HITRUST announced it is addressing the need for a continuously-relevant cybersecurity assessment that aligns and incorporates best practices and leverages the latest threat intelligence to maintain applicability with information security risks and emerging cyber threats, such as ransomware.
The design and selection of the controls for the HITRUST Implemented 1-year (i1) Assessment puts it in a new class of information security assessment that is threat-adaptive – designed to maintain relevance over time as threats evolve and new risks emerge, while retiring controls no longer deemed material.
Most existing assessment approaches are not designed to keep pace with current and emerging threats; those that do, rely heavily on broad control requirements that raise questions about suitability of control and consistency of review that ultimately impact reliability of results.
In contrast, HITRUST identifies information security controls relevant to mitigating known risks and leverages cyber threat intelligence data to influence the selection – and where necessary, updating – of technically-focused HITRUST CSF requirements included in the HITRUST i1 Assessment. As a result, the HITRUST i1 Assessment includes controls selected to address emerging cyber threats active today.
“The HITRUST i1 Assessment is unique in both selection of controls and the design of its assurance program. Effort towards completion is comparable to other moderate assurance vehicles while delivering a higher level of reliability,” said Jeremy Huval, HITRUST Chief Innovation Officer.
The HITRUST i1 Assessment is the first information security assessment of its kind with attributes not available through other assurance programs:
- Designed to maintain relevant control requirements to mitigate existing and emerging threats and provide updates as new threats are identified (It is threat-adaptive, prescriptive, and focused on controls relevant to risk)
- Designed to sunset controls that have lost relevance and have limited assurance value based on effort required to comply or assess
- Its unique controls selection and assurance program design deliver a higher level of reliability than other moderate assurance options
- The level of time and effort to complete is comparable to other moderate assurance options in the market
- Offers a forward-looking, 1-year certification
As the HITRUST i1 was designed around relevant information security risks and emerging cyber threats, it is not surprising it provides coverage for numerous standards, such as NIST 800-171, GLBA Safeguards Rule, HIPAA Security Rule, and Health Industry Cybersecurity Practices (HICP).
HITRUST will evaluate security controls and review threat intelligence data no less than quarterly, and for each subsequent major and minor release of the HITRUST CSF, to ensure the HITRUST i1 Assessment requirement selection remains relevant over time. Guidance documents will also drive enhancements to the HITRUST CSF and HITRUST i1 Assessment control sets as needed.
While the HITRUST i1 Assessment is intended to adapt and evolve to maintain relevance, it’s important to note that HITRUST i1 Assessment certified organizations will not be impacted by changes to the HITRUST i1 Assessment control requirements until their next HITRUST assessment cycle.