Understanding the HITRUST CSF: A Guide for Beginners

HITRUST CSF Framework

What is HITRUST?” is typically the first question asked by organizations exploring HITRUST for the first time. Formerly, HITRUST stood for Health Information Trust Alliance but several years ago it rebranded to simply HITRUST to align with changes to the “framework,” making it industry agnostic.

Is HITRUST a Framework?

HITRUST is far more than a framework. HITRUST Alliance, Inc. (HITRUST) is the current, formal name for the industry body. Founded in 2007, HITRUST has remained a leader in the industry by continuously developing frameworks and assessment programs that allow organizations to protect sensitive information across industries and reduce third-party risk throughout supply chains.

Why is HITRUST Important?

HITRUST is an organization that develops and maintains a common security and privacy framework, known as the HITRUST CSF (“CSF”). The CSF can be leveraged to effectively manage and certify compliance with information security controls, and consolidate compliance reporting requirements.

The foundation of all HITRUST programs and services is the HITRUST CSF. This certifiable framework provides organizations across the globe with a comprehensive, flexible, and efficient approach to regulatory/standards for compliance and risk management.

 

What is HITRUST CSF?

What is the HITRUST Common Security Framework (CSF)?

The HITRUST CSF and the concept of HITRUST certification were initially developed for organizations working in the healthcare industry, which often found the vagueness of the HIPAA Security rule challenging to understand and properly implement. This often resulted in healthcare payers and providers not having an adequate way to assess the security posture of their IT vendors and the effectiveness of the controls in place to safeguard protected information.

As a framework of controls, the HITRUST CSF normalizes security and privacy requirements for organizations from a variety of sources, including but not limited to:

The CSF simplifies the challenging task of consolidating multiple sources into a single control set built to provide scalable security and privacy requirements based on a variety of risks and exposures present in each unique organization.

The goal of the HITRUST CSF is to harmonize compliance requirements and provide specific details regarding how controls are implemented. The CSF is a proprietary risk and control framework that is updated roughly annually with minor versions being released between major revisions.

 

HITRUST CSF organization

How is the HITRUST CSF Organized?

The CSF contains 14 control categories, comprising 49 control objectives and 156 control specifications. In the chart below, the CSF control categories are broken down to include control objectives and control specifications:

Control Category # Control Category Name Control Objectives Control Specifications
0 Information Security Management Program 1 1
1 Access Control 7 25
2 Human Resources Security 4 9
3 Risk Management 1 4
4 Security Policy 1 2
5 Organization of Information Security 2 11
6 Compliance 3 10
7 Asset Management 2 5
8 Physical and Environmental Security 2 13
9 Communications and Operations Management 10 32
10 Information Systems Acquisition, Development, and Maintenance 6 13
11 Information Security Incident Management 2 5
12 Business Continuity Management 1 5
13 Privacy Practices 7 21

The data from this chart, and for the bulleted section below, was obtained from this HITRUST source.

Each control category is comprised of the following architecture which includes but is not limited to:

  • Control Objective: Statement of the desired result, or purpose to be achieved, by one or more controls within the control category.” (e.g. what is the goal to be achieved?)
  • Control Reference: Control number and title.” (e.g. identifier)
  • Control Specification: Policies, procedures, guidelines, practices, or organizational structures, which can be managerial, operational, technical, or legal in nature, required to meet the control objective.” (e.g. what must be in place to achieve objectives?)
  • Risk Factor Type: Organizational, regulatory, or system risk factors that increase the inherent risk to an organization or system, necessitating a higher level of compliance.”

What are Risk Factors in the HITRUST CSF?

Risk factors can be considered the attributes by which the composition of the assessment is defined, or in other terms, they determine how many applicable requirements are to be included in each assessment. Risk factors are only used in the r2 validated assessment. Risk factors are not used in the i1 validated assessment or the bC assessment, which are not intended to provide the same level of assurance as the r2 assessment. Fundamentally, risk factors influence the number of requirements which apply to organizations based on various criteria including:

  • General Factors
  • Organizational Factors
  • Geographic Factors
  • Technical Factors
  • Regulatory Factors

The details of these scoping factors are beyond the scope of this article, but are very important in determining the number of applicable requirements in an assessment, as discussed below.

How is the HITRUST CSF Structured in an Assessment?

People often ask, “What are the 19 domains of HITRUST?” This is a great question, and ties to the way the CSF is leveraged to perform an assessment. In an assessment, the HITRUST CSF is broken out into 19 different “assessment domains,” which are aligned with common IT process areas containing various control requirements.

