Blog

HITRUST CSF Readiness: Preparing for Healthcare Security Assessment

How healthcare and life sciences organisations can prepare for the HITRUST Common Security Framework assessment process.

← Back to Blog
Published 3 March 2026 · BCERT Editorial Team · 7 min read

The HITRUST Common Security Framework (CSF) is a certifiable framework specifically designed for the healthcare industry, consolidating requirements from HIPAA, NIST, ISO 27001, PCI DSS, and other relevant standards into a single, risk-scalable control set. Originally developed in 2007, the CSF has become the de facto assurance standard in US healthcare — widely demanded by health plans, hospital networks, and health IT vendors as a condition of doing business. Achieving HITRUST certification demonstrates that your organisation's security program has been independently validated against a rigorous, comprehensive framework.

What Is HITRUST CSF v11?

HITRUST CSF version 11 (released in 2023) introduced significant changes to improve the reliability and efficiency of assessments. Key changes include:

  • Restructured assessment types: CSF v11 introduced three assessment types — e1 (essential, 44 controls), i1 (implemented, ~182 controls), and r2 (risk-based, full scope, 200+ requirement statements). The r2 replaces the previous Validated Assessment.
  • Enhanced quality assurance: Increased testing requirements and quality review by HITRUST to improve consistency across assessors.
  • Sampling and inheritance: Improved methodologies for control sampling and for leveraging existing certifications (such as ISO 27001 or SOC 2) to reduce assessment burden.

Control categories in the CSF cover 19 domains including information protection program, endpoint protection, portable media security, mobile device security, wireless protection, configuration management, vulnerability management, network protection, password management, access control, audit logging, education and training, third-party assurance, incident management, business continuity, risk management, physical and environmental security, data protection and privacy, and transmission protection.

Readiness Assessment vs Validated Assessment

Organisations typically progress through two phases before achieving certification:

Readiness Assessment: Conducted by a HITRUST Authorised External Assessor (like BCERT), the readiness assessment identifies gaps between your current security program and the HITRUST CSF requirements. It is not a certification — it is a preparatory exercise that produces a gap report and remediation roadmap. Organisations use it to understand what work is needed before committing to the full validated process.

Validated Assessment (r2) or i1 Assessment: This is the certification assessment, conducted by an authorised assessor and submitted to HITRUST for quality review and scoring. HITRUST issues the certificate (valid for two years for r2, one year for i1) upon successful completion. The validated assessment requires extensive evidence collection, testing, and documentation.

Who Needs HITRUST?

HITRUST is primarily relevant for:

  • Healthcare providers and health plans: Hospitals, clinics, payers, and health networks frequently require HITRUST of their technology vendors as a condition of contract.
  • Health IT and SaaS vendors: Electronic health record (EHR) vendors, telehealth platforms, and health data analytics companies.
  • Life sciences and pharma: Companies handling clinical trial data, patient registries, or genomic information.
  • Business associates: Any organisation that handles PHI on behalf of a covered entity and whose customers require HITRUST rather than (or in addition to) HIPAA attestation.

The Gap Analysis Process

A HITRUST gap analysis examines your organisation against the specific control requirements applicable to your scope, system type, and risk factors. The process includes: scoping the assessment (determining which requirements apply based on organisational and regulatory factors), reviewing existing policies and controls, testing a sample of implemented controls, and scoring each requirement against HITRUST's maturity model. The output is a scored gap report that mirrors the actual validated assessment structure — so you know precisely what to fix and in what priority order before the certification assessment begins.

Ready to get certified?

Visit bcert.uk or contact us at info@bcert.uk to discuss HITRUST readiness.

Request a Gap Analysis →