Services
Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
Industry Solutions
Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
About Us
About Us
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships

The HITRUST e1 Assessment: A Breakdown

Healthcare Assessments

In American history, the Westward Expansion is an important theme of our 19th century. What began with 13 colonies that fought for American independence eventually—after many years—grew to include more places that held more people and different opportunities.

More recently—as in, over the last 3 years—HITRUST has also expanded exponentially to become an all-encompassing certification that can be achieved by a wide variety of industries and organizations.

When HITRUST endeavored to become accessible to more and more institutions, they introduced alternatives to the now-typical 2-year (r2) certification—consider that a parallel to the Louisiana Purchase of 1803, which stretched west from the Mississippi River to the Rocky Mountains and from the north of Canada to New Orleans, doubling the size of the United States.

Now, HITRUST has expanded again, this time with a lower-effort validated cybersecurity assessment they have designated as their HITRUST Essentials, 1-year (e1) Assessment. (For the sake of continuing our metaphor, this could be considered similar to the later Gadsden Purchase of 1853 that established much of America’s southern border.)

Now when these expansions happened, explorers forged west in search of a better life. But where they ventured into the unknown, you don’t have to—as experienced HITRUST assessors, we’re going to explain the basics of this new assessment, including its benefits. We’ll also provide a high-level comparison of all three HITRUST assessments.

This expansion that now includes the e1 option represents an exciting new opportunity for those who perhaps had yet to commit to HITRUST certification—read on to find it if it’s the right move for you.

What is the HITRUST e1 Assessment?

Presuming you’re familiar with the HITRUST i1 and r2 assessments, the e1 assessment now offers clients a certification alternative that is significantly lower effort and cost than the typical r2 assessment.

Like its siblings—the i1 and r2—the e1 is also designed to be threat-adaptive. HITRUST consistently reevaluates the most pressing cyber threats through its quarterly reconciliation of cyber threat intelligence to the HITRUST CSF requirements—therefore, when changes are necessary, they will be included in major and minor releases of the HITRUST CSF.

However, with its static baseline of only 44 requirements, the e1 assessment can be completed in a much shorter timeframe while still providing your clients with assurance regarding your good security hygiene.

This e1 assessment can also serve as just a first step for those who are:

  • New to HITRUST, or
  • Planning to continue onto the more thorough i1 and r2 assessments, or
  • Interested in evaluating the risk management of your (potential) third-party vendors

Should you complete the e1 certification process, your deliverables will include the certification report, certification letter, and certification letter with scope, which can be distributed to your clients as evidence of your foundational benchmark of proper cybersecurity controls.

 

Key Benefits of the e1 Assessment

HITRUST wouldn’t introduce a new assessment without established use cases, but what makes the e1 the right option for your organization? There are a few aspects you might consider:

  • Flexibility: The e1 assessment can be performed as a readiness or validated assessment – and readiness assessments can be performed with an External Assessor or as a self-assessment.
    • If you opted for the former, the scope of your e1 assessment would be fully inheritable for your subsequent i1 and r2 assessment, as all controls are nested into the more comprehensive certifications.
  • Broad Appeal: The e1 assessment’s focused scope contains key controls that are inherently expected for nearly all entities, making it relevant to any and all industries seeking proper cybersecurity hygiene.
  • Addresses Modern Threats: As per HITRUST’s commitment to threat adaptability, such threats addressed include those that are potentially high impact like phishing and ransomware.
  • Lean and Low Effort: The curated set of 44 cybersecurity controls focuses on fundamental cybersecurity practices while remaining lean and relatively low effort when compared to the i1 and r2 assessments.
    • e1 assessments focus mostly on implemented evidence, which significantly reduces the amount of Policy and Procedure updates, compared to that which is necessary for the r2 assessment.
  • Shorter Turnaround: The Quality Assurance phase of the e1 assessment—during which HITRUST reviews and issues the certification—is significantly reduced. You would receive certification no more than 30 days after submission (or your next e1 Validated Report is complimentary). 

HITRUST e1 vs. i1 vs. r2

To help put all this into perspective, we put together a breakdown of the high-level elements of all three HITRUST assessments. If you’re brand new to HITRUST, this might provide a good starting point for understanding all three of your options.

(For more details on the i1 and r2, you can also check our article here.)

 

e1

i1

r2

Timeline

1-year certification

1-year certification

2-year certification

HITRUST Certifiable?

Do You Need a HITRUST External Assessor?

Yes

Yes

Yes

MyCSF Data Entry

External Assessor can enter scoring and scope into MyCSF

External Assessor can enter scoring and scopeinto MyCSF

You must enter scoring and scope into MyCSF

Requires an Interim Assessment?

No

No

Yes

Threat Adaptive?

Fixed Requirements?

Yes

Yes

No - Requirements are tailored to your assessment scope

More Considerations for HITRUST Certification

Though it took many years to connect the whole of the new American lands, those expansions westward were key parts of the country’s history. With its own new addition, HITRUST has now grown its key offerings from two to three—the newest option in the e1 represents both a lighter lift in proving your cybersecurity hygiene as well as an avenue to the more robust HITRUST assessments.

Though you may now understand more regarding the e1, HITRUST certification features many complexities you’ll need to navigate, no matter which assessment you choose. To learn more about these intricacies, check out our other content detailing different aspects:

Of course, you may find you have more organizationally specific questions regarding this framework—if so, please feel free to contact us, as our experts would be happy to address your concerns and clear the way for your moving forward with HITRUST.

 

About Kevin Keane

Kevin Keane is a Senior Associate with Schellman. Prior to joining the firm in 2020, Kevin worked as a Senior Technology Risk Professional and gained significant experience in many areas of IT audit such as SOX IT Controls, System Implementations, Automated Controls, and SOC Report Evaluations. As a Senior Associate at Schellman, Kevin primarily focuses on HITRUST audits for various healthcare organizations.