Cyberattacks continue to increase in frequency and scale, placing significant pressures on organizations to protect sensitive data and information. Many health care and other organizations even require vendors and contractors to have HITRUST CSF® certification from an external assessor to be eligible for, or start, engagements.

Navigating the complex components of certification, however, can drain significant time and resources that could cause your organization to lose contracts should you not be able to verify security protocols.

Assess your current cybersecurity standing, bridge potential gaps, and demonstrate your organization as a current, trustworthy protector of private data with a HITRUST CSF certification from our professionals.

How HITRUST CSF Can Support Your Organization

Though HITRUST CSF began as the set of security controls to support the federal laws protecting sensitive patient information in health care, it has now become data agnostic and focuses on any sensitive information that an organization needs to protect. The HITRUST CSF is a certifiable risk management framework for a range of organizations to demonstrate their security and compliance including:

  • Technology companies handling large amounts of sensitive data
  • Insurance companies with personally identifiable information (PII)
  • Health care organizations looking to manage information security risk and compliance
  • Any organization handling sensitive data, such as protected health information (PHI), proprietary information or PII

Based on strategic cybersecurity practices from the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) Special Publication 800-53, HITRUST CSF can be leveraged to map out and comply with requirements and control areas of other security frameworks and standards.

A one-time assessment can also help report on information risk and compliance with:

  • HIPAA, CMS, Joint Commission, Minimal Acceptable Risk Standards for Exchanges (MARS-E), and Health Industry Cybersecurity Practices (HICP)
  • State-specific and international regulations
  • Payment card industry data security standards (PCI DSS)
  • General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other privacy regulations

Navigate the HITRUST Process

Whether your organization needs a new cybersecurity assessor or is planning its first assessment, our professionals can help guide you throughout the certification process.

Determining which of HITRUST’s three assessment types to verify your standing against is the first step.

Chart of HITRUST assesments with descriptions, certification length and more.

How the HITRUST Assessment Process Works

We preface any of the above validated assessments—e1, i1, or r2—with a readiness assessment to prepare your organization for reporting and certification.

Interim assessments are available for the i1 and r2 assessments as the organization approaches the one-year anniversary of certification.

A bridge assessment, when applicable, can be used for previous r2 assessments.

Readiness Assessment

  • Review requirements and rate your organization’s controls
  • Verify with evidence such as policies and procedures, employee interviews
  • Identify needs to remediate gaps
  • Develop timeline leading up to validation assessment
  • Prepare for validated certification assessment

Validated Assessment

  • Conduct and document testing to demonstrate effectiveness of the controls and evaluate their maturity
  • Verify that the scope of the assessment is documented appropriately
  • Submit testing and evidence to HITRUST for review, including report creation and certification

Interim Assessment

  • Complete after r2 certification and before the anniversary date of the certification to check that the scope is still valid and security controls are still effective in order to remain certified for another year
  • Limited review of at least one requirement statement from each of the 19 domains and review of any corrective action plans from the last assessment

Bridge Assessment

  • Creates a temporary 90-day certificate if the original r2 certification date can’t be met
  • Should only be considered when there are issues completing an assessment before the expiration of the current certification
  • Covers one requirement statement in each domain

Expansive HITRUST CSF and Cybersecurity Experience

With dedicated cybersecurity service lines, our professionals have extensive knowledge of cyber-risk frameworks. Our collaborative approach takes the time to understand the specifics of your organization’s needs and strategically develop unique solutions contextualized among greater industry trends and activity.

We don’t simply provide templates. We determine appropriate cybersecurity solutions, proactively, to help build foundations for long-term success—so you’re prepared to stay ahead of change and address new risks and challenges.

Our professionals understand the nuanced operations of organizations that handle secured information and the demands they require of their vendors—not only in health care, but for any industry or organization seeking to keep sensitive information safe.

Our one-firm approach allows your organization to tap into the full resources of our firm, integrating guidance and solutions related to other integral support areas.


Primary Contact