HITRUST Assessment Services
HITRUST CSF from preparation to certification
Demonstrate cybersecurity and healthcare regulatory compliance
Work with an original HITRUST external assessor to attain certification
Coalfire® is a preferred HITRUST assessor for the top five cloud service providers (CSPs), guiding clients from HITRUST preparation to certification. With expertise in all active versions and assessment types of the HITRUST Common Security Framework (CSF), Coalfire has completed hundreds of engagements and boasts a 95% client retention rate—making it a trusted choice for organizations seeking reliable HITRUST assessments.
HITRUST assessment and certification services
e1 HITRUST Essentials, 1-Year Assessment
The e1 assessment covers 44 requirement statements that encapsulate a curated set of cybersecurity controls deemed foundational or representing "essential cybersecurity hygiene." This assessment is particularly suited for lower-risk organizations seeking validation of critical cybersecurity controls. It offers a cost-effective and targeted approach, focusing on foundational cybersecurity hygiene, making it an ideal entry point for small to medium-sized organizations with basic compliance needs.
i1 HITRUST Implemented, 1-Year Assessment
The i1 assessment expands upon the e1 framework and encompasses 182 requirement statements, incorporating the initial 44 from the e1 assessment supplemented by an additional 138 statements. These additional requirements address cybersecurity best practices and a broader spectrum of active cyber threats. The i1 assessment benefits organizations with established information security programs ready to demonstrate the implementation of controls against current and emerging threats. It offers a moderate level of assurance and balances thoroughness with efficiency, making it suitable for organizations that are seeking to enhance their security posture without the extensive commitment required for the r2 assessment.
To maintain the i1 assessment, in year 2, Coalfire conducts rapid recertification of 60 requirements.
r2 HITRUST Risk-Based, 2-Year Assessment
The r2 assessment is the most comprehensive, built on the 182 i1 requirement statements with additional criteria included through a tailored process, usually resulting in a minimum of 275 requirements. This assessment is ideal for environments with higher risk exposure, such as large data volumes or stringent regulatory compliance needs. The r2 assessment provides a high level of assurance with a focus on comprehensive risk-based control specifications, expanded risk management, and compliance evaluation. It is best suited for large organizations or those in highly regulated industries that need to demonstrate the highest level of compliance and security assurance.
To maintain HITRUST r2 certification status, an r2 interim assessment must be completed by the first anniversary of the initial certification date.
Assess Readiness
Coalfire Gap Analysis: Coalfire’s HITRUST gap analysis evaluates an organization's current policies, procedures, and control implementation against in-scope HITRUST requirements, focusing on:
Comprehensive Analysis: Documentation review, interviews, inventory gathering, evidence, and sampling requests.
Maturity Level Identification: Identifies gaps in policy, procedure, and implementation maturity levels where scores fall below 100%.
Assessment Outputs: Provides a gap analysis workbook detailing in-scope requirements and the gaps identified, and a HITRUST executive gap analysis report with summary information such as which domains are at high risk of not achieving the scores required for certification if remediation does not occur.
A gap analysis that includes an assessment of policy and procedure documentation reveals shortcomings in the documentation required for certification, in addition to implementation gaps.
Remediate Gaps
Organizations’ needs for remediation and support differ significantly, and Coalfire’s role is to guide and assist your team through all phases of the HITRUST process. For a successful HITRUST validated assessment leading to certification, we advise enlisting our HITRUST subject matter experts to review and assist in determining remediation plans for any gaps from the initial analysis, helping to ensure robust control implementation. This foundation is crucial for aligning your organization's policies, procedures, and controls with HITRUST standards and achieving certification readiness.
HITRUST AI Risk Management Assessment
The HITRUST AI Risk Management Assessment ensures that governance associated with implementing AI solutions is in place and can be effectively communicated by companies to management teams, boards of directors, and others. The HITRUST AI Risk Management Assessment is fully supported by a complete assessment approach, SaaS platform, and ecosystem that AI-adopting companies can use to demonstrate that AI risk management outcomes are met. The offering provides an essential toolkit for benchmarking and reporting on the AI risk management efforts for any organization using or deploying AI-based technologies such as ML and LLMs.
HITRUST and coordinated assessments
Leveraging our expertise across many frameworks and Compliance Essentials, we can examine and report on controls with HITRUST and other frameworks to reduce audit fatigue and provide a combined report.
In addition, Coalfire partners with HITRUST and StateRAMP for pilot testing.
Experienced external assessor with technology expertise to help achieve seamless compliance
People + Tech
Coalfire has been an external assessor firm for over 13 years and is the preferred HITRUST assessor for the top 5 cloud service providers. We deliver hundreds of engagements annually.
13 Years of experience as an external assessor firm
95% Client retention rate from our engagements
People
Our HITRUST certified experts serve on the HITRUST External Assessors Council. They maintain a strong relationship with HITRUST Alliance and regularly participate in the annual HITRUST conference.
Platform
We can help you coordinate assessments across more than 75 compliance frameworks using our Compliance Essentials compliance automation platform.
Outcome
Simplify and accelerate healthcare compliance by working with an experienced team and utilizing technology expertise.
Frequently asked questions
What is the HITRUST Common Security Framework (CSF) assurance program?
The HITRUST Common Security Framework (CSF) assurance program offers organizations a scalable, flexible, and evolving framework to assess an organization’s security posture. HITRUST seeks to harmonize and simplify the requirements of several complex regulations and standards. To do this, HITRUST aggregates high-risk requirements from a variety of frameworks and presents them as a prescriptive set of controls that are specifically tailored to an organization.
What makes HITRUST Common Security Framework (CSF) certification different from other assessments?
On the surface, the HITRUST CSF assurance program and the HITRUST CSF may appear to be another ‘check-the-box’-style controls assessment. But in fact, the framework is more comprehensive than other assessment frameworks. The HITRUST CSF is ultimately designed to mature an organization’s security posture through a tiered approach of documentation, implementation, and continuous monitoring and management of security controls. A HITRUST CSF assessment results in third-party certification through the HITRUST Alliance.
Who performs validated assessments?
Validated assessments must be performed by an approved HITRUST CSF assessor organization. Per HITRUST, “CSF assessors are organizations that have been approved by HITRUST for performing assessment and services associated with the CSF Assurance Program and the HITRUST CSF, a comprehensive security framework that incorporates the existing security requirements of organizations. CSF assessors are critical to HITRUST’s efforts to provide trained resources to organizations of varying size and complexity to assess compliance with security control requirements and document corrective action plans that align with the HITRUST CSF.”
What is the difference between a validated report and a certified report?
Validated assessments that meet or exceed the HITRUST CSF scoring criteria will result in CSF certification, subject to HITRUST’s approval. A validated report is issued for organizations that fail to meet the scoring criteria. Because all validated assessments must be performed by accredited CSF assessor organizations, organizations that receive a validated report, and not a certified report, should work with their assessor to determine the appropriate action plan to set up the organization for a future certified report.