HITRUST® Version 11 Introduces Streamlined e1 Assessment for Lower-Risk Organizations

On December 20, 2022, HITRUST announced that it will release HITRUST CSF version 11 (v11) in January 2023 to “improve mitigations against evolving cyber threats, broaden the coverage of authoritative sources, and streamline the journey to higher levels of assurance.” In addition to addressing emerging threats, this major update to HITRUST CSF reduces redundancies and streamlines processes allowing organizations to achieve the same level of assurance with less effort. The HITRUST v11 changes can reduce certification efforts by up to 45%. 

Three assessment types will be available with HITRUST CSF v11 to accommodate organizations with varying levels of risk and ensure that the level of effort required for assessment and certification matches the level of assurance needed, all of which come with the credibility of HITRUST certification. Here’s a summary of the three assessment types:

HITRUST CSF v11 Assessment Types

HITRUST Assessment	# of HITRUST CSF Requirements	Subject Matter / Focus	Control Maturity Levels	Level of Assurance	Level of Effort
HITRUST Essentials, 1-year (e1) Validated Assessment	44	Foundational Cybersecurity Hygienefor lower-risk organizations validating the most critical cybersecurity controls. Provides a starting point for all organizations including those in the early stages of implementing their program.	Implemented only(But: Some requirements areP&P focused)	Low	Low
HITRUST Implemented, 1-year (i1) Validated Assessment	Approximately 180	Leading Security Practices for organizations with robust information security programs ready to demonstrate controls that protect against current and emerging threats.​	Implemented only(But: Some requirements areP&P focused)	Medium	Medium
HITRUST Risk-Based, 2-Year (r2) Validated Assessment	Varied based on risk and compliance factors (average 400+)	Expanded Capabilities for organizations to demonstrate regulatory compliance against authoritative sources such as HIPAA and the NIST Cybersecurity Framework or expanded tailoring of controls based on identified risk factors.	Must: Policy, Procedure, ImplementedOptional: Measured & Managed	High	High

In this blog post, we’ll focus on the new HITRUST Essentials, 1-year (e1) Validated Assessment, which is being introduced with HITRUST CSF v11. This new assessment type replaces the Basic Current State (bC) assessment that was available under HITRUST CSF v9.

What is HITRUST CSF?

The HITRUST organization provides a framework that safeguards sensitive information and can help manage information risk for organizations across all industries. Its programs have been widely adopted in the healthcare industry. 

HITRUST CSF addresses the multitude of security, privacy, and regulatory challenges facing healthcare organizations today. With a comprehensive framework of security requirements, HITRUST incorporates a risk-based approach to federal and state regulations and common standards and frameworks to help organizations address these challenges. 

Why Did HITRUST Introduce the e1 Assessment?

The HITRUST organization perceived a market need for a streamlined and efficient “cybersecurity hygiene” assessment and certification focusing on basic cybersecurity hygiene and the most critical cybersecurity threats. The new e1 assessment was designed to meet this need. 

Unlike the bC assessment it is replacing, which is a questionnaire-based self-assessment only, the e1 assessment allows organizations to become certified for compliance. Achieving e1 certification is an excellent way for organizations to let their customers know that they take security seriously. 

This new, lower-effort assessment helps organizations manage the risk of vendors that:

• Are too risky to warrant an information security questionnaire alone. 
• Are not risky enough to warrant a HITRUST i1 or r2 assessment. 
• Need a demonstrable milestone towards achievement of a more robust HITRUST Assessment (i.e., i1 or r2) at a future date. 

The e1 assessment can also benefit organizations by: 

• Serving as a stepping stone to more extensive HITRUST assessments (i.e., i1 or r2) for organizations that are not capable of immediately obtaining a higher-level assurance assessment. 
• Being the organization’s targeted “end goal” when the effort to achieve a more robust assessment is not warranted based on the its size/risk profile.

In short, the e1 assessment strikes a good balance between level of effort and level of assurance for lower-risk organizations.

Effort vs. Assurance

Aligned Assessment Portfolio

With v11, HITRUST expanded and aligned its assessment portfolio so that all three assessment options offer both a readiness and validated assessment option.

HITRUST CSF Version 11 Assessment Portfolio

The table below outlines the differences between HITRUST readiness and validated assessments:

Readiness vs. Validated Assessments

e1 Assessment Characteristics

The following are key characteristics of the new e1 assessment:

• Enables organizations to reliably demonstrate that they’ve achieved a “minimum bar” of basic cybersecurity hygiene.
• Delivers a lower level of assurance than HITRUST i1 and r2 assessments, and requires far less effort to prepare for and assess.
• Provides an appropriate, suitable assessment for organizations with a lower risk profile.
• Allows traversal up and down the HITRUST assessment portfolio.
• Includes configurable organizational and system-specific controls.
• Provides the quality and reliability for which HITRUST validated assessments and deliverables are known.
• Offers a validated e1 assessment that can result in a one-year certification and requires an external assessor.

What Does HITRUST Mean by “Cybersecurity Hygiene?”

Cybersecurity hygiene is a set of basic practices that can be taken by all organizations to protect data and systems. It encompasses the minimum set of things organizations can do to reduce the chances of an adverse cybersecurity event like a malware outbreak or a data breach. 

Just as traditional hygiene measures are needed to limit the spread of viruses and disease, cybersecurity hygiene is needed to limit the spread of computer viruses and cybersecurity attacks. 

The HITRUST e1 assessment cyber hygiene requirements are:

• Easily understood and easily described.
• A starting point for a more robust cybersecurity program.
• Relevant to today’s cyber threats (e.g., the requirements cover ransomware and phishing but not dial-up modem controls).
• Specific and actionable.
• Industry agnostic (i.e., the requirements do not use any terminology that is specific to the federal government or any specific legislation).
• Not overly technical or complex.

Additional Resources

Below are additional resources that provide a deeper dive into the topics covered in this blog post:

• HITRUST CSF v11 Announcement
• Tevora Selected for the 2022 HITRUST Assessor Council

Contact Us

If you have questions about HITRUST CSF v11, or would like help bringing your organization into compliance, our team of experienced HITRUST and healthcare security experts can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com.