
HITRUST CSF Assessment


    Overview

    Draft HITRUST CSF Validated Assessment deliverables for e1, i1, or r2 certification: control requirement responses (all five maturity levels for r2; the Implemented level only for e1 and i1), evidence artifacts, Corrective Action Plans, and the Validated Assessment Report.

    Getting Started

    Add your source materials to the project workspace, then activate the HITRUST CSF Assessment skill. The agent will guide you through the process step by step.

    Example Conversation

    You: We need to prepare for our HITRUST r2 validated assessment. We’re a healthcare SaaS company — cloud-hosted on AWS, about 800 employees, we handle ePHI and fall under HIPAA. Can you help us build the control requirement responses?

    Agent: I’ll guide you through the r2 assessment. A few scope questions first: (1) Do you have mobile devices accessing ePHI, and do you offer a patient-facing portal? (2) Are there any other regulatory overlays beyond HIPAA — PCI, NIST, state privacy laws? (3) Have you done a prior HITRUST assessment we can build on?

    You: Yes, patient portal, no PCI, and we need to be NIST-aligned. No prior HITRUST — this is our first. Go ahead and start with Category 01 (Access Control).

    Agent: Based on your scope — cloud on AWS, HIPAA + NIST overlays, patient portal, ~800 employees — your r2 assessment will include approximately 280 requirements. I’ve started drafting control-responses.json. Here are my responses for requirement 01.a (Business Requirement for Access Control):

    • Policy (100): “Information Access Control Policy v2.3, approved by CISO on 14 Jan 2025, addresses business requirements for access control across all ePHI systems.”
    • Procedure (75): “Access provisioning SOP documented in Confluence — covers request, approval, and provisioning workflow. Gap: no formal documented deprovisioning procedure; a separate offboarding SOP is being drafted.”
    • Implemented (75): “AWS IAM roles enforce least-privilege access. Okta SAML federation active for all corporate systems. Gap: privileged access review conducted ad hoc rather than quarterly.”
    • Measured (50): “Access review completion rate tracked; no formal KPI dashboard yet.”
    • Managed (0): “No management review of access control metrics documented.”

    Overall score: 68.75 — passing, no CAP required for this requirement. Shall I continue with 01.b and flag requirements that will need CAPs?

    Sample Output Excerpt

    Below is a representative excerpt from a HITRUST r2 control requirement response document.


    Requirement 09.ab — Monitoring System Use

    Category: 09 — Communications and Operations Management
    Assessment type: r2 | In-scope overlays: HIPAA, NIST

    Maturity Level Responses

    • Policy (100): Information Security Monitoring Policy v1.4, approved by Board of Directors, 22 Mar 2024.
    • Procedure (75): Log Review SOP (ITSEC-SOP-012) covers daily SIEM review. Gap: procedure does not address API gateway log review for the patient portal.
    • Implemented (75): Splunk SIEM ingests EC2 instance logs, RDS logs, and S3 server access logs; daily review tickets are generated in Jira. Gap: execution logs (CloudWatch Logs) from three legacy Lambda functions are not yet forwarded to the SIEM.
    • Measured (50): Mean time to review security alerts tracked monthly. No formal threshold or SLA defined.
    • Managed (25): Quarterly security operations review meeting held; minutes on file (Q1 2025). Log monitoring KPIs not yet a standing agenda item.

    Overall score: 68.75 (r2 weighting: Policy 15%, Procedure 20%, Implemented 40%, Measured 10%, Managed 15%) — Compliant (no CAP required)

    CAP

    Not required (score ≥ 62)


    Requirement 01.c — Privilege Management

    Category: 01 — Access Control

    • Policy (100): Privileged Access Management Policy v2.1.
    • Procedure (50): PAM SOP covers provisioning; deprovisioning steps missing for contractor accounts.
    • Implemented (50): CyberArk PAM deployed for database admins. Gap: 12 service accounts have standing privilege with no rotation schedule.
    • Measured (0): No privileged account metrics collected.
    • Managed (0): No management review of privileged accounts.

    Overall score: 45.0 (weighted) — Non-Compliant (CAP required)

    CAP — CAP-2025-014

    Gap: Privileged account management is incomplete: contractor deprovisioning undocumented, 12 service accounts lack rotation, no metrics or management review.
    Corrective action: (1) Update PAM SOP to include contractor offboarding; (2) rotate all 12 service account passwords and enable automated rotation in CyberArk; (3) implement a monthly PAM dashboard report; (4) add privileged account review to the quarterly security operations meeting agenda.
    Owner: Head of IT Security
    Target date: 30 June 2025
    Residual risk: Medium

    Built-in Scripts and Validation

    The skill includes a validation tool the agent runs against your response document during and after drafting.

    Validation tools

    hitrust_requirement_coverage_check
    Scans the control response document (JSON or Markdown) and validates:
    (1) every in-scope requirement has a response at all five maturity levels;
    (2) each level has a numeric score of 0, 25, 50, 75, or 100;
    (3) each level cites at least one evidence artifact;
    (4) every requirement whose overall score is below 62 has a CAP with a named owner and a specific target date;
    (5) CAP corrective action descriptions are substantive.
    Returns PASS with a count of validated requirements, or FAIL with a numbered list of specific issues to fix.
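The arithmetic behind the overall scores in the excerpt above, and the five checks listed for the validator, as an added Python example. This is not the skill's own hitrust_requirement_coverage_check script: it assumes a JSON layout for control-responses.json that the page does not show, treats "substantive" as a corrective action of at least 40 characters (an assumption), and runs over a constructed sample containing the two requirements from the excerpt plus a deliberately broken third one.

```python
"""Added example, not the skill's own hitrust_requirement_coverage_check script:
the r2 weighted maturity score plus the five validator checks the page lists.
The JSON layout is an assumption (the page does not show the schema of
control-responses.json), as is the 'substantive' heuristic below."""
import json
from datetime import date

# HITRUST r2 maturity-level weights and the five allowed level scores
# (0 Non-Compliant, 25 Somewhat, 50 Partially, 75 Mostly, 100 Fully Compliant).
LEVELS = ("policy", "procedure", "implemented", "measured", "managed")
WEIGHTS = {"policy": 0.15, "procedure": 0.20, "implemented": 0.40,
           "measured": 0.10, "managed": 0.15}
VALID_SCORES = {0, 25, 50, 75, 100}
CAP_THRESHOLD = 62        # requirements scoring below this need a CAP
MIN_ACTION_CHARS = 40     # assumption: a "substantive" corrective action is at least this long


def weighted_score(levels):
    """Overall requirement score from per-level scores (09.ab above -> 68.75)."""
    return round(sum(levels[name]["score"] * WEIGHTS[name] for name in LEVELS), 2)


def check_requirement(req):
    """Return the list of issues for one requirement; an empty list means clean."""
    issues, rid, levels = [], req.get("id", "<no id>"), req.get("levels", {})
    scorable = True
    for name in LEVELS:                                   # checks (1), (2), (3)
        lvl = levels.get(name)
        if lvl is None:
            issues.append(f"{rid}: missing maturity level '{name}'")
            scorable = False
            continue
        if lvl.get("score") not in VALID_SCORES:
            issues.append(f"{rid}/{name}: score {lvl.get('score')!r} not one of {sorted(VALID_SCORES)}")
            scorable = False
        if not lvl.get("evidence"):
            issues.append(f"{rid}/{name}: no evidence artifact cited")
    if not scorable or weighted_score(levels) >= CAP_THRESHOLD:
        return issues                                     # nothing more to check
    cap = req.get("cap")                                  # checks (4), (5)
    if not cap:
        issues.append(f"{rid}: score {weighted_score(levels)} is below {CAP_THRESHOLD} but no CAP is recorded")
        return issues
    if not str(cap.get("owner") or "").strip():
        issues.append(f"{rid}: CAP has no named owner")
    try:
        date.fromisoformat(str(cap.get("target_date") or ""))
    except ValueError:
        issues.append(f"{rid}: CAP target date {cap.get('target_date')!r} is not a specific ISO date")
    if len(str(cap.get("corrective_action") or "").strip()) < MIN_ACTION_CHARS:
        issues.append(f"{rid}: CAP corrective action is not substantive")
    return issues


def check_document(doc):
    """PASS/FAIL verdict over every requirement, as the page's tool reports it."""
    issues = [i for req in doc.get("requirements", []) for i in check_requirement(req)]
    return ("PASS" if not issues else "FAIL"), len(doc.get("requirements", [])), issues


# Constructed sample in the assumed layout: the two requirements from the excerpt
# above plus a deliberately broken third one (XX.zz is not a HITRUST requirement).
SAMPLE_JSON = """{"assessment_type": "r2", "requirements": [
 {"id": "09.ab", "title": "Monitoring System Use", "cap": null, "levels": {
   "policy":      {"score": 100, "evidence": ["Information Security Monitoring Policy v1.4"]},
   "procedure":   {"score": 75,  "evidence": ["Log Review SOP ITSEC-SOP-012"]},
   "implemented": {"score": 75,  "evidence": ["Splunk SIEM source inventory", "Jira daily review tickets"]},
   "measured":    {"score": 50,  "evidence": ["Monthly alert review-time report"]},
   "managed":     {"score": 25,  "evidence": ["Q1 2025 security operations review minutes"]}}},
 {"id": "01.c", "title": "Privilege Management", "levels": {
   "policy":      {"score": 100, "evidence": ["Privileged Access Management Policy v2.1"]},
   "procedure":   {"score": 50,  "evidence": ["PAM SOP"]},
   "implemented": {"score": 50,  "evidence": ["CyberArk deployment record", "Service account inventory"]},
   "measured":    {"score": 0,   "evidence": ["Interview notes: no metrics collected"]},
   "managed":     {"score": 0,   "evidence": ["Interview notes: no management review"]}},
  "cap": {"id": "CAP-2025-014", "owner": "Head of IT Security", "target_date": "2025-06-30",
          "corrective_action": "(1) Update PAM SOP for contractor offboarding; (2) rotate the 12 service accounts and enable automated rotation in CyberArk; (3) monthly PAM dashboard; (4) add privileged account review to the quarterly agenda."}},
 {"id": "XX.zz", "title": "Constructed failing example", "levels": {
   "policy":      {"score": 50,  "evidence": ["Draft policy"]},
   "procedure":   {"score": 25,  "evidence": []},
   "implemented": {"score": 25,  "evidence": ["Partial rollout ticket"]},
   "measured":    {"score": 0,   "evidence": ["Interview notes"]},
   "managed":     {"score": 0,   "evidence": ["Interview notes"]}},
  "cap": {"owner": "", "target_date": "TBD", "corrective_action": "Fix it."}}
]}"""
SAMPLE = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    for req in SAMPLE["requirements"]:
        print(f"{req['id']}: {weighted_score(req['levels'])}")
    status, count, issues = check_document(SAMPLE)
    print(status, f"({count} requirements)")
    for n, issue in enumerate(issues, 1):
        print(f"  {n}. {issue}")
```

Run as-is it reports 09.ab at 68.75 and 01.c at 45.0, then FAIL with four numbered issues, all against the constructed XX.zz entry (missing evidence, blank owner, non-date target, one-line corrective action); dropping that entry yields PASS for two requirements. The CAP checks only run once a requirement is fully scored, so structural problems (a missing level, an out-of-range score) surface first rather than being masked by a spurious CAP finding.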
