Introducing the New HITRUST AI Security Assessment and Certification: Security Assurance for AI Providers

November 14, 2024 | AI, HITRUST

HITRUST recently announced a new assessment and certification designed to help organizations secure their artificial intelligence (AI) systems and build trust with stakeholders.

For organizations that produce or provide AI systems, the HITRUST AI Security Assessment is a comprehensive, threat-adaptive framework that provides assurance to customers that your AI-powered platforms and applications are secure. 

Here’s everything you need to know ahead of the framework’s formal release in December 2024:

A Comprehensive AI Security Assessment

Developed in collaboration with leaders in the AI space, the HITRUST AI Security Assessment and Certification includes up to 44 carefully selected, highly prescriptive controls that address risks and threats related to AI systems. These controls can be added to the core set of requirements for the e1, i1, or r2 assessment, depending on an organization’s level of risk and assurance needs, and cover areas such as:

  • AI security threat management
  • AI security governance and oversight
  • Development of AI software
  • Access to AI systems
  • Encryption of AI assets
  • AI system logging and monitoring
  • Documenting and inventorying AI systems
  • Sanitizing AI data, inputs, and outputs
  • Resilience of AI systems

Because securing AI systems is only one piece of a strong cybersecurity program, the HITRUST AI Security Assessment is not meant to be a standalone assessment. To get the full picture, organizations must also consider the security of supporting technologies as part of a HITRUST e1, i1, or r2 certification. 

For organizations that have already completed a HITRUST e1, i1, or r2 assessment, the AI Security Assessment is a seamless addition to your compliance program; however, organizations do not need to wait until a new certification cycle to begin the AI Security Assessment process. 

If the HITRUST AI Security Assessment is built on top of an e1 or i1—or a combined e1 and i1 assessment—it is known as an ai1. If built on top of an r2, it is called an ai2. Both options provide a means for organizations to proactively address questions and concerns over security and receive reliable reporting that can be shared with internal and external stakeholders.

The HITRUST AI Security Certification is valid for the same period of time as the underlying e1, i1, or r2 certification. This means e1 and i1 certifications are valid for one year, while r2 certifications are valid for two years, with an annual review in the interim.

A Step Beyond Existing Standards

Achieving HITRUST AI Security Certification allows businesses that provide AI products and services to demonstrate the highest level of AI security, risk management, and risk mitigation, which cannot be achieved with other standards alone.

For instance, ISO 42001 mandates controls for the establishment, implementation, and ongoing maintenance of an organization’s AI management system (AIMS)—a broad standard that encompasses many more risks than just cybersecurity. Contrastingly, the HITRUST AI Security Assessment outlines highly tailored controls, tools, and methodologies for implementing, testing, validating, and reporting on AI security in particular. The HITRUST AI Security Assessment is designed to be compatible with ISO 42001 while offering a more targeted, prescriptive cybersecurity standard for organizations that provide AI technologies, not just use them.

Other existing cybersecurity assurance frameworks, such as SOC 2 and PCI DSS, do not specifically cover AI. The HITRUST AI Security Assessment was created to fill that gap with a practical yet rigorous standard that is updated quarterly and built to adapt as threats emerge and evolve.

Achieving certification will allow your customers to feel confident about adopting your AI systems and show stakeholders that your organization prioritizes data security just as much as it prioritizes innovation. 

Other Options for AI-Powered Organizations

The announcement of HITRUST’s new AI Security Assessment and Certification comes on the heels of the release of the HITRUST Artificial Intelligence Risk Management (AI RM) Assessment, which offers a starting point for organizations that either use or provide AI systems to evaluate their AI risk management strategies.

While not a formal certification, the HITRUST AI RM Assessment examines more than 50 risk management controls and provides a professional AI Risk Management Insights Report to help organizations better understand their AI risk management stance and identify potential gaps.

As a HITRUST Authorized External Assessor, BARR Advisory is proud to support organizations across all sectors in their journeys to secure their AI systems and manage AI-related risks effectively. 

Contact us today to find out how these new frameworks for AI-powered businesses fit into your compliance strategy.
