From Wikipedia, the free encyclopedia

HITRUST is a privately held company located in Frisco, Texas, United States that, in collaboration with healthcare, technology and information security organizations, established the HITRUST CSF. The company claims the CSF is a comprehensive, prescriptive, and certifiable framework that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data.

HITRUST originally served as an acronym for "Health Information Trust Alliance", but the company has since rebranded as simply HITRUST. HITRUST includes a for-profit division (HITRUST Services Corp) and a not-for-profit division (HITRUST Alliance).


The HITRUST CSF (created to stand for "Common Security Framework", since rebranded as simply the HITRUST CSF) is a prescriptive set of controls that meet the requirements of multiple regulations and standards.[1][2] The framework provides a way to comply with standards such as ISO/IEC 27000-series and HIPAA.[3][4] Since the HITRUST CSF incorporates various security, privacy, and other regulatory requirements from existing frameworks and standards, some organizations utilize this framework to demonstrate their security and compliance in a consistent and streamlined manner.[5] Organizations can complete a self-assessment using the HITRUST framework, or they can engage with a HITRUST assessor for an external, third-party engagement.

HITRUST CSF has garnered criticism for being "cumbersome, expensive, arbitrary, unnecessarily complex", and using "outdated data".[6][4]

The current version of the CSF is v11, released in January 2023.

HITRUST Validated Assessment Certifications

Depending on your security needs and organizational maturity, the HITRUST CSF provides three assessment certifications.[7] CSF v11 introduced a third validated assessment certification, the HITRUST Essentials, 1-Year (e1) Assessment Essentials.

  • HITRUST Essentials, 1-Year (e1) Assessment Essentials: The e1 Validated Assessment is specifically designed for organizations that are in the early stages of implementing security controls. It primarily focuses on the crucial cybersecurity controls and serves as a starting point for such organizations. The main objective of this assessment is to verify the presence of fundamental cybersecurity hygiene practices.
    • Number of HITRUST CSF Requirements: 44 (Year 1), 44 (Year 2)
  • HITRUST Implemented, 1-year (i1) Assessment Leading Practices: The i1 Validated Assessment is designed to verify an organization's implementation of Leading Security Practices using specific controls. It offers reliable assurances against cyber threats and assists in establishing a robust and comprehensive information security program. At this tier, both a Readiness Assessment and a Rapid Recertification Assessment are available. While providing a moderate level of security assurance compared to the previous tier, this assessment is less detailed than the next level, the r2.
    • Number of HITRUST CSF Requirements: 182 (Year 1), approximately 60 (Year 2 with Rapid Recertification)
  • HITRUST Risk-based, 2-year (r2) Assessment Expanded Practices: The r2 Validated Assessment represents the most comprehensive review and sets the highest standard for ensuring information protection. This assessment employs an adaptable and risk-based approach to control selection, catering to organizations with a high potential for risk. At this level, Readiness Assessment, Interim Assessment, and Bridge Assessment options are available. One notable feature of the r2 Validated Assessment is the issuance of a NIST Cybersecurity Framework Report, which outlines the organization's compliance with the controls included in the HITRUST CSF. This report is exclusive to the r2 assessment level and provides additional insights into an organization's cybersecurity posture.
    • Number of HITRUST CSF Requirements: An average of 375 (Year 1), approximately 40 (Year 2 Interim Assessment)

Executive Council

HITRUST is led by a management team and governed by an Executive Council made up of leaders from across a variety of industries. These leaders represent the governance of the organization, but other founders also comprise the leadership to ensure the framework meets the short- and long-term needs of the entire industry.

Executive Council members represent the following organizations:


  1. ^ Bosworth, Seymour; Kabay, M. E.; Whyne, Eric (2014). Computer Security Handbook, Set. John Wiley & Sons. ISBN 9781118851746. Retrieved 16 May 2019.
  2. ^ Snedaker, Susan (2013). Business Continuity and Disaster Recovery Planning for IT Professionals. Newnes. ISBN 9780124114517. Retrieved 17 May 2019.
  3. ^ "What is HITRUST CSF Certification?". Datica Health. Retrieved 17 May 2019.
  4. ^ a b Schreider, Tari (2017). Building Effective Cybersecurity Programs: A Security Manager's Handbook. Rothstein Publishing. ISBN 9781944480509. Retrieved 16 May 2019.
  5. ^ "Microsoft Compliance. Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) (2019)".
  6. ^ "Delaware Health Information Network Pursues HITRUST Certification". www.govtech.com. Retrieved 20 August 2019. In an open letter to the HITRUST Alliance written and posted to LinkedIn last year, a network security professional named Kamal Govindaswamy questioned the usefulness of the HITRUST CSF, describing it as "cumbersome, expensive, arbitrary, unnecessarily complex" and using "outdated data."
  7. ^ "HITRUST CSF Validation Requirements". Thoropass. 2023-05-03. Retrieved 2023-05-22.