HITRUST CSF SOC 2 Attestation

The HITRUST CSF assurance program helps organizations understand and report their effectiveness against other standards and best-practice cybersecurity frameworks. E Com Security Solutions can assist you with the adoption of the HITRUST CSF as the foundation of your security and privacy compliance programme.

  • Manage risks and demonstrate the ability to secure PHI
  • Establish and maintain safeguards over the use and disclosure of PHI
  • Implement appropriate measures to detect and react to existing and emerging threats
  • Leverage the expertise of industry professionals who hold certifications such as CPA, QSA, ISO 27001 L.A., CISM, CISSP and CISA


The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is becoming the most widely adopted framework for the healthcare industry in the US. HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.

The HITRUST CSF rationalises relevant regulations and standards and provides a common framework specific to the healthcare industry for managing security risks. By applying a single, comprehensive and certifiable framework to harmonise multiple regulations, standards and best practices, organisations can achieve a single assessment that may be reported in multiple ways for an ‘assess once, report many’ approach.


Leveraging the HITRUST CSF® for SOC 2 Reporting

HITRUST worked with the American Institute of CPAs (AICPA) to develop and publish guidance to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance programs for SOC 2 reporting.

A SOC 2 examination is similar in structure and general approach to SOC 1 reporting, but it also allows the flexibility to incorporate HITRUST CSF control requirements, using them as the basis of your organization’s cybersecurity and information protection program. To support this approach, the AICPA’s Trust Services Criteria have been aligned to the HITRUST CSF, which provides standard and comparable requirements for use in SOC 2 reporting.