
HITRUST v11 Updates: Understanding the Key Differences between r2, i1, and e1 Programs

HITRUST is a certifiable framework that helps organizations and their service providers streamline security and compliance efforts. It draws from US healthcare laws like the HIPAA and the HITECH Act, standardizing requirements from various security frameworks and legal and regulatory requirements to facilitate the delivery of multiple compliance reports based on a single assessment.

HITRUST provides an industry-wide approach for managing third-party risks across various industries. With the release of CSF version 11, HITRUST aims to improve the mitigation techniques against rapidly evolving cyber threats. In addition, it increases the range of authoritative sources and eases the road to higher levels of assurance.

Particulars of the HITRUST v11 Update

With its v11 update, HITRUST reiterates its commitment to continuous improvement. In addition to reducing complexities, the updated version helps healthcare organizations better manage risk, keeping up with the modern cyber threat landscape.

Here are the objectives and benefits of the v11 update:

  • Protects against the latest and emerging threats: With the v11 update, the entire HITRUST assessment portfolio can leverage cyber threat-adaptive controls appropriate for each level of assurance.
  • Reduces the effort required for HITRUST certification: Using the improved control mappings and more precise specifications contained in the v11 update, organizations can achieve HITRUST certification with greater ease.
  • Enables a traversable assessment journey: The CSF v11 update introduces a building-block approach through an expanded, aligned portfolio. Because all HITRUST assessments are subsets or supersets of each other, organizations can reuse work on shared control requirements, and inherit results from lower-level HITRUST reviews, to achieve higher levels of assurance.
  • Expands authoritative sources: The HITRUST v11 update introduces two new authoritative sources: NIST SP 800-53, Rev. 5, and the Health Industry Cybersecurity Practices (HICP) standards.
  • AI-based Standards Development Toolkit: Improvements to the AI-based standards development platform help assess threat-adaptive mitigations, incorporate authoritative sources, and control redundancies so organizations can achieve the desired level of assurance.

According to a report, HITRUST CSF version 11 has the potential to reduce certification effort by up to 45%. Most importantly, the v11 updates are necessary to keep the HITRUST framework relevant and aligned with the emerging threat landscape.

Understanding r2 vs. i1 vs. e1: The Key Differences

With its version 11 update, HITRUST continues to make its assessments more accessible to organizations. For example, the HITRUST Essentials 1-year (e1) assessment and the HITRUST Implemented 1-year (i1) assessment make it easier for organizations with a minimal risk profile to achieve certification. In addition, the update further aligns overlapping controls, making it easier to work toward the risk-based two-year assessment, or r2.

The e1 is a low-effort cybersecurity assessment with 44 standardized controls and no scoping requirement. It focuses on basic cybersecurity hygiene and requires a HITRUST assessor firm to evaluate control maturity. The i1 is a mid-range assessment with 219 controls that requires an external assessor to validate the control implementation. In addition, it undergoes HITRUST's quality assurance review, which results in approval or denial of certification. It is a good stepping stone toward r2.

The r2 HITRUST assessment builds upon 40 security frameworks, including NIST, ISO, and PCI DSS. This certification demonstrates the highest level of commitment to data security and requires the most time, effort, and money of the three assessments. In addition, with more than 2,000 r2 controls and a scope tailored to the organization's operations, the r2 certification requires large amounts of policy and process documentation.

r2 scoring depends on five maturity levels: policy, process, implementation, measures, and management. The assessment is required every two years, with an interim review in the intervening year to remediate any gaps identified in the previous year's evaluation.

Conclusion

The HITRUST CSF version 11 update is an essential change that will help healthcare organizations strengthen their cybersecurity posture and safeguard confidential data from security breaches. In addition, it addresses the growing need for a more streamlined assessment process to combat new and emerging cyber threats. From expanding authoritative sources and introducing a traversable assessment journey to improving the AI-based standards development toolkit, the HITRUST CSF v11 update makes certification more achievable for organizations. Therefore, organizations should prepare ahead or engage a reputable cybersecurity firm to help them on their journey toward HITRUST certification.
