← back to all posts
Security Standards· HITRUST CSF· 5 min read

HITRUST CSF, 310 controls in eight minutes

Eighty percent of a HITRUST assessment is evidence reconciliation. Almost all of it is preventable.

The HITRUST Common Security Framework is the de facto information-security standard for US healthcare. A CSF version-11 r2 assessment requires evidence on three hundred and ten controls. Each control wants a responsible owner, a test result, an attestation date, and supporting evidence at a specific point in time.

The math of a HITRUST assessment is brutal. Three hundred and ten controls. Twelve weeks. Three to four full-time equivalents. External assessor fees that start at fifty thousand dollars and climb. The catch is that eighty percent of the cost is evidence reconciliation — pulling evidence from fifteen different tools and presenting it to the assessor in the framework's expected format.

This is pure waste. The evidence exists. The control owners did the work. The tests ran. The problem is that nobody can answer "show me every control as of the assessment cutoff" in less than a sprint.

What the assessor actually needs

For each of the 310 controls, three facts:

  1. The control owner at the time.
  2. The test result and the date it ran.
  3. The evidence — the artifact that demonstrates the control fired.

If those facts live in your GRC platform, SharePoint, the EHR audit log, the IAM tool, the SIEM, the change-management system, and Confluence respectively, the answer is "eight weeks." If they live in one graph, the answer is "eight minutes."

The one-query reconstruction

MATCH (c:Control) AT RECORDED '2026-04-30T23:59:00Z'
WHERE c.framework = 'HITRUST-CSF-v11'
OPTIONAL MATCH (c)-[:OWNED_BY]->(o:Owner)
OPTIONAL MATCH (c)-[:LAST_TESTED]->(t:Test)
OPTIONAL MATCH (c)-[:HAS_EVIDENCE]->(e:Evidence)
RETURN c.id, o.name, t.result, t.ts, collect(e)

The GRC graph rolls back to the assessment cutoff. Every control in the framework. Every test result signed by the control owner. Every owner attestation timestamped. Every supporting evidence artifact attached. The 310-control evidence package, complete in eight minutes.

The evidence-integrity proof

The assessor's harder question is whether any control evidence was modified after the assessment cutoff. db.verifyAclChain from the cutoff date forward returns zero retroactive edits. If a single test result had been silently edited between assessment cutoff and today, the chain would name the broken link.

This matters. HITRUST scoring counts evidence quality — the assessor wants level-5 (mature, measured, tested) evidence. Cryptographic non-modification proof is the highest quality of evidence anyone produces.

The PHI access lineage

Then there's the lineage. Every PHI access during the assessment window connects to a role, a purpose, and the control that authorized it. Three hundred and twenty thousand accesses for a mid-sized hospital. All connected. All authorized. Zero orphan reads.

The PHI access proof is what closes the audit. If a single read couldn't be tied to an authorized role and a stated purpose, the assessor would flag it. The chain proves there are zero.

The HIPAA + HITRUST + state-privacy triple

While the assessment is in flight, a patient files a state genetic-privacy deletion request. HIPAA requires audit-log retention. HITRUST requires control-test evidence. The state privacy law demands deletion. Three frameworks, one graph, no broken laws — the crypto-shred makes the PHI unreadable, the audit metadata stays for HIPAA, the HITRUST evidence stays for the assessment.

The numbers

A twelve-week, $120,000 assessment becomes a three-week assessment. CISO doesn't need to add headcount. Two hundred and ninety-eight of three hundred and ten controls pass cleanly. The other twelve are in remediation with documented plans, all signed. The r2 certification, secured.

Live walkthrough on the HITRUST tab.

See it live

The walkthrough is narrated, 90 seconds.

The full flow, ending with the chain verification and the right-to-be-forgotten resolution. Pre-rendered, runs in any browser, doesn't need an engine.

Open the Security Standards walkthrough →