The HITRUST Common Security Framework (CSF) allows healthcare entities to demonstrate compliance with many different standards and regulations, such as HIPAA, ISO, NIST, SOC 2, GDPR, PCI, CMS, MARS-E, and more.

As one of a select group of HITRUST CSF assessors, LBMC Cybersecurity participated in integrating the security standards of the Centers for Medicare & Medicaid Services (CMS) and NIST into the HITRUST Alliance framework. In 2010, we became one of the first HITRUST CSF assessor organizations, making us highly qualified to use the HITRUST CSF to help keep your organization's information secure.


HITRUST, in collaboration with leaders from the private sector, government, technology, and the information privacy and security spaces, established the HITRUST CSF, a certifiable framework that can be used by any organization that creates, accesses, stores, or exchanges sensitive information.

Every organization can achieve the coveted HITRUST CSF Certification, but it will take a little patience, a lot of executive support, and, sometimes, a helping hand.


On-Demand Webinar Duration: 0:05:47


  • Robin Barton, Shareholder and Practice Leader; HITRUST Authorized External Assessor Council Quality Subcommittee Member

Webinar: The HITRUST i1 Assessment

In December 2021, HITRUST announced its newest service offering: the new i1 Implemented Certification.
  • What is the HITRUST i1 Implemented Verified Assessment and Certification?
  • Why was this new option created?
  • Key differences between i1 and r2.
  • How to choose which option is right for you.




I have worked in the technology field for over 30 years and have been involved in assessments with all the large firms in the field. LBMC is second to none. Throughout the HITRUST process, their team became an extension of ours, making the experience enjoyable and extremely rewarding!
LBMC is very flexible and accommodating to our specific needs. They gave us a unique advantage with HITRUST certification, demonstrating compliance with various standards and regulations. With LBMC, you get the ‘Big 4’ service without the extreme costs. Their local access and service level are unmatched by large, national providers.
We needed an experienced HITRUST assessment partner with local, day-to-day, face-to-face engagement. LBMC's resources, strong reputation, and expertise made them a perfect choice. Our team values their highly qualified professionals.
Chief Information Security Officer at a healthcare management company in Nashville

Do your policies and procedures address the HITRUST criteria?

Whether you are maintaining a certification or pursuing one now, this is a good time to review your policies and procedures and ensure they meet the HITRUST criteria.

1. Applicability

  • Policy and procedure maturity levels and scoring apply only to r2 assessments.
  • e1 and i1 assessments focus only on control implementation, but may still require a review of policies and procedures.

2. Timing

  • Remediated or newly implemented policies/procedures must be in place for at least 60 days (about 2 months) before they can be considered for scoring.
  • Policies and procedures that have been in place for 60 days (about 2 months) can be used for a validated assessment.
  • For the Implemented, Measured, and Managed maturity levels, the period is 90 days (about 3 months).

3. Scoring

  • Maturity levels are scored based on the HITRUST Control Maturity Scoring Rubric, considering the strength and percentage of evaluative elements being addressed.

4. Format

Policy: High-level principles or actions intended to guide current and future decisions, consistent with management's philosophy and objectives.
Procedure: Detailed steps necessary to perform specific operations in compliance with standards.

Documentation can include standards, manuals, guidelines, and directives, not just traditional policy or procedure documents.


The HITRUST® framework has grown rapidly by helping organizations address security, privacy, and regulatory challenges. However, there are common misconceptions.

1. Can you be HIPAA certified?

The security standards of the HIPAA Security Rule are not prescriptive enough for healthcare organizations to implement on their own. The HITRUST CSF® maps to the HIPAA Security Rule, Breach Notification Rule, and Privacy Rule, assuring that your organization meets these requirements. The MyCSF HIPAA compliance and reporting package generates reports that demonstrate compliance to auditors or investigators.

2. Is certification limited to healthcare entities?

No, it is applicable across various industries, including manufacturing, banking, entertainment, and telecommunications. The framework is developed with input from leaders in privacy, information security, and risk management, making it relevant to many sectors.

3. Was the framework created due to failed OCR HIPAA audits?

This is incorrect. HITRUST was founded in 2007, while OCR HIPAA audits began in 2011. LBMC has supported the CSF since 2010.

4. Can an organization certify to the NIST Cybersecurity Framework (CSF)?

Yes, many organizations prefer the NIST CSF. HITRUST provides a NIST CSF report scorecard detailing compliance with the relevant controls included in the CSF framework.

5. Is this program an “Assess Once, Report Many™” audit program?

Yes, experienced audit firms can combine criteria for multiple audit needs, resulting in greater efficiency, less audit fatigue, and higher-quality results.

6. Can the framework support ISO 27001 certification efforts?

Yes, the HITRUST CSF framework can assist with ISO 27001 certification, but choosing a skilled service provider is critical to achieving compliance and effectiveness.

The CSF provides comprehensive control requirements and a rigorous assessment process to measure the level of residual risk to electronic protected health information (ePHI). The testing must be performed by an approved assessor, ensuring quality assurance.


  • Scoping and Certification Selection: The assurance program allows for independent certification or validation against the framework. These engagements must be performed by trained and vetted assessors experienced in healthcare information security. We can help your organization understand and define your scope, a critical step, as well as select the best assessment scoping strategy for your organization.
  • Readiness and Consulting Services: LBMC Cybersecurity experts make sure your organization is prepared for HITRUST as you begin your certification journey, building on a security framework that is well known and widely accepted across all industries. We offer readiness assessments, project management, remediation assistance, score-improvement guidance, and more.
  • Certification (Validation, Interim, & Rapid Recertification Assessments): Ready to certify or have a certification in place? LBMC can help. An interim assessment is required one year after certification to evaluate the organization's current state against the CSF. LBMC Cybersecurity provides this service and submits an Annual Review Letter.
  • Bridge Assessments: Introduced in response to COVID-19-related challenges, a bridge assessment allows an extension of the certification period. LBMC, with a decade of experience and the most seasoned team in the industry, offers external assessment services to guide you through the bridge process.

As the leader of the “10-year club” of assessors, LBMC is the longest-serving assessor in the industry, with the industry's most experienced team. In February 2010, LBMC's leaders signed on to a movement that has become the gold standard for modern security and privacy assessment. We have built an expert-led assessment team whose members have contributed to that success the longest.

We have helped countless organizations reach their HITRUST CSF certification goals. And, yes, we have learned many lessons along the way. We are assessor council members and assist the industry with education and outreach. We feel an obligation and a duty to offer encouragement and advice to those embarking on this journey. Please reach out any time with how we can assist you on your journey!



Drew Hendrickson

Shareholder & Cybersecurity Practice Leader

Nashville

Robin Barton

Nashville

