HITRUST CSF Assessments and Services

    Practical experience backed by industry expertise.

    Ensuring the security of your information has never been more critical than it is today. As your organization relies more heavily on technology and works to comply with ever-evolving security regulations, look to Wipfli for assistance and assurance.

    The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is one of the industry’s most widely adopted security frameworks. As a designated HITRUST CSF Assessor, Wipfli can assess your information security program against many industry standards and regulatory and state statutory requirements (i.e., HIPAA, HITECH, PCI, COBIT, NIST, and CMS).

    Obtain a third-party assessment. Wipfli provides risk assessments using the most updated framework to demonstrate your compliance with all of the regulatory security requirements facing health care organizations and business partners today.

    Improve your security confidence. By performing an initial gap analysis against the HITRUST CSF, Wipfli can identify areas of noncompliance to help you better manage and mitigate risk, in addition to helping you take appropriate and reasonable steps to improve your organization’s security program and understand and implement information protection safeguards that meet compliance requirements.

    Take your security efforts to the next quality level. Using the most up-to-date framework, Wipfli can develop a roadmap for your organization to pursue CSF validation or certification.

    Ensure strong vendor management. Use the CSF to further ensure your business partners are also meeting compliance requirements.

    Benchmark against other providers. Upon completion of your assessment, you'll gain access to data, allowing your organization to measure against other organizations.

    Learn more about our HITRUST Partner Program.

    Business Associates - We've got you covered too!

    If you are a health care vendor or business associate required to protect health information, by now you've heard HITRUST CSF Assurance is the new standard for streamlining the third-party assurance process. Check out our resources just for you:

    Leaders in health information privacy and security.

    With the adoption of electronic health records (EHRs) and health information exchanges (HIEs), the growing threat of medical identity theft, and the increased emphasis on individual privacy, you need proper security controls in place. You also need to comply with multiple requirements on several fronts—requirements that keep changing.

    Wipfli is uniquely qualified to help. As a designated HITRUST CSF Assessor, we apply the most current, widely recognized, and industry-adopted standards to your security framework. Whether or not your organization actually adopts CSF, you can be confident you’re getting an assessment based on one of the industry’s most widely accepted approaches to regulatory compliance and risk management.

    Using the HITRUST CSF Assurance Program also means Wipfli can align and assess your compliance with all the different regulations your organization must meet while taking the size and complexity of your organization into consideration. The result is a focused expert engagement with relevant documentation that appropriately fits your organization.


    By providing clients with a best practice-based, prescriptive information security framework that normalizes existing security requirements with a common approach for assessing and reporting, Wipfli can aid your organization in reducing the inefficiencies and complexities associated with managing security independently.


    HITRUST CSF Assessor

    Wipfli’s accreditation as a CSF Assessor makes the firm part of a small and elite group of security experts in the world that are qualified to provide information assurance services to the health care industry and business associates. Contact Paul Johnson or Karen Johnston to get started:

    Paul Johnson

    Karen Johnston


    What You Should Know About Using AWS, Azure, and Other Third-Party Tools

    Lately, we’ve uncovered uncertainties about cloud computing services with regard to HITRUST compliance—in particular, whether Amazon Web Services (AWS), Microsoft Azure, or other third-party tools offer features that can help address the assurances required across the 19 CSF assessment domains. This series of articles will share some of the useful tools and features we’ve encountered while performing assessments.

    Read Part 1.