HITRUST

Readiness assessment

We examine your organization’s environment and flow of data between systems that are in-scope, identify gaps for control, and provide recommendations for remediation.

Validated 1-Year (e1) Assessment

The e1 is the cybersecurity essentials assessment with 44 control requirements and is meant for low-risk organizations that want to ensure they are maintaining good cybersecurity hygiene.

Implemented 1-Year (i1) Assessment

The i1 Assessment is suitable for moderate assurance and results in a 1-year certification if requirements are met. There are 219 static controls in an i1 Assessment and only the Implemented maturity is tested. Once your assessment has been submitted to myCSF, we will review, validate and submit the assessment to HITRUST for approval.

Risk-Based 2-Year (r2) Assessment

This validated assessment focuses on a comprehensive risk-based specification of controls with a very rigorous approach to evaluation, suitable for high assurance requirements. A minimum of three of five maturities must be addressed during the r2 Assessment, Policy, Process, and Implemented. This certification is issued for two years with an Interim Assessment required during the one-year anniversary of the certification. Similar to the i1 Assessment, we will review and validate your assessment scores and will submit your final assessment to HITRUST for approval.

Interim assessment testing

If an r2 assessment was completed we will test a subset of requirements including 19 controls from the prior r2 assessment and determine the progress of any Corrective Action Plans. This ensures the ongoing effectiveness of those controls to identify and document any scope changes that may impact your HITRUST certification.

HITRUST risk & advisory services

The A-LIGN Advisory Team will review your company’s policy and procedure documents and evaluate them against the HITRUST CSF standard. We will share any gaps identified and will remediate those gaps by updating and documenting the policies and procedures accordingly to meet the HITRUST CSF specifications. If your company needs policies and procedures created, we can design and document those appropriately after performing interviews to understand the control environment. We can also assist in documenting non-technical controls such as Risk Assessment, Incident Response, Disaster Recovery, and more.

HITRUST AI cybersecurity assessment

This assessment helps organizations manage AI-related cybersecurity risks and integrates with HITRUST e1, i1, and r2 assessments via the “Cybersecurity for AI Systems” compliance factor in MyCSF. Based on ISO/IEC 23894:2023 and the NIST AI Risk Management Framework, it includes 51 controls for AI governance.

The assessment provides a report with strengths and improvement areas, adaptable for various AI stages, supporting self-assessment or HITRUST validation. A-LIGN offers readiness assessments and certification submissions to HITRUST.

HITRUST AI risk management assessment

This assessment provides a structured approach to managing AI-related risks, supporting responsible AI governance. The HITRUST AI Cybersecurity Assessment includes tailored controls for AI challenges, based on multiple authoritative sources, and allows control inheritance from AI solution providers.