HITRUST, the assurance health systems actually trust.
The HITRUST CSF is the certification large health systems increasingly require of their vendors. We map your controls, close the gaps and take you through the assessment to a certified report.
Three levels of HITRUST assurance — and the right one for you
HITRUST isn't one exam; it's a ladder of increasing rigor. We scope you to the level your customers require today — and build a path up when they raise the bar.
Essentials
A streamlined assessment of foundational cybersecurity hygiene — the quickest credible entry point.
Implemented
A threat-adaptive assessment of leading security practices. A strong middle tier for growing vendors.
Risk-based
The gold standard — a tailored, risk-based, expanded certification that health systems trust most.
Certification run by people who build the controls
We don't just advise on the CSF — we implement the controls to the maturity HITRUST scores, then stand beside you through validation.
We've built and certified healthcare platforms before — the CSF is familiar ground, not a first attempt.
e1, i1 and r2 — scoped to exactly what your customers require, with a path to climb.
HIPAA, NIST, ISO 27001, PCI and more — mapped from a single CSF assessment, so the evidence is collected once and reused across frameworks.
Policy, procedure, implemented, measured and managed — we build controls that score on all five maturity levels.
How a HITRUST engagement works
From level selection to a certified report — we scope, build to the maturity HITRUST scores, and support the validated assessment.
Start a conversation
01 Scoping & readiness
We determine the right assurance level for your customers and run a gap assessment against the CSF controls in scope — so you know exactly where you stand.
- Level selection (e1 / i1 / r2)
- Scope definition
- MyCSF gap analysis
- Prioritized remediation plan
02 Control implementation
We design and build the technical and process controls the CSF requires — to the maturity HITRUST actually scores, not just 'documented'.
- Technical control build
- Policy & process design
- Maturity uplift
- Evidence-by-design
03 MyCSF & evidence
We populate MyCSF, map your evidence to every requirement, and run a mock assessment so the validated review holds no surprises.
- MyCSF population
- Evidence mapping
- Maturity scoring prep
- Mock assessment
04 Assessment support
We work alongside your authorized external assessor through validation to a certified report — and keep the posture live across the certification window.
- Assessor coordination
- Validation support
- Corrective action plans
- Certification & bridge
The CSF domains an assessor will validate
Access control
Identity, least privilege and authentication across every system in scope.
- Provisioning & reviews
- RBAC & MFA
- Privileged access
- Remote access
Endpoint & configuration
Hardened, monitored endpoints and managed system configuration.
- Endpoint protection
- Configuration baselines
- Patch management
- Asset inventory
Network protection
Segmentation, monitoring and controls across the network perimeter and core.
- Segmentation
- Firewalling
- Intrusion detection
- Traffic monitoring
Risk management
A formal, scored risk program tracked to closure — exactly what r2 expects.
- Risk assessment
- Risk register
- Treatment plans
- Annual review
Third-party assurance
The vendors and subprocessors in your supply chain, assessed and governed.
- Vendor inventory
- Risk reviews
- Contractual controls
- Ongoing monitoring
Incident management
Detection, response and notification — designed, documented and tested.
- IR plan
- Detection & triage
- Notification process
- Tabletop exercises
Different reasons HITRUST lands on your desk
A health-system deal that demands it, a security program you're formalizing, or a stack of frameworks you'd like to satisfy at once — we scope to whichever brought you here.

Vendors whose deals require HITRUST
A health-system customer's procurement now mandates HITRUST. We get you certified at the level they require — without over-scoping to a tier they don't ask for.
- Level matched to the contract
- Fastest credible path
- Evidence that scales
- Renewal-ready posture
Teams formalizing their posture
You want one rigorous benchmark instead of answering a hundred different questionnaires. HITRUST harmonizes them — and we build you to score, not just to check a box.
- Single rigorous standard
- Maturity uplift
- Questionnaire relief
- Board-ready assurance
Orgs already juggling frameworks
You report against HIPAA, SOC 2 and more. One CSF assessment maps to the frameworks you already maintain — so you assess once and report many.
- Assess once, report many
- Control reuse
- Reduced audit fatigue
- Unified evidence
How HITRUST actually scores you
HITRUST doesn't ask “do you have a control?” — it scores each one across five maturity levels. We build to every level, not just the first.
Is the control documented as policy?
Is there a defined procedure to operate it?
Is it actually in place and operating?
Do you measure whether it's working?
Do you act on the measurements to improve?
From scope to certified
Assurance level and the CSF controls in scope.
Gap analysis against the requirements in MyCSF.
Build controls to the scored maturity levels.
Map evidence to every CSF requirement.
Authorized external assessor validation.
HITRUST review through to a certified report.
Certification principles we build by
The convictions that get you a certificate that actually means something — and that you can renew without starting over.

Score the maturity, not the checkbox
We build controls that score at all five maturity levels: policy, procedure, implemented, measured and managed.
Assess once, report many
One CSF assessment that maps to HIPAA, SOC 2, NIST and ISO — so the work pays off across frameworks.
Right level, not max level
We scope to what your customers require, then build a path up — over-certifying is just wasted cost.
Evidence mapped to requirements
Every CSF requirement points at its proof in MyCSF, so validation is a walkthrough, not a hunt.
Controls that fit the team
Built into how you operate, not bolted on for the assessor and abandoned afterward.
Continuous across the window
An r2 certification is valid for two years, with an interim assessment at the one-year mark. We keep the posture live across that window rather than reconstructing it at renewal.
HITRUST certification FAQ
Which HITRUST level do we need — e1, i1 or r2?
It depends on what your customers require. e1 is a fast, foundational entry point; i1 covers leading practices; r2 is the risk-based gold standard health systems most often demand. We match the level to your contracts rather than defaulting to the most expensive one.
How long does certification take?
e1 and i1 are faster, often a few months once controls are in place, and their certifications are valid for one year. r2 is a larger assessment whose certification is valid for two years, with an interim assessment due at the one-year mark. The real variable is your current state, which is why we start with a gap assessment and give you a scoped timeline.
Do you perform the validated assessment?
No — the validated assessment must be performed by an independent HITRUST Authorized External Assessor, and HITRUST itself then reviews the submission before issuing the certified report. We prepare you, populate MyCSF, run a mock assessment, and support you through validation, but the assessment itself stays independent.
We already have SOC 2 — does that help?
Significantly. HITRUST harmonizes SOC 2, HIPAA, NIST and ISO, so much of your existing control work carries straight over. We map what you have and focus the effort on the genuine gaps.
What is MyCSF?
MyCSF is HITRUST's assessment platform — where the controls, your responses and the evidence live. We populate it, map your evidence to each requirement, and manage the workflow through to the assessor.
Need HITRUST to win the health-system deal?
Tell us the customer and the level they're asking for. We'll come back with a scoped path to a certified report — at the right tier, not the most expensive one.
Talk to our team