Risk factors are used to tailor the HITRUST CSF requirements included in risk-based, 2-year (r2) assessments. They are not used on other HITRUST assessments such as Implemented, 1-year (i1) assessments or basic, Essentials, 1-year (e1) assessments.
  • General Factors
    • Organization Type
      Legal classification of the Assessed party.
    • Entity Type
      (Note: Applicable to assessment objects created prior to June 1, 2020.)
      Type of organization as interpreted by HIPAA.
  • Organizational Factors
    • Number of Records that are currently held
      Count of sensitive records within the scope of the Assessment.
    • Number of Individual Records that are processed annually
      Count of sensitive records received or transmitted yearly within the scope of the Assessment.
    • Number of Covered Lives (Payer)
      Count of individuals enrolled in health insurance plans.
    • Number of Admitted Patients annually (Hospital)
      Count of people who were provided care in the past year.
    • Number of Licensed Beds (Hospital)
      Count of hospital beds available within the facilities in scope.
    • Number of Prescriptions Filled Annually (Pharmacy)
      Count of prescription orders fulfilled yearly.
    • Number of Patient Encounters Annually (Physician Practice)
      Count of people who were provided care in the past year.
    • Number of Physicians on Staff (Physician Practice)
      Count of Physicians employed by the Assessed organization.
    • Number of transactions received and sent annually (HIE)
      Count of sensitive transactions processed yearly.
    • Total Terabytes of Data Held (IT)
      Count of TBs of sensitive data stored.
    • Volume of Data Exchanged Annually (Non-IT)
      Count of MBs of sensitive data processed yearly.
  • Geographic Factors
    • Geographic Factors
      Geographic reach of the systems and facilities being Assessed.
  • Technical Factors
    • Is the system(s) accessible from the Internet?
      An information system or application to which users are able to gain access from a public network (e.g., Internet). Applies whether the application is publicly exposed or is behind a firewall accessible only after first establishing access to an internal domain (e.g., VPN).
    • Is the scoped system(s) (on-premise or cloud-based) accessible by third-party personnel (e.g., business partners, vendors, cloud providers)?
      An information system or application to which approved third parties are provided access. A third party is any entity that is separate from the organization and that has been authorized for physical and/or logical access to the scoped system. This includes cloud service providers, as the provider would have physical access to the organization's systems. Furthermore, third-party accessibility does not depend on the means of access and occurs regardless of whether it is over a public network or whether the application is specifically hosted for customer use, for the purpose of operation, administration, or maintenance. Customers are considered "second parties," not "third parties," and therefore should not be considered when answering this question.
    • Does the system(s) transmit or receive data with a third-party?
      An information system or application that exchanges information (interactively or through system-to-system connectivity) with a third party (e.g., business partners, vendors, cloud service providers).
    • Is the system(s) publicly positioned?
      The host organization has positioned the information system or application in a public location (e.g., a kiosk in the welcome area of a hospital wing that lacks strict visitor control), which is distinct from a person using their own laptop to access their online bank account from a coffee shop.
    • Connects with or exchanges data with a Health Information Exchange (HIE)
      Connects with or otherwise conducts transactions with or through an HIE, where a transaction is defined as the electronic movement of health-related information among organizations according to nationally recognized standards, e.g., X12 EDI or HL7.
    • Number of interfaces to other systems
      The number of interconnections (whether or not persistent) a system or application has with other systems, regardless of location, for the purpose of sharing data where the responsibility for security control lies outside the boundary of the existing system (whether with another part of the same organization or a third party).
    • Number of users of the system(s)
      The number of users that have access to an information system, application, or service.
    • Number of transactions per day
      The average number of transactions per day (i.e., in a 24-hour period), computed annually, where a transaction is defined as a discrete event between a user and a system that supports a business or programmatic purpose. A digital system may have multiple categories or types of transactions, where risk would need to be evaluated and the response adjusted based on the degree to which a transaction happens within a discrete environment (e.g., entirely within a virtual server), internal to a segment or network domain (e.g., entirely within a company network), or routes externally (e.g., over leased lines, a VPN, or a public network). It should be noted that all online transactions are transactions, but not all transactions are online, and e-commerce exchanges fall within the scope of online transactions by definition.
    • Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?
      This question pertains to situations where users can connect to the organization's internal network from a remote/external network that is not controlled by the organization through the use of VPN, SSH proxy, telnet, or similar.
    • Are hardware tokens used as an authentication method within the scoped environment?
      Hardware tokens are physical devices that provide a one-time key or nonce (e.g., PIV card, USB dongle, or fob). Mobile apps, email, and similar applications used for two- or multi-factor authentication are not hardware tokens.
    • Does the organization allow personally-owned devices to connect to scoped organizational assets (i.e., BYOD - bring your own device)?
      Bring your own device (BYOD) includes any device outside of the organization's control that can be used to connect to organizational assets.
    • Are wireless access points in place at any of the organization's in-scope facilities?
      Wireless access points outside of the control of the organization, such as home and public wireless networks, are excluded from this factor.
    • Does the organization perform information systems development (either in-house or outsourced) for any scoped system, system service, or system component?
      Information systems development refers to the practice of creating, testing, constructing, and/or introducing new computer systems, including, but not limited to, application, interface, database, and application programming interface (API) development.
    • Does the organization allow the use of electronic signatures to provide legally binding consent within the scoped environment, e.g., simple or basic electronic signatures (SES), advanced electronic or digital signatures (AES), or qualified advanced electronic or digital signatures (QES)?
