HITRUST CSF certification

HITRUST common security framework (CSF) has become a widely adopted security and privacy framework. It creates a defined and holistic set of requirements to assess business applications and systems related to the secure storage and transmission of electronic data. Adoption of a HITRUST framework has rapidly become a standard requirement across the healthcare industry, as many insurance payers, hospitals and health systems require vendors to achieve certification as part of their third-party risk management efforts.

HITRUST compliance certification incorporates multiple security and privacy standards as well as regulatory requirements, under one holistic program. The various intersections between these information technology frameworks and health care regulations make implementing the program complex, especially for organizations without adequate dedicated resources for the effort.

The benefits of certification

Increases your ability to secure high-value contractual relationships with major health care providers, insurance payors and more
Establishes credibility and trust in the effectiveness of your privacy and security controls
Provides assurances of risk management and compliance to dozens of regulatory bodies

Helps to address evolving cyberthreats with access to continuously updated methodologies and solutions
Creates more efficient processes in responding to request-for-proposal questionnaires and eliminates the need for multiple assessments and single-use reports
Reduces your risk exposures and can lead to more favorable cyber insurance premiums

Connect with our HITRUST team

Certification types: e1, i1 or r2

There are three different HITRUST CSF certification options: e1, i1 and r2. Knowing which assessment is right for your organization requires an understanding of your budget, resources and risk.

The pathway to HITRUST CSF: e1, i1, or r2 certification

Cyber essentials 1-year (e1)

Certification addresses essential cybersecurity hygiene utilizing 44 static control requirements. This one-year certification takes about half the effort to implement as the i1 certification and provides basic-level assurances.

Implemented 1-year (i1)

Provides your organization with cybersecurity leading practices utilizing 182 static control requirements. This one-year certification requires moderate effort to implement and provides moderate cybersecurity assurances.

Risk-based 2-year (r2)

Provides your organization with an expanded approach to risk management and compliance evaluation. This complex, two-year certification is tailored to your organization and utilizes a library of 2000+ control requirements. On average, an r2 certification uses 450 tailored control requirements and takes a significantly higher level of effort to implement.

Connect with our HITRUST team

Guiding you through the HITRUST CSF journey

While HITRUST CSF is a standardized framework to address certification, it’s meant to be used as a guide. Additional considerations must be weighed for each organization.

To help organizations with certification, RSM works to create a customized road map that is designed to address the organization’s structure, goals, culture and systems. That road map not only helps you achieve HITRUST CSF certification but also helps you continually upgrade and enhance your program to meet the ever-changing risk and regulatory landscape.

The pathway to certification

: HITRUST CSF strategic planning and advising provides your organization access to our professionals who provide advice on your implementation plan and guide your organization with a reasonable path for adoption. This relationship includes assistance with strategic planning and education, executive presentations, budgeting, project management, road map development, internal readiness assessment advising, and access to outsource your organization’s in-house HITRUST CSF assessment process in accordance with the HITRUST Alliance’s internal assessor program.

: A HITRUST CSF Rapid Assessment^® is designed to allow your organization, regardless of size, to quickly identify and remediate gaps. This assessment includes, at a high level, interviewing key stakeholders and reviewing select processes and artifacts. RSM’s Rapid Assessment assists in identifying fundamental gaps and provides you with realistic action plans and a high-level view of your organization’s alignment with the HITRUST CSF, which will allow your organization to prioritize remediation efforts.

: A HITRUST CSF readiness assessment is the most efficient and effective way to prepare your organization for a validated assessment. By identifying gaps through a design-level assessment of policy, procedures and select artifacts that demonstrate the implementation of a requirement statement, you can focus your remediation efforts in the right areas. In addition, a readiness assessment will provide you with practical, detailed recommendations that will help your organization prioritize remediation efforts in order to conduct a successful HITRUST CSF-validated assessment.

: Remediation support allows your organization to experience full access to the resources that RSM has to offer. As a cybersecurity consulting firm, RSM can assist with general remediation assistance, policy development, procedure development, cyber resiliency plan development, IT infrastructure consulting, risk consulting and management consulting.

: A HITRUST CSF-validated assessment is the final phase required prior to submitting for certification consideration to the HITRUST Alliance. As an authorized external assessor firm, RSM will conduct the HITRUST CSF-validated assessment in accordance with the HITRUST Alliance’s assurance program requirements. If eligible, RSM will manage the HITRUST Alliances quality assurance process to help your organization achieve HITRUST CSF certification.

If your organization qualifies, RSM can also leverage your HITRUST r2 validated assessment to provide additional certifications, including NIST CSF and (SOC) 2.

: A HITRUST CSF risk-based, two-year (r2) interim assessment is required before the end of your first year of HITRUST CSF r2 certification. This must be performed by a HITRUST authorized external assessor firm. If your organization is eligible, RSM will conduct the HITRUST CSF r2 interim assessment in accordance with the HITRUST Alliance’s assurance program requirements.

: A HITRUST CSF implemented, 1-year (i1) rapid recertification assessment, if your organization is eligible, is an alternative way to quickly recertify your organization against a sample of selected requirement statements that were scored in the original certified HITRUST CSF i1 validated assessment object. It must be performed by a HITRUST authorized external assessor firm.

Connect with our HITRUST team

Integral partner to your HITRUST CSF journey

When you need outside assistance, it is important to choose the right advisor.

RSM understands the issues you face and will work with you to tailor a HITRUST CSF implementation plan that fits your organization's structure and culture. Our process has helped clients of all sizes create confidence in their security and privacy program.

See what others are saying:

I would picture [RSM] as not a vendor, but as a partner that has really helped us not only improve our security but also benefit our business.

Chief Information Security Officer, Cecelia Health

RSM brings the right people with the right skills to the table every time. The RSM people I’ve interacted with all act with integrity and are responsive to feedback.

System Vice President and Chief Information Security Officer, SSM Health

RSM’s breadth, depth, knowledge and commitment to their customers has led to a longstanding partnership that has enabled us to successfully mature and grow our risk management program.

Vice President, Chief Information Security Officer, a Top US Health System

SWIPE TO VIEW

Connect with our HITRUST team

Contact our HITRUST professionals

Complete this form and an RSM representative will be in touch shortly.

Subscribe to Risk Bulletin

Our cybersecurity, risk and fraud professionals provide regular insights and regulatory compliance updates to help your organization manage risk.

THE POWER OF BEING UNDERSTOOD

ASSURANCE | TAX | CONSULTING

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.

Technology alliance platforms

Featured topics

Real Economy publications

Platform user insights and resources

About us

Experience RSM

Spotlight on culture

Work with us

Spotlight on culture

HITRUST CSF certification

The benefits of certification

Certification types: e1, i1 or r2

Cyber essentials 1-year (e1)

Implemented 1-year (i1)

Risk-based 2-year (r2)

Guiding you through the HITRUST CSF journey

The pathway to certification

Integral partner to your HITRUST CSF journey

See what others are saying:

Contact our HITRUST professionals

Complete this form and an RSM representative will be in touch shortly.

Subscribe to Risk Bulletin

Our cybersecurity, risk and fraud professionals provide regular insights and regulatory compliance updates to help your organization manage risk.

THE POWER OF BEING UNDERSTOOD