HITRUST Assessment Domains
01 Information Protection Program 08 Network Protection 15 Incident Management
02 Endpoint Protection 09 Transmission Protection 16 Business Continuity & Disaster Recovery
03 Portable Media Security 10 Password Management 17 Risk Management
04 Mobile Device Security 11 Access Control 18 Physical & Environmental Security
05 Wireless Security 12 Audit Logging & Monitoring 19 Data Protection & Privacy
06 Configuration Management 13 Education, Training, and Awareness
07 Vulnerability Management 14 Third-Party Assurance

These 19 assessment domains are broken into 135 Security Controls and 14 Privacy Controls controls can map back to multiple domains. Controls are then broken down into control requirements. It is important to note organizations can only certify against the HITRUST Security Assessment (vs. Comprehensive Assessment and Privacy Assessment), and there are only 75 controls in-scope of the baseline security assessment.

For organizations that elect to conduct comprehensive security and privacy examinations, if they achieve certification, the certification only covers the 75 required security controls. The remaining 60 controls are optional and are only included in Comprehensive Assessments. Privacy is currently not certifiable by HITRUST. For this reason, clients are encouraged to focus their certification efforts on the baseline security assessment.

 

HITRUST CSF Assessments

Types of HITRUST CSF Assessments

There are two primary types of assessments organizations may choose from within the HITRUST ecosystem, a self-assessment or a validated assessment:

  • Self Assessment: This type of assessment allows the organization to obtain access to the HITRUST CSF via the myCSF tool. Organizations can scope their assessment and conduct gap assessments against the framework. It is highly recommended that organizations work with a HITRUST assessor firm to conduct the self-assessment to ensure control requirements are appropriately interpreted and evaluated. This provides a stepping stone to a validated assessment and ensures controls are properly designed prior to seeking CSF validation. Organizations that complete a self-assessment are not HITRUST-certified. The bC discussed below is most commonly performed as a self-assessment.
  • Validated Assessments: A validated assessment must be successfully completed to achieve HITRUST certification. Organizations are required to use an authorized HITRUST assessor firm to conduct the assessment. Unlike self-assessment, remediation is not allowed during a validated assessment. The i1 and the r2 are performed as validated assessments when certification is the end goal.

To conduct a HITRUST assessment, organizations must purchase a subscription to MyCSF, which grants access to the various assessment types. There are various pricing packages and it is recommended that organizations communicate directly with HITRUST to obtain the latest pricing.

How Many Different HITRUST Assessments are Available?

Beyond the differences between self-assessments and validated assessments, there are currently three different HITRUST assessments available to organizations pursuing HITRUST compliance:

  1. HITRUST Essentials, 1-Year (e1) Assessment + Certification – The HITRUST e1 Assessment is designed to cover fundamentals of basic cyber-hygiene that address the assurance needs of lower-risk organizations. The e1 requires less effort, but also provides a lesser level of assurance compared to the HITRUST i1 and r2 Assessments. The e1 is new to the HITRUST assessment portfolio and was introduced in early 2023.
  2. HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification – The i1 can be described as a “best practices” assessment recommended for situations that present moderate risk. The i1 is a fixed-scope assessment and does not leverage scoping factors. The i1 requires the usage of an external assessor organization to perform an assessment as part of certification. The i1 is new to the HITRUST assessment portfolio and was introduced in late 2021 and underwent the first major revision in early 2023.
  3. HITRUST Risk-based, 2-Year (r2) Validated Assessment + Certification – Formerly known as the HITRUST CSF Validated Assessment which carries the industry vernacular of “HITRUST certification,” the r2 is tailored through the usage of scoping factors. Like the e1 and i1, the r2 requires the usage of an external assessor organization to perform an assessment as part of certification.

For the e1 and  i1 validated assessments, the number of included requirements is fixed for all organizations pursuing a given version. As part of the commitment by HITRUST to maintain the threat-adaptive nature of HITRUST assessments, requirements are added and removed as part of its commitment to maintaining a comprehensive and industry-relevant assessment.

For the r2 validated assessment, the number of controls included in an organization’s assessment is driven by “scoping factors” as previously discussed. Each organization must scope its object (HITRUST assessment) and should do so in collaboration with its external assessor if HITRUST certification is the goal of the organization. Scoping consists of answering a variety of questions that are used to determine how many controls are in-scope for an assessment. The largest driving factor in scope is the number of sensitive records maintained by an organization, typically defined as the number of breach notification letters which would need to be sent in the event of a catastrophic breach (not discrete pieces of data). As a rough estimate, we see the number of control requirements similar to the following:

  • Under 10 Million Records: Assessment size of ~300 control requirements,
  • Between 10 to 60 Million Records:  Assessment size of ~375+ control requirements,
  • Over 60 Million Records: Assessment size of ~450+ requirements.

 

Achieving HITRUST certification

How Do Organizations Achieve HITRUST Certification?