      The use of electronic signatures includes, but is not limited to, e-prescription.
  • Regulatory Factors
    • Subject to PCI Compliance
      Applicable when the scope of the assessment includes the processing (use, storage, transmission, etc.) of payment card ("credit card") information.
    • Subject to FISMA Compliance
      Generally applies to Federal Agencies; NIST SP 800-53 control requirements may also apply to Federal contractors if the contract specifies adherence to FISMA security requirements, NIST control requirements, and/or requires a System Security Plan (contact your contract's contracting officer representative, COR, for more information).
    • Subject to FTC Red Flags Rule
      Required if the organization, in the regular course of business, obtains or uses consumer reports in connection with a credit transaction, furnishes information to consumer reporting agencies in connection with a credit transaction, or advances funds to or on behalf of a person, in certain cases.
    • Subject to the State of Massachusetts Data Protection Act
      According to 201 CMR 17.01(2), the provisions of this regulation apply to all persons that own or license personal information about a resident of the Massachusetts Commonwealth.
    • Subject to the State of Nevada Security of Personal Information Requirements
      Applicable to "data collectors" in the State of Nevada, which according to Chapter 603.030 includes any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information (e.g., name, SSN, medical ID number; see NRS 603A.040).
    • Subject to the State of Texas Medical Records Privacy Act
      Applies to all "covered entities," which according to TX Health & Safety Code Title 2, Subtitle I, § 181.001(2) includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site in the State of Texas; or any person that (1) comes into possession of protected health information of a Texas resident; (2) obtains or stores protected health information of a Texas resident under this chapter; or (3) is an employee, agent, or contractor of an entity or person so described.
    • Subject to Joint Commission Accreditation
      Applies to many types of health care organizations, including hospitals, doctor offices, nursing homes, office-based surgery centers, behavioral health treatment facilities, and providers of home care services that are accredited by the Joint Commission or seek to become accredited by the Joint Commission.
    • Subject to CMS Minimum Security Requirements (High-Level Baseline)
      Generally applies to Federal Agencies; NIST SP 800-53 control requirements may also apply to Federal contractors if the contract specifies adherence to FISMA security requirements, NIST control requirements, and/or requires a System Security Plan (contact your contract's contracting officer representative, COR, for more information).
    • Subject to MARS-E Requirements
      Applies only to Health Insurance Exchanges (HIXs) and requires compliance with the Minimum Acceptable Risk Safeguards for Health Insurance Exchanges (MARS-E).
    • Subject to Federal Tax Information (FTI) Requirements (to include IRS Pub 1075 Compliance)
      Applies to recipient agencies, agents, or contractors of Federal Tax Information (FTI); generally applies to organizations that use personal tax information to determine benefits or subsidies (e.g., welfare agencies, Health Insurance Exchanges (HIXs)).
    • Subject to the State of California Civil Code § 1798.81.5(a)(1)
      Is intended to apply to any profit or non-profit organization located anywhere in the world that collects personal information about a California resident; supports the CA Attorney General's interpretation of "reasonable security" as, at a minimum, meeting the requirements specified in the Center for Internet Security (CIS) Critical Security Controls (CSC).
    • Subject to the HITRUST De-ID Framework Requirements
      Generally used to assess the protections afforded a de-identified data set in its intended use environment (e.g., processed, stored, transmitted) based on the criteria outlined in the HITRUST De-identification Framework.
    • Subject to EHNAC Accreditation
      Applies to organizations such as, but not limited to, electronic health networks, hospitals, physicians, financial services firms, state regulators, and vendors that are accredited or seeking to become accredited by the Electronic Healthcare Network Accreditation Commission (EHNAC).
    • Subject to DHS Cyber Resilience Review (CRR v2016)
      Applies to organizations that are evaluating the operational resilience and cybersecurity capabilities within Critical Infrastructure and Key Resources sectors, as well as State, Local, Tribal, and Territorial governments.
    • Subject to Federal Financial Institutions Examination Council (FFIEC) Banking Requirements
      Applicable to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations that must assess their level of information security risk and evaluate the adequacy of controls and applicable risk management practices.
    • Subject to FedRAMP Certification
      Applies to cloud providers that are required to obtain a security assessment from a third-party assessment organization (3PAO) to sell government cloud services to a federal agency; may also be used voluntarily by cloud service providers and other entities that use their services to demonstrate a minimum level of due care and due diligence.
    • Subject to 21 CFR Part 11
      Applies to records required for clinical investigations of medical products that are maintained in electronic format in place of paper format, including all records that are necessary for FDA to reconstruct a study; records required for clinical investigations of medical products that are maintained in electronic format and where the electronic record is relied on to perform regulated activities; records for clinical investigations submitted to FDA in electronic format under predicate rules, even if such records are not specifically identified in FDA regulations; and electronic signatures required for clinical investigations intended to be the equivalent of handwritten signatures, initials, and other general signings.
    • Subject to EU GDPR
      Applies to all organizations processing the personal data of data subjects residing in the European Union, regardless of the organization's location.
    • Subject to 23 NYCRR 500
      Applicable to all companies within the state of New York that are operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
    • Subject to HIPAA
      Applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
    • Subject to Singapore Personal Data Protection Act (PDPA)
      Applies to all organizations that collect, use, and disclose personal data in Singapore, and to all organizations collecting, using, or disclosing personal data from individuals in Singapore, whether or not the organization has a physical presence in Singapore.