Understanding the HITRUST CSF: A Guide for Beginners

“What is HITRUST?” is typically the first question asked by organizations exploring HITRUST for the first time. Formerly, HITRUST stood for Health Information Trust Alliance, but several years ago it rebranded to simply HITRUST to align with changes to the “framework,” making it industry agnostic.

Is HITRUST a Framework?

HITRUST is far more than a framework. HITRUST Alliance, Inc. (HITRUST) is the current, formal name for the industry body. Founded in 2007, HITRUST has remained a leader in the industry by continuously developing frameworks and assessment programs that allow organizations to protect sensitive information across industries and reduce third-party risk throughout supply chains.

Why is HITRUST Important?

HITRUST is an organization that develops and maintains a common security and privacy framework, known as the HITRUST CSF (“CSF”). The CSF can be leveraged to effectively manage and certify compliance with information security controls, and consolidate compliance reporting requirements.

The foundation of all HITRUST programs and services is the HITRUST CSF. This certifiable framework provides organizations across the globe with a comprehensive, flexible, and efficient approach to regulatory and standards compliance and risk management.

What is the HITRUST Common Security Framework (CSF)?

The HITRUST CSF and the concept of HITRUST certification were initially developed for organizations working in the healthcare industry, which often found the vagueness of the HIPAA Security rule challenging to understand and properly implement. This often resulted in healthcare payers and providers not having an adequate way to assess the security posture of their IT vendors and the effectiveness of the controls in place to safeguard protected information.

As a framework of controls, the HITRUST CSF normalizes security and privacy requirements for organizations from a variety of sources, including but not limited to:

The CSF simplifies the challenging task of consolidating multiple sources into a single control set built to provide scalable security and privacy requirements based on a variety of risks and exposures present in each unique organization.

The goal of the HITRUST CSF is to harmonize compliance requirements and provide specific details regarding how controls are implemented. The CSF is a proprietary risk and control framework that is updated roughly annually, with minor versions released between major revisions.

How is the HITRUST CSF Organized?

The CSF contains 14 control categories, comprising 49 control objectives and 156 control specifications. In the chart below, the CSF control categories are broken down to include control objectives and control specifications:

| Control Category # | Control Category Name | Control Objectives | Control Specifications |
|---|---|---|---|
| 0 | Information Security Management Program | 1 | 1 |
| 1 | Access Control | 7 | 25 |
| 2 | Human Resources Security | 4 | 9 |
| 3 | Risk Management | 1 | 4 |
| 4 | Security Policy | 1 | 2 |
| 5 | Organization of Information Security | 2 | 11 |
| 6 | Compliance | 3 | 10 |
| 7 | Asset Management | 2 | 5 |
| 8 | Physical and Environmental Security | 2 | 13 |
| 9 | Communications and Operations Management | 10 | 32 |
| 10 | Information Systems Acquisition, Development, and Maintenance | 6 | 13 |
| 11 | Information Security Incident Management | 2 | 5 |
| 12 | Business Continuity Management | 1 | 5 |
| 13 | Privacy Practices | 7 | 21 |

The data from this chart, and for the bulleted section below, was obtained from this HITRUST source.

Each control category follows an architecture that includes, but is not limited to:

  • “Control Objective: Statement of the desired result, or purpose to be achieved, by one or more controls within the control category.” (e.g. what is the goal to be achieved?)
  • “Control Reference: Control number and title.” (e.g. identifier)
  • “Control Specification: Policies, procedures, guidelines, practices, or organizational structures, which can be managerial, operational, technical, or legal in nature, required to meet the control objective.” (e.g. what must be in place to achieve objectives?)
  • “Risk Factor Type: Organizational, regulatory, or system risk factors that increase the inherent risk to an organization or system, necessitating a higher level of compliance.”

What are Risk Factors in the HITRUST CSF?

Risk factors can be considered the attributes by which the composition of the assessment is defined, or in other terms, they determine how many applicable requirements are to be included in each assessment. Risk factors are only used in the r2 validated assessment. Risk factors are not used in the i1 validated assessment or the bC assessment, which are not intended to provide the same level of assurance as the r2 assessment. Fundamentally, risk factors influence the number of requirements which apply to organizations based on various criteria including:

  • General Factors
  • Organizational Factors
  • Geographic Factors
  • Technical Factors
  • Regulatory Factors

The details of these scoping factors are beyond the scope of this article, but are very important in determining the number of applicable requirements in an assessment, as discussed below.

How is the HITRUST CSF Structured in an Assessment?

People often ask, “What are the 19 domains of HITRUST?” This is a great question, and ties to the way the CSF is leveraged to perform an assessment. In an assessment, the HITRUST CSF is broken out into 19 different “assessment domains,” which are aligned with common IT process areas containing various control requirements.

HITRUST Assessment Domains

  • 01 Information Protection Program
  • 02 Endpoint Protection
  • 03 Portable Media Security
  • 04 Mobile Device Security
  • 05 Wireless Security
  • 06 Configuration Management
  • 07 Vulnerability Management
  • 08 Network Protection
  • 09 Transmission Protection
  • 10 Password Management
  • 11 Access Control
  • 12 Audit Logging & Monitoring
  • 13 Education, Training, and Awareness
  • 14 Third-Party Assurance
  • 15 Incident Management
  • 16 Business Continuity & Disaster Recovery
  • 17 Risk Management
  • 18 Physical & Environmental Security
  • 19 Data Protection & Privacy

These 19 assessment domains are broken into 135 Security Controls and 14 Privacy Controls; controls can map back to multiple domains. Controls are then broken down into control requirements. It is important to note organizations can only certify against the HITRUST Security Assessment (vs. Comprehensive Assessment and Privacy Assessment), and there are only 75 controls in-scope of the baseline security assessment.

For organizations that elect to conduct comprehensive security and privacy examinations, if they achieve certification, the certification only covers the 75 required security controls. The remaining 60 controls are optional and are only included in Comprehensive Assessments. Privacy is currently not certifiable by HITRUST. For this reason, clients are encouraged to focus their certification efforts on the baseline security assessment.

Types of HITRUST CSF Assessments

There are multiple types of assessment that organizations can elect to perform against the HITRUST CSF. As noted above, HITRUST certification only includes the control requirements in-scope for the 75 key controls required for certification.

  • Self Assessment: This type of assessment allows the organization to obtain access to the HITRUST CSF via the myCSF tool. Organizations can scope their assessment and conduct gap assessments against the framework. It is highly recommended that organizations work with a HITRUST assessor firm to conduct the self-assessment to ensure control requirements are appropriately interpreted and evaluated. This provides a stepping stone to a validated assessment and ensures controls are properly designed prior to seeking CSF validation. Organizations that complete a self-assessment are not HITRUST-certified. The bC discussed below is most commonly performed as a self-assessment.
  • Validated Assessments: A validated assessment must be successfully completed to achieve HITRUST certification. Organizations are required to use an authorized HITRUST assessor firm to conduct the assessment. Unlike self-assessment, remediation is not allowed during a validated assessment. The i1 and the r2 are performed as validated assessments when certification is the end goal.

To conduct a HITRUST assessment, organizations must purchase access to the HITRUST framework from HITRUST. There are various pricing packages and it is recommended that organizations communicate directly with HITRUST to obtain the latest pricing.

How Many Different HITRUST Assessments are Available?

Beyond the differences between self-assessments and validated assessments, there are currently three different HITRUST assessments available to organizations pursuing HITRUST compliance:

  1. The HITRUST Basic, Current-state (bC) Assessment – The bC can be described as a “good hygiene” self-assessment that offers higher reliability than other self-assessments and questionnaires through the usage of automation to perform basic quality checks of responses. The bC does not require the usage of an external assessor organization. The bC is new to the HITRUST assessment portfolio and was introduced in late 2021.
  2. HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification – The i1 can be described as a “best practices” assessment recommended for situations that present moderate risk. The i1 is a fixed-scope assessment and does not leverage scoping factors. The i1 requires the usage of an external assessor organization to perform an assessment as part of certification. The i1 is new to the HITRUST assessment portfolio and was introduced in late 2021.
  3. HITRUST Risk-based, 2-Year (r2) Validated Assessment + Certification – Formerly known as the HITRUST CSF Validated Assessment which carries the industry vernacular of “HITRUST certification,” the r2 is tailored through the usage of scoping factors. Like the i1, the r2 requires the usage of an external assessor organization to perform an assessment as part of certification.

For the i1 validated assessment, the number of included requirements is fixed at 219, though it may vary as HITRUST adds and removes requirements as part of its commitment to maintaining a comprehensive and industry-relevant assessment.

For the r2 validated assessment, the number of controls included in an organization’s assessment is driven by “scoping factors” as previously discussed. Each organization must scope its object (HITRUST assessment) and should do so in collaboration with its external assessor if HITRUST certification is the goal of the organization. Scoping consists of answering a variety of questions that are used to determine how many controls are in-scope for an assessment. The largest driving factor in scope is the number of sensitive records maintained by an organization, typically defined as the number of breach notification letters which would need to be sent in the event of a catastrophic breach (not discrete pieces of data). As a rough estimate, we see the number of control requirements similar to the following:

  • Under 10 Million Records: Assessment size of ~300 control requirements
  • Between 10 to 60 Million Records: Assessment size of ~375+ control requirements
  • Over 60 Million Records: Assessment size of ~450+ requirements

How Do Organizations Achieve HITRUST Certification?

For both the i1 and r2 validated assessments, to achieve HITRUST certification organizations must achieve a passing score in each of the 19 HITRUST domains. Each control requirement is scored and evaluated against one (i1) or five (r2) “Maturity Level(s)” based on the degree to which the control is implemented.

  • Policy: Are there policies in place that directly address the requirements of the controls?
  • Procedure: Formal documentation for non-automated controls which outlines the who, what, when, where, and how of a process. For example, if you conduct a risk assessment, is there a procedure that defines how the risk assessment is conducted in addition to a policy that simply states one will be performed?
  • Implementation: Are all elements of the requirement statement implemented?
  • Measured and Managed: The last two maturity levels are highly interrelated and are akin to continuous monitoring. There is an extensive evidence and documentation threshold for the measured and managed maturity levels. As a result, they are typically not included by organizations in their HITRUST assessments as they are not needed to achieve certification.

In an r2 validated assessment, each control requirement is evaluated against all five maturity levels to determine the score. The score for each maturity level is based on the degree of implementation, and the weighting of the maturity level. The policy, procedure, and implementation maturity are weighted at 15%, 20%, and 40% respectively — meaning organizations can obtain 75 out of 100 points from these maturity levels, which is more than enough to achieve certification. The measured and managed maturity levels are weighted at 10 and 15% respectively.

Note: For the r2, organizations seeking certification can obtain passing scores only by evaluating their in-scope requirements against the policy, procedure, and implementation maturity levels. There is no requirement to pursue scores for the Measured and Managed areas. As such, organizations new to HITRUST should consider avoiding evaluation of the measured and managed maturity levels.

In an i1 validated assessment, only implementation maturity is scored on a scale of 0-100% as referenced below.

How is Implementation Maturity Scored?

Each requirement can achieve a score of 0 to 100% for each maturity level based on the degree the control is implemented. HITRUST defines the implementation maturity as follows:

Maturity and requirement:

  • Non-Compliant (NC) – 0%: Very few, if any, of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).
  • Somewhat Compliant (SC) – 25%: Some of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).
  • Partially Compliant (PC) – 50%: About half of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).
  • Mostly Compliant (MC) – 75%: Many but not all of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).
  • Fully Compliant (FC) – 100%: Most if not all of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed).

The key takeaway is that scores for each domain are based on a large weighted average for each control requirement and associated maturity level.
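
The scoring arithmetic described above, worked through as an added example (not HITRUST's or MyCSF's own code). The weights and rating percentages are the ones stated in this article; the requirement IDs and ratings are constructed sample data, and two things are assumptions: a domain score is taken as the unweighted mean of its requirement scores, and a maturity level that is not evaluated counts as 0.

```python
from collections import defaultdict

# r2 maturity-level weights as stated in the article (they sum to 100).
R2_WEIGHTS = {"policy": 15, "procedure": 20, "implemented": 40,
              "measured": 10, "managed": 15}
# i1 scores implementation maturity only, per the article.
I1_WEIGHTS = {"implemented": 100}
# Rating scale from the article's maturity table.
RATING_PCT = {"NC": 0, "SC": 25, "PC": 50, "MC": 75, "FC": 100}


def requirement_score(ratings, weights):
    """Weighted score (0-100) for one control requirement.

    ratings maps maturity level -> NC/SC/PC/MC/FC. A level that is absent
    is treated as not evaluated and contributes 0 (assumption), which is
    why skipping measured and managed caps an r2 requirement at 75.
    """
    unknown = set(ratings) - set(R2_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown maturity level(s): {sorted(unknown)}")
    total = 0.0
    for level, weight in weights.items():
        rating = ratings.get(level, "NC")
        if rating not in RATING_PCT:
            raise ValueError(f"unknown rating {rating!r} for {level}")
        total += weight * RATING_PCT[rating] / 100
    return total


def domain_scores(requirements, weights):
    """Per-domain score, assumed to be the mean of its requirement scores."""
    by_domain = defaultdict(list)
    for req in requirements:
        by_domain[req["domain"]].append(
            requirement_score(req["ratings"], weights))
    return {d: sum(s) / len(s) for d, s in sorted(by_domain.items())}


def weakest_domain(scores):
    """Lowest-scoring domain; every domain must pass for certification."""
    return min(scores, key=scores.get)


# Constructed sample: three hypothetical requirements, rated only on
# policy, procedure and implemented, as the article suggests for newcomers.
SAMPLE = [
    {"id": "REQ-A", "domain": "11 Access Control",
     "ratings": {"policy": "FC", "procedure": "FC", "implemented": "FC"}},
    {"id": "REQ-B", "domain": "11 Access Control",
     "ratings": {"policy": "FC", "procedure": "PC", "implemented": "MC"}},
    {"id": "REQ-C", "domain": "07 Vulnerability Management",
     "ratings": {"policy": "MC", "procedure": "NC", "implemented": "PC"}},
]

if __name__ == "__main__":
    for label, weights in (("r2", R2_WEIGHTS), ("i1", I1_WEIGHTS)):
        scores = domain_scores(SAMPLE, weights)
        for domain, score in scores.items():
            print(f"{label}  {domain:<30} {score:6.2f}")
        print(f"{label}  weakest domain: {weakest_domain(scores)}")
```

The same ratings produce different numbers under the two assessment types, so a gap analysis done against one does not translate directly to the other.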

It is also worth noting that the i1 assessment only includes scoring of the “implementation” elements of maturity, and also includes a different minimum score for certification. This does not mean policies and procedures are not important, but the evaluative elements are different in how policies and procedures are evaluated.

For specific details on HITRUST Scoring across assessment types please see How to Score HITRUST CSF Controls.

How Does the HITRUST CSF Compare to Other Security Frameworks?

One of the main differences between HITRUST and other security frameworks is the focus on security governance activities. This is achieved on multiple levels.

The first method requires organizations to have current and approved information security policies and procedures that address the HITRUST requirement specifications. These requirements go beyond simply stating an organization encrypts data, but rather require the organization to specify how data is encrypted at rest in all types of IT mediums and in transit.

The second way this is achieved is through numerous review controls that many consider routine IT operations activities. For example, most information security frameworks, including HITRUST, require organizations to deploy firewalls or similar protections to restrict inbound traffic to their networks.

In addition, HITRUST also requires that a review of firewall rules is performed and documented at least annually.

What Frameworks Are Included in the HITRUST CSF?

When comparing HITRUST to other security frameworks, it is easy to see the similarities and differences. At the end of the day, HITRUST is a certifiable framework, unlike HIPAA, which is a regulation. The HITRUST CSF is foundationally built on ISO 27001. If properly implemented, the baseline security assessment is considered to address all HIPAA Security Rule requirements. In addition, the HITRUST CSF currently integrates 44 major security and privacy-related standards, regulations, and frameworks as authoritative sources.

Is HITRUST an International Standard?

The HITRUST CSF is an international standard and includes several security and privacy frameworks from countries and regions around the world as authoritative sources, including but not limited to the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and General Data Protection Regulation (GDPR).

How Do I Get the HITRUST CSF?

The HITRUST CSF is freely available with certain limitations related to usage of the CSF for non-qualified individuals. The HITRUST CSF can be downloaded from HITRUST.

Conclusion

The HITRUST Common Security Framework is unique and can be challenging to understand. Hopefully, this article has provided clarity on the framework and how it is structured. Linford & Co. is an approved HITRUST Assessor firm, with deep expertise in HITRUST audits and HIPAA assessments.

Lastly, please contact us with any HITRUST-related questions. We are happy to consult about providing a HITRUST assessment or discuss one of the many other audit and certification services we can provide for your organization.

This article was originally published on 1/22/2020 and was updated on 11/2/2022.
