HITRUST Announces Risk Assessment Portfolio Expansion

HITRUST will offer an expanded assessment portfolio to help organizations with risk management and cyber resilience.

By Jill McKeon

HITRUST announced an expanded assessment portfolio to help organizations ensure cyber resilience and assess risk management protocols. The organization also unveiled a new approach to assessments to meet market demands and provide lower-effort assessments for moderate to low-risk scenarios.

HITRUST assessments are often viewed as the gold standard and can confirm an organization’s compliance with key regulations and ensure that IT systems are optimized for security.

“To meet the market needs for varying levels of assurance with higher reliability, HITRUST is adding two new assessment offerings,” the press release stated.

“Like the HITRUST CSF Validated Assessment, these new offerings will aid in understanding control effectiveness as well as cyber preparedness and resilience.”

With two new additions, the HITRUST assessment portfolio will include three assessments that satisfy a variety of compliance requirements while helping organizations quantify risk.

The Basic Current State (bC) Assessment “is a ‘good hygiene’ assessment and offers higher reliability than self-assessments and questionnaires by utilizing the HITRUST Assurance Intelligence Engine™ (AI Engine) to identify errors, omissions, and deceit,” the announcement explained.

The Implemented One-Year (i1) Validated Assessment serves as a best practices assessment and is recommended for organizations that need a baseline risk assessment or for situations of moderate risk. HITRUST Authorized External Assessors are responsible for validating the assessment.

The portfolio also includes the HITRUST CSF Validated Assessment, an industry standard assessment that helps organizations assess risk relating to regulatory compliance, data volumes, and other risks. HITRUST plans to rename the assessment to the Risk-based, Two-Year (r2) Validated Assessment.

“Until now, most low to moderate risk assessment mechanisms were either self-attested or validated against unsuitable or inconsistent control selection and limited and subjective assurance programs; which makes it difficult for relying parties to understand the control requirements and depth, breadth, and consistency of the assurance process, limiting the usefulness and reliability of the results,” the announcement continued.

As cyber threats continue to evolve, organizations will be forced to consistently reevaluate security practices and ensure compliance. Healthcare organizations will increasingly look toward organizations like HITRUST, the National Institute of Standards and Technology (NIST), and the Cybersecurity and Infrastructure Security Agency (CISA) for guidance.

In June, NIST released a draft of its framework profile for ransomware risk management, which aimed to help organizations prevent, respond to, and recover from ransomware attacks. The guidance, though not final, provided organizations across all sectors with key tips and lessons.

NIST recommended that organizations use antivirus software, allow only authorized apps, keep computers patched, and restrict the use of personal devices on work networks.

CISA also recently released guidance on how organizations can protect personally identifiable information (PII) and prevent data breaches. CISA emphasized the importance of protecting customer and employee PII by encrypting sensitive information and implementing firewalls to protect networks from malicious activity.

Increased guidance, assessments, and regulations from government agencies and key stakeholders point to a growing need for uniform industry standards and best practices to help organizations combat today’s most pressing cybersecurity challenges.