
TRANSITIONING FROM

HITRUST for HIPAA to NIST

A drive for efficiency, year-over-year cost savings, lower complexity, TCO, while driving HIPAA compliance

that for every provider and partner.

Why Move to NIST CSF 2.0?

Hospitals and other healthcare facilities are increasingly moving away from HITRUST and adopting NIST CSF 2.0 for numerous reasons: the updated NIST CSF 2.0 framework offers greater flexibility, a broader approach to cyber risk management, and a common language for both technical and executive stakeholders across the organization. Additionally, many hospitals find that NIST CSF 2.0 enables streamlined reporting, aligns the business with evolving regulatory expectations, supports lower cyber insurance premiums, and can significantly reduce the cost of becoming and remaining compliant with HIPAA/HITECH and other federal, state, and industry regulatory mandates.

 

Increasingly, industry data suggest that using a risk and governance-centric framework, such as NIST CSF 2.0, combined with HITRUST as the Informative Reference¹ (Appendix), used to define controls and outcomes, can streamline compliance efforts and potentially reduce overall audit preparation costs by 30-50%. The following table illustrates the overall differences between NIST CSF 2.0 and HITRUST:

¹The NIST CSF 2.0 Informative Reference document is part of the overall NIST CSF 2.0 implementation process and is defined as a detailed catalog of specific sections from one or more cybersecurity standards, guidelines, and practices that provide guidance for implementing the outcomes described in the CSF Core's Subcategories.

Why Perform a NIST CSF 2.0 Assessment for Healthcare?

Healthcare organizations face unique pressures related to compliance, risk management, and cyber resiliency. NIST CSF 2.0 introduces essential updates for governance, supply chain security, and incident response that can be tailored to healthcare environments.

 

Furthermore, NIST CSF 2.0 provides a more generalized, risk and governance-focused framework that applies not only to healthcare but also across most market verticals. NIST CSF 2.0 focuses on offering guidelines and standards that can be tailored to an organization’s specific needs, making it a highly flexible option for cybersecurity management.

Enhancing NIST CSF 2.0 with HITRUST

HITRUST’s framework harmonizes controls from dozens of standards (including HIPAA and NIST SP 800-53), offering prescriptive requirements and frequent updates. Using HITRUST controls mapped to NIST CSF 2.0 via NIST’s Informative References simplifies compliance and reporting, and avoids redundant work for organizations already using HITRUST assessments.

Core Insights’ Security Assessment Approach

1. Define Scope and Objectives

  • Establish assessment boundaries: Select the systems, vendors, or business units relevant to healthcare operations.

  • Align to CSF Functions: Map in-scope activities to the NIST CSF 2.0 Functions and Categories (Govern, Identify, Protect, Detect, Respond, Recover).

  • Document assumptions and risk tolerances: Include constraints, inventory status, and critical priorities.

2. Control Mapping and Crosswalks

  • Utilize the NIST CSF 2.0-HITRUST Crosswalk: Cross-reference NIST CSF 2.0 Core Categories and Subcategories with HITRUST controls using the authoritative crosswalk documentation.

  • Create the Current Profile for the assessment scope: Use the HITRUST controls as the Informative References entered into the Current Profile, and prepare the assessment materials based on the Current Profile.

  • Deploy HITRUST controls: Launch questionnaires or review policies and practices mapped to CSF Subcategories.

  • Evidence gathering: Require supporting documentation for each NIST CSF 2.0/HITRUST control (e.g., screenshots, policies, logs).

3. Assessment and Scoring

  • Score control implementation: Classify each control as Met, Not Met, or Not Applicable.

  • Generate risk statements: For unmet controls, use standardized cause–event–impact language for clarity and traceability.

  • Update risk register: Capture issues and gaps, linked directly to CSF Subcategories and HITRUST control references.

4. Communicate Findings and Report

  • Create a CSF Target Profile: Build the Target Profile summarizing evidence and compliance status. Use the crosswalk document to map HITRUST controls to the NIST CSF 2.0 Subcategories in the Target Profile document.

  • Document Tier justification: Provide the rationale for CSF Implementation Tiers using governance and operational evidence.

  • Share actionable insights: Present detailed operational findings and executive summaries for leadership decisions.
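The mapping and scoring steps above (crosswalk, Current Profile, evidence requirement, Met/Not Met scoring, cause–event–impact statements, and a risk register traceable to both CSF Subcategories and HITRUST references) can be carried out with a small script. The following is an added example written for this page; it is not Core Insights' tooling or a NIST or HITRUST artifact. The CSF 2.0 Subcategory IDs (GV.OC-01, PR.AA-01, DE.CM-01) are real identifiers with paraphrased outcomes; the HT-* control references, the crosswalk, the assessment results and the rule that a control scored Met without supporting evidence counts as Not Met are all constructed assumptions for the example.

```python
"""Added example: derive a CSF 2.0 Current Profile and risk-register entries from a
HITRUST-to-CSF crosswalk plus per-control assessment results (constructed data)."""
from dataclasses import dataclass, field
from enum import Enum


class Status(str, Enum):
    MET = "Met"
    NOT_MET = "Not Met"
    NA = "Not Applicable"


@dataclass
class ControlResult:
    """Score for one HITRUST control plus the evidence that supports the score."""
    control_id: str
    status: Status
    evidence: list[str] = field(default_factory=list)  # policies, screenshots, log exports
    cause: str = ""   # cause / event / impact are filled in for Not Met controls
    event: str = ""
    impact: str = ""


# Constructed crosswalk: CSF 2.0 Subcategory -> HITRUST control references.
# Subcategory IDs are real CSF 2.0 identifiers; HT-* IDs are placeholders, not
# actual HITRUST CSF control numbers.
CROSSWALK = {
    "GV.OC-01": ["HT-GOV-01"],             # mission understood, informs risk management
    "PR.AA-01": ["HT-AC-01", "HT-AC-02"],  # identities and credentials are managed
    "DE.CM-01": ["HT-MON-01", "HT-MON-02"],  # networks monitored for adverse events
}

# Constructed assessment results for the crosswalked controls.
SAMPLE_RESULTS = [
    ControlResult("HT-GOV-01", Status.MET, ["Information Security Charter v3"]),
    ControlResult("HT-AC-01", Status.MET, ["IdP MFA policy screenshot"]),
    ControlResult("HT-AC-02", Status.NOT_MET,
                  cause="shared service accounts have no named owner",
                  event="accounts are not disabled when staff leave",
                  impact="unauthorized access to ePHI"),
    ControlResult("HT-MON-01", Status.MET),  # scored Met, but no evidence supplied
    ControlResult("HT-MON-02", Status.NA, ["Scope memo: no wireless guest network"]),
]


def effective_status(result):
    """Evidence rule (assumption): Met without supporting documentation is Not Met."""
    if result.status is Status.MET and not result.evidence:
        return Status.NOT_MET
    return result.status


def rollup(statuses):
    """A Subcategory is Met only when every applicable mapped control is Met."""
    applicable = [s for s in statuses if s is not Status.NA]
    if not applicable:
        return Status.NA
    return Status.MET if all(s is Status.MET for s in applicable) else Status.NOT_MET


def build_current_profile(crosswalk, results):
    """Current Profile: one status per CSF Subcategory, derived from HITRUST scores.
    A crosswalked control with no recorded result is treated as Not Met."""
    by_id = {r.control_id: r for r in results}
    profile = {}
    for subcat, refs in crosswalk.items():
        statuses = [effective_status(by_id[ref]) if ref in by_id else Status.NOT_MET
                    for ref in refs]
        profile[subcat] = rollup(statuses)
    return profile


def risk_statement(r):
    """Standardized cause-event-impact wording for an unmet control."""
    return f"Because {r.cause} (cause), {r.event} (event), resulting in {r.impact} (impact)."


def build_risk_register(crosswalk, results):
    """Register entries for every gap, each traceable to the CSF Subcategory and
    the HITRUST references it came from. Entries are numbered in crosswalk order."""
    by_id = {r.control_id: r for r in results}
    register = []
    for subcat, refs in crosswalk.items():
        for ref in refs:
            r = by_id.get(ref)
            if r is None:
                finding, statement = "No assessment result recorded for crosswalked control", ""
            elif r.status is Status.MET and not r.evidence:
                finding, statement = "Scored Met but no supporting evidence supplied", ""
            elif r.status is Status.NOT_MET:
                finding, statement = "Control not met", risk_statement(r)
            else:
                continue
            register.append({"risk_id": f"R-{len(register) + 1:03d}",
                             "csf_subcategory": subcat, "hitrust_refs": refs,
                             "control": ref, "finding": finding,
                             "risk_statement": statement})
    return register


if __name__ == "__main__":
    for subcat, status in build_current_profile(CROSSWALK, SAMPLE_RESULTS).items():
        print(f"{subcat}: {status.value}")
    for entry in build_risk_register(CROSSWALK, SAMPLE_RESULTS):
        print(entry["risk_id"], entry["csf_subcategory"], entry["control"], "-", entry["finding"])
```

Two design points matter for an audit-ready profile: the rollup is conservative (one unmet applicable control makes the whole Subcategory Not Met, so the profile never overstates coverage), and an unsupported Met score is surfaced as its own register entry rather than silently accepted, which is what the evidence-gathering step above requires.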

Continuous Improvement and Compliance Integration, leveraging Core Insights' CaaS (Compliance as a Service)

Iterative Reassessment

Schedule regular follow-ups to verify remediation actions and update CSF/HITRUST mapping.

Stay Current with Framework Updates

Leverage HITRUST’s frequent control refreshes to maintain cybersecurity posture maturity. Maintain evidence collection.

Unified Audits and Reporting

Produce audit-ready, NIST-mapped, and stakeholder-friendly compliance documents in less time.

This approach helps healthcare facilities efficiently manage compliance, demonstrate cyber resilience, and align risk management processes with evolving regulatory expectations using both the NIST CSF 2.0 and HITRUST frameworks.

Core Insights has extensive experience in healthcare assessment and compliance, utilizing both NIST CSF 2.0 and HITRUST. Since 2019, our consultants have successfully completed multiple NIST CSF 2.0/HITRUST compliance migration engagements with a variety of healthcare organizations, ranging from small regional hospitals to extensive county-wide healthcare providers with hundreds of locations and a complex, extensive data and systems ecosystem. In addition, our Compliance-as-a-Service (CaaS) program for healthcare compliance is designed to function effectively across multiple frameworks, including HITRUST and NIST CSF 2.0.

 

Each Core Insights Principal Consultant has individual experience ranging from 24 to 47 years. We service every industry vertical except Entertainment.

CORE
INSIGHTS

NIST CSF 2.0 Informative References

Overview and Utilization

What Are Informative References?

 

NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) Informative References are authoritative sources, including standards, guidelines, and regulations from NIST and other organizations, that map to the Framework’s Functions, Categories, and Subcategories. They provide detailed guidance on achieving the desired cybersecurity outcomes described in the NIST CSF 2.0 Core by illustrating how existing controls or best practices from other frameworks address specific CSF outcomes.

 

Examples include mapping to NIST SP 800-53, ISO/IEC 27001, CIS Controls, HITRUST, sector-specific regulations, and other established frameworks, standards, and policies.

 

Informative References are curated, non-prescriptive pointers and are updated online separately from the NIST CSF 2.0 Core, ensuring ongoing relevance.

 

How Are Informative References Used?

 

Organizations use Informative References to:

​

  • Implement Outcomes: Translate high-level CSF outcomes into practical, actionable steps by consulting mapped controls, requirements, and guidelines.

  • Facilitate Compliance: Align internal security and risk management programs with multiple standards by leveraging connections between CSF and other frameworks.

  • Support Assessments: Reference established controls in audits, assessments, gap analyses, and implementation plans to ensure comprehensive coverage and avoid duplication.

  • Enhance Customization: Select references most relevant to their regulatory environment, sector, or technology footprint, and adapt the CSF to unique organizational contexts.

 

Practical Example:

If the CSF outcome is "Monitor and detect anomalous events," Informative References may point to NIST SP 800-53 AU-6 (audit logs), ISO/IEC 27001 section on monitoring, and CIS Controls for audit log management. Organizations can use these mapped resources to implement the specific processes needed to realize the CSF outcome.

 

Key Points

​

  • Informative References are a flexible toolkit, not a mandatory checklist—organizations select those most useful for their needs.

  • Mappings are kept current via NIST’s Online Informative Reference Repository, allowing organizations to access the latest connections between the CSF and other standards.

  • Online resources, including downloadable comparison reports and selection tools, are available to support implementation and crosswalking efforts. Additional information about Informative References and the crosswalking efforts associated with them can be found at NIST’s National Online Informative References Program (OLIR).

For Limited Use with Authorization www.coreinsightsintl.com

 

The following table presents an example of the Informative References document prepared by NIST to illustrate the flexibility of NIST CSF 2.0 across multiple security frameworks.

The NIST Cybersecurity Framework 2.0