The HITRUST CSF is an overarching security and privacy framework that incorporates and harmonizes information protection requirements, including federal, state, and international legislation; regulatory agency rules and guidance; and industry frameworks. The HITRUST Assurance Program utilizes the HITRUST CSF to include a common set of information protection requirements with standardized assessment and reporting processes which are expected to be adopted by Assessed Entities and accepted by their relying parties.

The MyCSF Assessment Platform incorporates the HITRUST CSF in a single tool so organizations can manage information risk and their compliance needs. The MyCSF Assessment Platform provides organizations of all sizes with a purposefully designed and engineered Software as a Service (SaaS) solution for performing assessments and corrective action plan management, including enhanced benchmarking and dashboards.

Organizations that would like to become HITRUST certified are expected to adopt all requirements and evaluative elements in scope for them based on the various factors defined in their assessment. Due to the granularity of the requirements within the HITRUST CSF, it is recommended that organizations perform a readiness assessment to identify their current maturity level prior to pursuing HITRUST certification.

The standard requirements, methodology, and tools, developed and maintained by HITRUST in collaboration with information security and privacy professionals, enable both relying parties and Assessed Entities to implement a consistent approach to third-party compliance management. For the purposes of this document, “relying” and “assessed” will be used as general descriptors, and an “Assessed Entity” is any organization that undergoes a HITRUST assessment. A “relying party” is any party that accepts a HITRUST assessment report, certification letter, and/or assessment results as an attestation of an assessed organization’s information security posture.

The HITRUST Assurance Program provides a practical mechanism for validating an organization’s compliance with the HITRUST CSF. Utilizing the HITRUST Assurance Program, organizations can perform an assessment against the requirements contained within the HITRUST CSF. This single assessment can provide an organization insight into its maturity against the various requirements in the HITRUST CSF and legal and regulatory compliance standards, and can be used in lieu of proprietary requirements and processes to provide assurances to third parties.

This program allows an organization to receive immediate and incremental value from the HITRUST CSF as it follows a logical path to certification. This Assessment Handbook is intended to describe the workflow and HITRUST expectations as an Assessed Entity and its External Assessor follow that certification path.