HITRUST® Significantly Streamlines i1 Assessments with Version 11

On January 18, 2023, HITRUST announced the release of HITRUST CSF version 11 (v11) to “improve mitigations against evolving cyber threats, broaden the coverage of authoritative sources, and streamline the journey to higher levels of assurance.” In addition to addressing emerging threats, this major update to HITRUST CSF reduces redundancies and streamlines processes allowing organizations to achieve the same level of assurance with less effort. The HITRUST v11 changes can reduce certification efforts by up to 45%. 

Three assessment types will be available with HITRUST CSF v11 to accommodate organizations with varying levels of risk and to ensure that the level of effort required for assessment and certification matches the level of assurance needed, all of which come with the credibility of HITRUST certification. Here’s a summary of the three assessment types:

 

HITRUST CSF v11 Assessment Types

HITRUST Assessment	# of HITRUST CSF Requirements	Subject Matter / Focus	Control Maturity Levels	Level of Assurance	Level of Effort
HITRUST Essentials, 1-year (e1) Validated Assessment	Less than 50	Foundational Cybersecurity Hygienefor lower-risk organizations validating the most critical cybersecurity controls. Provides a starting point for all organizations including those in the early stages of implementing their program.	Implemented only(But: Some requirements are P&P focused)	Low	Low
HITRUST Implemented, 1-year (i1) Validated Assessment	Approximately 182	Leading Security Practices for organizations with robust information security programs ready to demonstrate controls that protect against current and emerging threats.​	Implemented only(But: Some requirements are P&P focused)	Medium	Medium
HITRUST Risk-Based, 2-Year (r2) Validated Assessment	Varied based on risk and compliance factors (average 400+)	Expanded Capabilities for organizations to demonstrate regulatory compliance against authoritative sources such as HIPAA and the NIST Cybersecurity Framework or expanded tailoring of controls based on identified risk factors.	Must: Policy, Procedure, Implemented Optional: Measured & Managed	High	High

In this blog post, we’ll focus on the significant changes being made to the i1 assessment type under v11.

What is HITRUST CSF?

The HITRUST organization provides a framework that safeguards sensitive information and can help manage information risk for organizations across all industries. Its programs have been widely adopted in the healthcare industry. 

HITRUST CSF addresses the multitude of security, privacy, and regulatory challenges facing healthcare organizations today. With a comprehensive framework of security requirements, HITRUST incorporates a risk-based approach to federal and state regulations and common standards and frameworks to help organizations address these challenges. 

How are the i1 Assessment Requirements Changing with HITRUST CSF Version 11?

The HITRUST CSF v11 i1 assessment requirements have been significantly streamlined relative to the previous version (v9). HITRUST estimates that the level of effort to achieve and maintain HITRUST Implemented, 1-year (i1) certification over two years can be reduced by up to 45%.

Reduced Requirements

The number of requirements statements included in i1 assessments has been reduced from 219 in v9 to approximately 182 in v11. Factors contributing to this reduction include:

• Refreshing authoritative source mappings. 
• Continual threat adaptive control analysis.

The reduced number of requirements significantly streamlines the HITRUST CSF assessment and certification processes for organizations.

Rapid Recertification

A new i1 rapid recertification approach has been introduced with v11. This provides an accelerated way to get to your next certification by demonstrating that your control environment has not materially changed since the previous assessment was performed. Organizations will be required to perform a full i1 assessment in the first year. In year 2 they will be allowed to perform a rapid recertification assessment involving a significantly-reduced number of requirements if certain criteria are met. We anticipate that for most organizations, the rapid recertification will require a much smaller effort than is required for the full assessment.

In year 3 and beyond, a full assessment will be required every other year, with rapid recertifications required in the years between full assessments.

i1 Rapid Recertification Timeline

An i1 rapid recertification assessment results in the same full assessment report as a full i1 assessment. 

Who Can Use the i1 Rapid Recertification?

To be eligible to use the i1 Rapid Recertification assessment, organizations must meet all of the following criteria:

• The Assessed Entity currently holds an i1 Certification resulting from the performance of a standard i1 assessment that utilized CSF v11 or later. 
• The Assessed Entity intends to assess the same scope that was assessed through the previous standard i1 assessment. 
• No significant changes have occurred since the previous i1 Certification date in the Assessed Entity’s business or security policies, processes, controls, hosting locations, or technologies that may impact the Assessed Entity’s ability to meet the i1 Certification criteria.
• The control environment has not materially degraded since the previous standard i1 assessment was performed. 
• The Assessed Entity has an available assessment object in MyCSF. 

What Requirements Must Be Assessed in the i1 Rapid Recertification?

The criteria for requirements that must be covered in the i1 rapid recertification are summarized below:

1. All i1 requirement statements within the current version of the CSF that were not included in the previous i1 assessment.
2. A sample of approximately 1/3 of the requirement statements that were scored in the previous i1 assessment.
3. Review of requirement statements that were marked as N/A during the previous i1 assessment.
4. Requirement statements that required a CAP during the previous i1 assessment.

All remaining i1 requirement statements within the current CSF i1 requirements selection are not required to be assessed.

The diagram below illustrates the i1 rapid recertification assessment requirements.

I1 Rapid Recertification Assessment Requirements

Detection of Control Degradation

Organizations must submit the results of the initial full i1 assessment, and all subsequent annual assessments, to the HITRUST MyCSF portal for review. 

When reviewing the sample of requirements statements included in a rapid recertification, MyCSF compares the scoring of the sample requirements with the previously submitted requirements to detect if control degradation has occurred. 

• If 2 or fewer scores have been lowered due to an issue in the operation of the controls, the Assessed Entity may carry over scores from their previous i1 assessment for the remaining requirement statements. 
• If 3 or more scores have been lowered, the Assessed Entity will either be presented with the option to assess an additional sample of controls or will be informed that a full i1 assessment must be completed.

The diagram below provides additional detail on the control degradation logic used by MyCSF:

MyCSF Control Degradation Logic

Additional Resources

Below are additional resources that provide a deeper dive into the topics covered in this blog post:

• HITRUST CSF v11 Announcement
• Tevora Selected for the 2022 HITRUST Assessor Council

Contact Us

If you have questions about HITRUST CSF v11, or would like help bringing your organization into compliance, our team of experienced HITRUST and healthcare security experts can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com.