HITRUST I1 Assessment Control Selection Leverages Security Best Practices And Threat Intelligence

HITRUST announced it is addressing the need for a continuously-relevant cybersecurity assessment that aligns and incorporates best practices and leverages the latest threat intelligence to maintain applicability with information security risks and emerging cyber threats, such as ransomware.

The design and selection of the controls for the HITRUST Implemented 1-year (i1) Assessment puts it in a new class of information security assessment that is threat-adaptive and designed to maintain relevance over time as threats evolve and new risks emerge while retiring controls no longer deemed material.

HITRUST i1 Assessment

HITRUST identifies information security controls relevant to mitigating known risks

Most existing assessment approaches are not designed to keep pace with current and emerging threats; those that do, rely heavily on broad control requirements raise questions about the suitability of control and consistency of review that ultimately impact the reliability of results.

In contrast, HITRUST identifies information security controls relevant to mitigating known risks and leverages cyber threat intelligence data to influence the selection and where necessary, updating of technically-focused HITRUST CSF requirements included in the HITRUST i1 Assessment. As a result, the HITRUST i1 Assessment includes controls selected to address emerging cyber threats actively.

Reliable assessment with compliance

“The HITRUST i1 Assessment is unique in both selection of controls and the design of its assurance program. Effort towards completion is comparable to other moderate assurance vehicles while delivering a higher level of reliability,” said Jeremy Huval, HITRUST Chief Innovation Officer.

The HITRUST i1 Assessment is the first information security assessment of its kind with attributes not available through other assurance programs:

• Designed to maintain relevant control requirements to mitigate existing and emerging threats and provide updates as new threats are identified (It is threat-adaptive, prescriptive, and focused on controls pertinent to risk).
• Designed to sunset controls that have lost relevance and have limited assurance value based on the effort required to comply or assess.
• Its unique control selection and assurance program design delivers a higher level of reliability than other moderate assurance options.
• The level of time and effort to complete is comparable to other moderate assurance options in the market.
• Offers a forward-looking, 1-year certification.

As the HITRUST i1 was designed around relevant information security risks and emerging cyber threats, it is not surprising it provides coverage for numerous standards, such as NIST 800-171, GLBA Safeguards Rule, HIPAA Security Rule, and Health Industry Cybersecurity Practices (HICP).

Review and evaluation 

HITRUST will evaluate security controls and review threat intelligence data no less than quarterly

HITRUST will evaluate security controls and review threat intelligence data no less than quarterly, and for each subsequent major and minor release of the HITRUST CSF, to ensure the HITRUST i1 Assessment requirement selection remains relevant.

Guidance documents will also drive enhancements to the HITRUST CSF and HITRUST i1 Assessment control sets as needed.

Webinar

While the HITRUST i1 Assessment is intended to adapt and evolve to maintain relevance, it’s important to note that HITRUST i1 Assessment certified organizations will not be impacted by changes to the HITRUST i1 Assessment control requirements until their next HITRUST assessment cycle.

HITRUST is hosting a webinar at 11 a.m. CT on Thursday, February 3, 2022, discussing the HITRUST Implemented 1-year (i1) Assessment in more detail.