations more flexibility in choosing an information assurance option tailored to their specific needs.
HITRUST’s Risk-Based, 2-Year Validated Assessment—previously called the CSF Validated Assessment and commonly known as the r2—has been the gold standard for organizations that need to prove their data security is top-notch. However, it is time-consuming, and the number of controls in scope often puts it out of reach for entities with less demanding security reporting requirements.
For some companies, it remains the best option, because its control set maps to HIPAA regulations and the ISO/IEC 27000 series, so a certification provides assurance against those requirements. The r2 assessment works well for organizations dealing with large amounts of sensitive data and significant regulatory scrutiny, giving those entities the highest level of assurance on their security practices.
Midsize and smaller organizations in the healthcare industry, as well as entities with less complex data systems, have long desired a less rigorous option, and HITRUST has finally delivered. Its new HITRUST Implemented, 1-Year Validated Assessment (called the i1 for short) takes less time and is significantly simpler than the r2, while still offering a moderate level of assurance and confirmation of best practices.
While less robust in coverage than the r2, the i1 still covers NIST SP 800-171, HIPAA Security Rule, GLBA Safeguards Rule, U.S. Department of Labor EBSA Cybersecurity Program Best Practices, and Health Industry Cybersecurity Practices (HICP). Organizations that balked at the effort and expense of the r2 may take a second look at HITRUST assessments due to the i1 release.
In addition to the i1, HITRUST also debuted its Basic, Current-State Assessment (bC) this year. The bC offers organizations a lightweight self-assessment of their security posture at the time of the test. Users of the bC access the HITRUST Assurance Intelligence Engine, which flags omissions, errors, and potentially fraudulent responses. The bC works best for smaller entities with simpler structures that generate less data to protect.
The table below offers a breakdown of the three assessment options now available through HITRUST:
|HITRUST Assessment|Description|Level of Assurance|Coverage|
|---|---|---|---|
|r2 – Risk-Based, 2-Year Validated Assessment|Established gold standard; validated assessment and risk-based certification|High|NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others|
|i1 – Implemented, 1-Year Validated Assessment|New; validated assessment and certification|Moderate|NIST SP 800-171, HIPAA Security Rule, GLBA Safeguards Rule, U.S. Department of Labor EBSA Cybersecurity Program Best Practices, HICP|
|bC – Basic, Current-State Assessment|New; self-assessment|Low|NISTIR 7621|
At CRI, our professionals recognize how important it is to assure clients that their data will be kept safe and secure. We can help you find the security assessment that works best for your organization and be there throughout the assessment process. To learn more about HITRUST’s assessments and CRI’s IT audit services, get in touch with us today!