HITRUST Advisory and Assessment Support
I help digital health and healthcare technology organizations navigate the HITRUST CSF: readiness, validated assessment support, gap analysis, policy remediation, and ongoing CSF posture across multi-framework practices.
The starting observation: most HITRUST work converges on one question. How do you turn a security program into auditable evidence the QA team accepts the first time? The answer is documentation discipline scoped to your environment, not generic templates. That scoping decision is usually the difference between a clean assessment and a QA cycle of revisions.
What I help with
Validated assessment support
- e1, i1, and r2 readiness and validated assessment work
- Scoping engagements: data-flow mapping, system boundaries, shared-responsibility documentation
- Sampling plans and population definitions for evaluative-element scoring
- MyCSF administration: requirement library navigation, evidence intake, scoring submission, QA response
- PRISMA maturity scoring across Policy, Process, Implemented, Measured, Managed
- Findings documentation using the standard Inheritance / Sample / Interview / Policy / Process / Implementation template
Gap analysis and remediation
- Pre-assessment readiness reviews against current HITRUST CSF requirements
- Policy suite development and remediation: ISMS, Access Control, Mobile Device, Network Management, Incident Response, BCP/DR, Physical Security, Privacy
- Each policy change traced back to its driving requirement so QA evidence is auditable
- Evidence package preparation for assessor review
Internal assessment function development
- Help organizations build the internal assessment capability to maintain CSF posture between certifications
- Testing methodology, documentation discipline, and scoring approach
- MyCSF setup and admin practices that meet assessor-quality standards
- Independence and objectivity protocols for HITRUST team-composition requirements
- Internal findings tracking and remediation workflows that integrate with the next assessment cycle
Multi-framework crosswalk
- Reduce duplicate evidence collection across HITRUST, SOC 2, ISO 27001:2022, HIPAA, NIST 800-53, and NIST 800-171
- Map AI-specific controls to ISO/IEC 42001 for organizations adding AI to existing HITRUST scope
- Identify shared-responsibility inheritance from cloud providers and SaaS dependencies
AI-powered evidence review tooling
I run a custom evidence-review tool built on an open-source cybersecurity assessment platform that compresses HITRUST first-pass review effort.
- The assessor uploads policy, process, and implementation documents, or syncs them from a customer's structured cloud folder, for review against HITRUST requirements
- Tool returns structured assessor notes: MET / NOT MET / PARTIALLY MET determinations, evidence citations with page-level references, gap analysis, and assessor action items
- Separate analysis paths apply the right criteria to each evidence type (policy reviewed against policy criteria, process against process criteria, implementation against implementation criteria)
- Readiness mode adds a remediation roadmap with prioritized gaps, recommended templates, and effort estimates
- Cross-framework adaptation: same approach applies to SOC 2, HIPAA, NIST 800-171, and CMMC
The tooling does not replace assessors. It produces structured first-pass notes that an assessor reviews, refines, and approves; force multiplication, not substitution. In comparable frameworks the same approach drops evidence review from 60-80 hours to 25-35 hours per engagement.
What’s at stake
When this works. Customer security questionnaires take days to turn around, not months. Attestations are submitted before their deadlines. Your enterprise health-system and payer deals don't stall on certification status.
When this doesn’t get done. A HITRUST attestation deadline slips, and the payer deal goes dark. A QA finding lands on the wrong side of the certification window. A customer requests an i1 attestation as a contract precondition, and you don’t have the readiness work done to commit to a timeline.
Background
- HITRUST CCSFP, active since 2017
- Certified Information Systems Auditor (CISA), ISACA
- 5+ years of validated assessment experience as a Senior HITRUST Assessor and Engagement Lead at Drummond Group, where I was a pivotal team member from inception to launch of the firm’s HITRUST service line
- M.S. Cybersecurity and Information Assurance, Western Governors University
- Credited contributor to the CHAI Responsible AI Guide (Privacy and Cybersecurity Profile)
Related practice areas
HITRUST engagements increasingly overlap with adjacent tracks. If your product is ONC-certified, the ONC certification page covers CEHRT obligations and HTI-5 strategy. If you’re adding AI features, the AI governance page covers ISO/IEC 42001 work that maps directly into HITRUST AI control coverage.
Get started
Most HITRUST engagements begin with a scoping conversation: which assessment type, which boundary, what customer commitment is driving the work. From there we agree on a readiness plan and timeline that fits your QA submission window.
Schedule a call to discuss your HITRUST work.