HITRUST CSF Assurance Program

December 2016

" "

Cyber-attacks are on the rise, and healthcare has the bullseye on its back—the industry was the most attacked in 2015, surpassing financial services, information and communication, manufacturing, retail and wholesale, and energy and utilities. Coupled with the rise of technology to store and transmit valuable healthcare data, it’s more important than ever that healthcare providers not only achieve compliance, but prove they are indeed a trustworthy resource.

BDO recently took a significant step in filling that gap when it was designated as a HITRUST CSF Assessor by the Health Information Trust Alliance (HITRUST). With this achievement, BDO is now approved to provide services using the HITRUST CSF, a comprehensive security framework that addresses the multitude of security, privacy and regulatory challenges healthcare organizations face in complying with healthcare, third-party and government regulations and standards.

CSF assessors like BDO provide trained resources to healthcare organizations of varying size and complexity to assess compliance with security control requirements and document corrective action plans that align with the HITRUST CSF.
“The industry’s transition to electronic health records (EHRs), though critical to progress and innovation, has also opened the door to significant security and privacy risk. As an approved HITRUST CSF Assessor, BDO can help healthcare clients ensure they meet all regulatory requirements while protecting sensitive client and patient data.”

Patrick Pilch, Managing Director & National Leader of The BDO Center for Healthcare Excellence & Innovation


HITRUST CSF Assurance Program

The HITRUST CSF Assurance Program delivers simplified compliance assessment and reporting for HIPAA, HITECH, state and business associate requirements. Leveraging the HITRUST CSF, the program provides healthcare organizations and their business associates with a common approach to manage security assessments, creating efficiencies and containing costs associated with multiple and varied assurance requirements.

HITRUST CSF Assessors are a core component of the HITRUST CSF program and are critical to upholding information security and privacy standards for the healthcare industry, providing trained resources to healthcare organizations.

With the second phase of the U.S. Department of Health and Human Services’ Office of Civil Rights’ auditing efforts around HIPAA underway, BDO advises healthcare organizations to review their internal compliance and security controls and implement any necessary remediation actions in line with the HITRUST CSF.
“The healthcare industry was the top target for cyberattacks last year, and as events this year have shown, that trend is not slowing down. Clients that take advantage of the HITRUST CSF framework can streamline HIPAA compliance and minimize cyber vulnerabilities.”

Shahryar Shaghaghi, National Leader of BDO’s Technology Advisory Services practice and Head of International BDO Cybersecurity


CSF Assurance Program benefits include:

Reduced costs and complexity

Through the adoption of a common set of security (and privacy) objectives and assessment processes, the HITRUST CSF Assurance Program streamlines how healthcare organizations manage business-associate compliance. Business associates can assess once and report to their many constituents, while healthcare organizations and other external parties benefit from a more complete and effective assessment process.

Managed risk

Through a commercially reasonable process, organizations achieve increased insight into their internal and third-party risks. By freeing resources from reacting to new requirements and audits, organizations can take a proactive approach focusing on the other building blocks of an effective security management program.

Simplified compliance

Through a streamlined framework, organizations benefit from a consistent and efficient approach for reporting compliance with internal stakeholders, HIPAA, HITECH, state and business associates.

BDO HITRUST Service Offerings

SOC2 Plus Audits

Leveraging the HITRUST CSF framework, BDO uses the HITRUST CSF Assurance Program to deliver a simplified, streamlined approach to completing a compliance assessment and reporting for HIPAA, HITECH, NIST, ISO, COBIT, state and business associate requirements.

HITRUST CSF Certification

Guided by the HITRUST CSF, BDO translates multiple security frameworks into a common language, developing a prescriptive framework for healthcare organizations to implement security controls in line with regulatory standards including HIPAA, NIST, ISO, COBIT, FTC Red Flags and PCI. HITRUST CSF certification provides organizations with a third-party assessment verifying their compliance with industry certifications for the

Readiness Review and Remediation

The depth of BDO’s healthcare and cybersecurity industry experience sets us apart and enables us to “connect the dots” across various systems and functional areas within a healthcare organization. Our team of cyber security analysts, hospital executives, physicians and accountants can leverage their experience to conduct readiness reviews for your organization and remediate any issues identified through that process.
“Trust is a critical element of effective healthcare. That trust is built on a promise of confidentiality which, when broken—even inadvertently—jeopardizes the provider-patient relationship. Organizations certified under HITRUST can provide their patients and partners with ease of mind, ensuring they’re doing everything they can to safeguard sensitive information.”

Josh Ayers, Assurance Partner in BDO’s Assurance practice