The HITRUST CSF is a certifiable security and privacy framework that helps organizations secure, comply, and assess against several security and privacy-related standards, regulations, and recommended practices.
HITRUST is used by organizations in many different highly regulated industries, such as health care organizations, technology companies, insurance plan providers, and any organization that handles different classifications of sensitive data.
With its version 11 update, HITRUST has maintained its commitment to improve the framework. The latest version helps organizations better manage risk by staying updated on the current cyberthreat landscape.
HITRUST CSF Version 11
HITRUST recently launched version 11, which is now available for use. Version 10 was skipped.
HITRUST is decommissioning the version 9.x series. Organizations currently using version 9.1 through 9.4 must switch over to version 11 or a higher version of 9.x—either 9.5 or 9.6—by 2024.
Timing and Deadlines
Organizations have until December 31, 2024, to submit assessments using versions 9.1 through 9.4, but any new assessment objects using these versions must be created by September 30, 2023.
Additionally, any organizations using version 9.6.2 or earlier for one-year (i1) assessments must create the assessment object before April 30, 2023, and submit by July 31, 2023.
Organizations currently using versions 9.5 or 9.6 for r2 assessments can continue to use those versions, but they will also be decommissioned in the future.
Three HITRUST Certification Assessment Types
The following is a cursory explanation of each assessment type. For more details on each assessment, visit HITRUST Assurance Advisories.
HITRUST Essentials One-Year (e1) Assessment and Certification
The e1 assessment is a new assessment type for organizations that want an initial assessment of essential cybersecurity controls, evaluating the implementation and maturity of those controls and providing a path to certification. It is meant to help lower-risk entities evaluate their cyber hygiene and cybersecurity practices, and to serve organizations that are still developing their cybersecurity program.
The assessment includes 44 requirement statements that address fundamental recommended practices across 19 domains. HITRUST assessments always include those same 19 domains.
The certification is good for one year.
HITRUST Implemented One-Year (i1) Assessment and Certification
The i1 assessment builds on the e1 certification. The assessment includes 182 requirement statements, 44 of which are the ones included in the e1 assessment. The 182 requirement statements are based on the latest ongoing cybersecurity threats, and the requirement statements within each assessment type may change as those threats change.
This assessment is for organizations that have a cybersecurity program built out and want to evaluate their maturity against the 182 requirements. It may also be used as an initial assessment by organizations that know their implementation is strong but don't have, or aren't sure of, the policy and procedure requirements for the r2 assessment.
Organizations can be certified for one year following a validated i1 assessment.
HITRUST Risk-Based, Two-Year (r2) Assessment and Certification
The r2 assessment can have any number of requirement statements, depending on the scope of the assessment. Most assessments are around 300–350 statements, but some exceed 1,500. At a minimum, the r2 assessment evaluates maturity levels for:
- Policy
- Procedures
- Implementation of each requirement statement
With an r2 HITRUST assessment, the organization's maturity has been scored, gaps and corrective action plans have been identified, and the organization is working through those corrective action plans toward increased maturity.
The r2 certification is valid for two years as long as the organization passes its interim assessment, which must be completed within one year of obtaining certification.