Types of HITRUST Assessments (Part 2 of 6)

Travis Good
November 9, 2021

After you've determined that HITRUST is a framework to which you want to comply, the next step is to decide on the type of HITRUST assessment for your company. HITRUST offers 3 different types of assessments, which are analogous to levels of certification offered by other frameworks such as the PCI self assessment questionnaires (SAQ) and reports on compliance (ROC).

Each type of HITRUST assessment builds on the previous one, with additional assurance with each higher level.

The three types of HITRUST assessments are below.

1. Self Assessment

A HITRUST self assessment is just what it sounds like, an assessment completed by the company. The self assessment is simply the company populating the CSF and attesting, without external validation, to meeting the HITRUST controls. Despite not being validated, this type of assessment does offer companies a standard security report they can share with customers and partners.

It's important to remember that most bespoke security assessments performed by companies against their vendors are simply self assessments, albeit self assessments using custom spreadsheets and questionnaires. A security assessment typically involves a questionnaire, often in the format of a spreadsheet, with questions that a vendor must answer. Oftentimes, the questions on these assessments cover the exact same content as the CSF but in different order and with different words. The onus is on the assessing company to investigate and attempt to validate what their vendors claim in security assessment spreadsheets. This is not an easy task.

A HITRUST Self Assessment Report offers a standardized security assessment. If assessing companies are familiar with the HITRUST CSF, this means the entire security review process can theoretically be accelerated.

This is the cheapest option as the only cost is that of the CSF license. And of course the time it takes to populate the CSF.

2. Validated Assessment

Moving up a level in terms of assurance, a HITRUST validated assessment requires a HITRUST-approved external assessor. An assessor would clarify and validate the CSF entries from the company. This type of assessment historically has required an on site visit by an assessor though this may change with the requirements to work from home.

In addition to validating the entries in the CSF, the assessor would then rate the maturity of each control using the HITRUST maturity model (more on that in the next lesson). A report is then is generated and, if the report meets or exceeds a HITRUST defined threshold, a HITRUST Validated report is issued.

While this type of assessment offers a level of validation and assurance beyond a self assessment, in my view it is hard to justify the effort and money for a validated assessment without doing a full HITRUST Certification (see below).

The cost of this assessment includes the cost of the CSF license and the cost of the external assessor. There are also additional resources needed to work with and respond to assessor questions and comments.

3. HITRUST Certification.

Using the scoring from the validated assessment from above, a HITRUST Certification can be granted if certain required controls and scoring thresholds are met (more on scoring in the next lesson) and after HITRUST has validated the work of the assessor. HITRUST, the organization, will do additional validation on the work of the assessor.

A HITRUST Certification offers a lot of value over a self assessment and validated assessment. And the cost and level of effort is low relative to going from a self assessment to a validated assessment. In my experience, the external assessor does most of the work of interfacing with HITRUST.

The cost of this assessment includes the cost of the CSF license, the cost of the external assessor, and the cost of the HITRUST Certification itself.

----

The type of HITRUST assessment determines the level of assurance and the level of acceptance and value in the market. More cost → more assurance → more value.