RSI Security recently partnered with HITRUST to introduce a novel assessment available from the cybersecurity organization: HITRUST AI Assessments. RSI Security Marketing Coordinator Anna-Laure Iman began with an introduction of the three primary speakers for the event:
- Matt Datel, Director of Strategic Partnerships at HITRUST, coordinates the assessor program and educates the broader public about all matters of HITRUST assessments.
- John McLaughlin, Sales Development Executive at RSI Security and formerly of Crowdstrike, is a solutions advisor with a depth of experience in software and services.
- Mohan Shamachar, Director of Information Security & Compliance at RSI Security, leverages over 20 years of experience in the field to streamline infosec and compliance.
After introductions, McLaughlin started with an overview of RSI Security’s HITRUST offerings.
RSI Security’s HITRUST Assessment Services
McLaughlin provided some context for RSI Security’s involvement with HITRUST by explaining that we’ve been around since 2008. And, although we’re headquartered in San Diego, our reach extends across southern California and the rest of the US, as RSI Security is truly remote. Our 50+ employees and 400+ consultants power our full-suite cybersecurity, compliance, advisory, Security Operations Center (SOC), and other services for businesses of all kinds and sizes.
And, as a HITRUST Assessor for over seven years, we offer everything from gap and bridge assessments to CSF certification (see below), coordinated assessments with other frameworks (e.g., SOC 2), targeted healthcare risk advisory, third-party risk management (TPRM), and more.
What sets RSI Security apart, McLaughlin explained, is our comprehensive experience.
When it comes to HITRUST in particular, we offer guidance through the entire certification journey—from the kickoff call through initial planning and into implementation, assessment, certification, remediation (if needed), re-certification, and seamless, long-term maintenance.
McLaughlin then gave the floor to Datel for a more in-depth discussion of HITRUST assessments in general and the new HITRUST AI Assessments in particular.
HITRUST CSF and AI Assessments, Explained
Before diving into the new HITRUST AI Assessment, Datel spent some time explaining exactly what the different types of CSF Assessments are. This is because the AI Assessments build on the HITRUST CSF controls, and CSF certification is a prerequisite for one of the AI audits.
At present, HITRUST offers three kinds of CSF certification assessments:
- HITRUST e1 – These are the most fundamental assessments, which Datel described as a starting point for organizations newer to framework deployment. They comprise 44 controls dubbed “cybersecurity essentials,” and certification is granted for one year.
- HITRUST i1 – These are also one-year assessments, but they offer a moderate level of security assurance through 182 distinct controls. Datel recommends these assessments for higher-risk organizations on their way toward full security maturity and compliance.
- HITRUST r2 – These risk-based, two-year certifications are customized and scalable to the exact needs and means of a given organization, with 250+ controls based on their specific sensitive data, risk profile, tech stack, compliance obligations, and other factors.
Datel noted that all HITRUST assessments used to follow the rigorous r2 model. They’ve added the e1 and i1 assessments in recent years to maximize accessibility across various use cases.
Datel also provided context about the vital role HITRUST Assessors (like RSI Security) play.
Namely, HITRUST Assessors have exclusive access to the MyCSF platform. This allows them to scope assessments, provide preparation services, and ultimately perform a validated e1, i1, or r2 Assessment. At present, this is the only way to achieve an official HITRUST certification.
Datel then explained why organizations conduct HITRUST assessments. In 2022 and 2023, 99.4% of HITRUST-certified organizations reported no data breaches whatsoever; just 0.6% of HITRUST-certified entities reported one. In comparison, an Identity Theft Resource Center study indicated that 73% of small businesses suffered a data or security breach in 2023.
While it’s impossible to guarantee protection from breaches, HITRUST certification comes close.
HITRUST’s New AI Assessments
The newest HITRUST assessments, focused on AI, extend the CSF’s security assurance and protection across emerging technology. One of the reasons the CSF is so effective at preventing cyberattacks is that HITRUST monitors threat intelligence. Leveraging partnerships across tech, healthcare, and other fields, HITRUST keeps tabs on what new tools are being implemented and how attacks can be monitored and caught before they’re able to cause substantial harm.
HITRUST updates the CSF multiple times per year in response to emerging threats.
As businesses in every industry adopt AI, HITRUST has two new assessments in development that will help organizations get ahead of upcoming regulations and assure effective AI use:
- AI RM (Risk Management) – These assessments are designed to help organizations identify and evaluate all risk areas related to AI, spanning security along with concerns like accountability, fairness, performance, and ecological implications. They comprise 51 controls and are available at present. They are not certifiable, at least at present, but their results are delivered via an Insights Report. They are a great first step toward…
- Cybersecurity for Deployed AI Systems – These assessments are aimed toward assuring that already-deployed AI systems are secure, up to CSF standards. Set to release on 12/8/24 alongside v11.4 of the CSF, these assessments comprise 44 new prescriptive controls based on CSF protections. However, they apply strictly to AI, and entities with deployed systems can get certified alongside an e1, i1, or r2 assessment.
As with e1, i1, and r2, there is a progression upward for organizations looking to get their AI systems certified. Datel explained that AI RM is a preliminary step that can apply to prospective systems (i.e., plans for deployment), but the deployed assessment is more comprehensive.
Questions and Closing Thoughts on AI Assessments
To close out, the presenters engaged with questions from the audience and each other.
One audience member asked about whether organizations planning to achieve HITRUST CSF certification in 2025 would need to wait until much later (2026) to certify their AI practices. Datel responded that they would be able to certify in 2024 provided they have a CSF 11.4 certification.
Datel also noted at this point that HITRUST is offering a 50% discount on its AI credits for all of 2025 on any purchase made before the end of 2024. Any organization considering certification in the upcoming year can take advantage—both HITRUST and RSI Security are eager to assist.
Mohan Shamachar added that organizations in healthcare specifically should be looking into HITRUST AI assessment. Doctors, nurses, and other stakeholders are using AI to collect, store, and otherwise process protected health information (PHI). But it’s unclear at present whether and how Health Insurance Portability and Accountability Act (HIPAA) regulations will apply to AI systems in the future. HITRUST is a great way to get ahead of upcoming requirements.
McLaughlin also chimed in with a question about anticipated challenges in implementing HITRUST AI protections. Datel noted that one apparent obstacle is actually a misconception: some organizations are hesitant to approach AI assessments because they fear an increase in scope and/or a threat to their existing HITRUST certification status. Datel dispelled this notion, adding that the AI assessments are a completely separate undertaking and cannot impact an organization’s CSF certification. An organization that failed an AI assessment would not see any impact on its certification. Instead, it would be in an excellent position to rectify and secure its AI use.
Another audience member asked whether AI assessments will incorporate physical security controls, like the CSF. Datel said that they likely will, but more emphasis will be placed on software and cloud protections. He also noted that a full list of controls is available upon request. HITRUST is making every effort to help organizations prepare for AI security.
To that effect, RSI Security also encourages organizations to reach out with questions about CSF and AI assessments, along with any other security advisory or implementation concerns.
Rethink and Optimize Your AI Security
As explained by McLaughlin in the presentation, RSI Security is a trusted HITRUST partner that has helped countless organizations prepare for, achieve, and maintain their HITRUST CSF certification. Looking ahead, we plan to provide the same full suite of services to organizations seeking secure, safe AI practices. We know that discipline upfront paves the way for greater flexibility and freedom in the future. We’ll help you rethink and future-proof your AI tech.
Check out our upcoming events so you don’t miss out on our next webinar.
And, to learn more about how RSI Security will help your organization, get in touch today!