So Many HITRUST Offerings: Which Option Is Right For You?

Understanding the nuances of the new HITRUST assessment portfolio can be difficult, especially when trying to determine which assessment is right for you. In this blog we will outline the types of HITRUST assessments, their differences, key characteristics, and possible use cases for each. Starting with the highest level of assurance:

r2 Validated Assessment

The 2-year risk-based (r2) validated assessment – This is the industry-standard HITRUST assessment that we have come to know and love, just rebranded to emphasize key differences. As you may have gathered from the name, the r2 assessment has a 2-year assessment cycle, with options for an interim assessment at the one-year mark, and it requires re-certification at the end of the 2-year cycle to maintain certification. The r2 is also a customized-scope assessment, tailored to the organization seeking certification based on its critical systems and inherent risks. The validated part means that an authorized external assessor must review your assessment and submit it on your behalf. We mentioned before that this assessment is the industry standard. For the highest level of assurance that you have secured your implemented systems with HITRUST cybersecurity and risk management controls and processes, this is what you are looking for. It’s a lot of work, but depending on the size and complexity of your organization and its inherent risks, it is worth it for many, especially when looking at data-sharing business relationships.

i1 Validated Assessment

The 1-year implemented (i1) validated assessment – One of the new additions to the HITRUST assessment portfolio, the i1 validated assessment features a preconfigured adaptive set of 219 (subject to change over time) controls that the prospective organization must adopt in order to obtain certification. These controls are adaptive to meet the needs of the current cybersecurity landscape, including current cybersecurity threats and best practices to protect your organization. The i1 lacks the organization-specific controls and customizability of the r2 but makes up for it with its simplicity and its effectiveness in demonstrating that your organization is up to par with top-tier cybersecurity measures. The 1-year certification cycle is more of a boon than anything, as it allows you to modify your HITRUST program on an annual basis to reflect the most current best practices. This assessment type also requires validation from an authorized third-party assessor and provides a great level of assurance for executives and business partners.

bC Assessment

The basic, current-state (bC) Assessment – The bC is described as a “good hygiene” self-assessment performed by the organization and not by an external assessor. Although a good measuring stick of how your organization is doing with its cybersecurity, the bC assessment lacks the third-party validation that the other assessments offer and provides far and away the lowest level of assurance. Note that there is no formal certification offered for bC from HITRUST. This isn’t to say that the bC isn’t appropriate for some situations. We recommend the bC for organizations that have a very young cybersecurity program and lack the maturity typical of an organization seeking HITRUST certification.

This information is by no means definitive, and your organization’s specific needs may call for speaking with a HITRUST professional. Our team is available to consult with you on which offering might be best for your organization. Contact us today!