For the e1, i1 and r2 validated assessments, to achieve HITRUST certification organizations must achieve a passing score in each of the 19 HITRUST domains. Each control requirement is scored and evaluated against one (e1/i1) of five (r2) “Maturity Level(s)” based on the degree to which the control is implemented.

  • Policy: Are there policies in place that directly address the requirements of the controls?
  • Procedure: Formal documentation for non-automated controls which outlines the who, what, when, where, and how of a process. For example, if you conduct a risk assessment, is there a procedure that defines how the risk assessment is conducted in addition to a policy that simply states one will be performed?
  • Implementation: Are all elements of the requirement statement implemented?
  • Measured and Managed: The last two maturity levels are highly interrelated and are akin to continuous monitoring. There is an extensive evidence and documentation threshold for the measured and managed maturity levels. As a result, they are typically not included by organizations in their HITRUST assessments as they are not needed to achieve certification.

In an r2 validated assessment, each control requirement is evaluated against all five maturity levels to determine the score. The score for each maturity level is based on the degree of implementation, and the weighting of the maturity level. The policy, procedure, and implementation maturity are weighted at 15%, 20%, and 40% respectively — meaning organizations can obtain 75 out of 100 points from these maturity levels, which is more than enough to achieve certification. The measured and managed maturity levels are weighted at 10 and 15% respectively.

Note: For the r2, organizations seeking certification can obtain passing scores only by evaluating their in-scope requirements against the policy, procedure, and implementation maturity levels. There is no requirement to pursue scores for the Measured and Managed areas. As such, organizations new to HITRUST should consider avoiding evaluation of the measured and managed maturity levels.

In an e1 and i1 validated assessment, only implementation maturity is scored on a scale of 0-100% as referenced below.

How is Implementation Maturity Scored?

Each requirement can achieve a score of 0 to 100% for each maturity level based on the degree the control is implemented. HITRUST defines the implementation maturity as follows:

Maturity Requirement
Non-Compliant (NC) – 0% Very few, if any, of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).
Somewhat Compliant (SC) – 25% Some of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).
Partially Compliant (PC) – 50% About half of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).
Mostly Compliant (MC) – 75% Many but not all of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed.)
Fully Compliant (FC) – 100% Most if not all of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).

The key takeaway is that scores for each domain are based on a large weighted average for each control requirement and associated maturity level.

It is also worth noting that the e1 and i1 assessment only includes scoring of the “implementation” element of maturity, and also includes a different minimum score for certification. This does not mean policies and procedures are not important, but the evaluative elements are different in how policies and procedures are evaluated.

For specific details on HITRUST Scoring across assessment types please see How to Score HITRUST CSF Controls.

How Does the HITRUST CSF Compare to Other Security Frameworks?

One of the main differences between HITRUST and other security frameworks is the focus on security governance activities. This is achieved on multiple levels.

The first method requires organizations to have current and approved information security policies and procedures that address the HITRUST requirement specifications. These requirements go beyond simply stating an organization encrypts data, but rather require the organization to specify how data is encrypted at rest in all types of IT mediums and in transit.

The second way this is achieved is through numerous review controls that many consider routine IT operations activities. For example, most information security frameworks, including HITRUST, require organizations to deploy firewalls or similar protections to restrict inbound traffic to their networks.

In addition, HITRUST also requires that a review of firewall rules is performed and documented at least annually.

What Frameworks Are Included in the HITRUST CSF?

When comparing HITRUST to other security frameworks, it is easy to see the similarities and differences. At the end of the day, HITRUST is a certifiable framework, unlike HIPAA, which is a regulation. The HITRUST CSF is foundationally built on ISO27001. If properly implemented, the baseline security assessment is considered to address all HIPAA security rule requirements. In addition, the HITRUST CSF currently integrates 44 major security and privacy-related standards, regulations, and frameworks as authoritative sources.

 

Is HITRUST internationally recognized?

Is HITRUST an International Standard?

The HITRUST CSF is an international standard and includes several security and privacy frameworks from countries and regions around the world as authoritative sources, including but not limited to the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and General Data Protection Regulation (GDPR).

How Do I Get the HITRUST CSF?

The HITRUST CSF is freely available with certain limitations related to usage of the CSF for non-qualified individuals. The HITRUST CSF can be downloaded from HITRUST.

Conclusion

The HITRUST Common Security Framework is unique and can be challenging to understand. Hopefully, this article has provided clarity on the framework and how it is structured. Linford & Co. is an approved HITRUST Assessor firm, with deep expertise in HITRUST audits and HIPAA assessments.

Lastly, please contact us with any HITRUST-related questions. We are happy to consult about providing a HITRUST assessment or discuss one of the many other audit and certification services we can provide for your organization.

This article was originally published on 1/22/2020 and was updated on 3/15/2023.