The Health Information Trust Alliance (HITRUST) is a non-profit organization dedicated to enhancing data protection standards and certification programs to assist organizations in safeguarding sensitive information, managing information risk, and achieving their compliance objectives.
HITRUST distinguishes itself from other compliance frameworks by integrating multiple authoritative sources, including HIPAA, SOC 2, NIST, and ISO 27001. This approach harmonizes the requirements of various industry standards and best practices into a single set of controls. HITRUST also describes itself as the only standards development organization that offers a framework, an assessment platform, and an independent assurance program together. This combination has played a significant role in driving the adoption of HITRUST standards and practices across industries.
HITRUST developed the HITRUST Common Security Framework (CSF) as a comprehensive and measurable approach to the security risks associated with healthcare information and other sensitive data. The CSF gives organizations an objective, scorable framework for managing these risks. Achieving HITRUST CSF certification allows an organization to demonstrate that the specific systems within the assessment scope meet the requirements defined in the framework; it does not attest to systems outside that scope.
Validated assessments conducted by HITRUST Authorized External Assessors play a crucial role in this process. The assessor evaluates the organization's adherence to the CSF requirements and produces a detailed report, which HITRUST then reviews before issuing certification. These reports are valuable resources for organizations, providing insight into their current maturity levels and identifying areas for improvement. By acting on these reports, organizations can better understand their security posture and take appropriate measures to raise their overall security maturity.
Types of HITRUST Assessments
There are three types of HITRUST CSF Validated Assessments, each with its own benefits.
HITRUST Essentials, 1-Year (e1) Validated Assessment + Certification
Provides entry-level assurance focused on the most critical information security controls and demonstrates that essential cybersecurity hygiene is in place.
The e1 Assessment is a newer assessment type that HITRUST released in January 2023.
HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification
Provides a moderate level of assurance that addresses cybersecurity leading practices and a broader range of active cyber threats than the e1 Assessment.
HITRUST Risk-based, 2-Year (r2) Validated Assessment + Certification
Provides a high level of assurance based on a comprehensive, risk-based specification of controls, with an expanded approach to risk management and compliance evaluation.
Value of a HITRUST Certification
HITRUST Certification demonstrates that your organization is taking the most proactive approach to cybersecurity, data protection, and risk mitigation.
Delivers a competitive advantage to expand existing partnerships and earn new business – including speeding and strengthening RFP responses.
Offers added assurance that the controls protecting data networks and IT assets against intrusion and breaches are in place and operating as intended within the certified scope.
Demonstrates that your organization has a strong cybersecurity program in-place.
Provides a comprehensive Certification Report, which can reduce time and cost compared to completing proprietary questionnaires, multiple assessments, and single-use assurance reports.
Establishes a proactive culture across an organization indicating a collaborative team commitment to improving information security and privacy.
Provides justification for more favorable cyber insurance premiums.
HITRUST Certification Journey
1. Define Scope
2. Gap Assessment
3. Gap Remediation
4. Undergo a HITRUST CSF Assessment
5. Interim Assessment
Start by determining which systems and which security and privacy measures are in scope. Then evaluate yourself against the established approach, criteria and resources in the MyCSF tool, and perform a gap analysis and gap remediation on the recommended controls. Choose a HITRUST Authorized External Assessor to assist you in the process, and use MyCSF to streamline your preparation. HITRUST's Assurance team reviews the validated assessment and grants certification once a passing score is achieved.
For r2, certification is maintained every 2 years, with an r2 interim assessment completed at the 1-year mark. e1 and i1 certifications are maintained annually.
History of HITRUST
- HIPAA signed into law
- HIPAA Enforcement Rule introduced, requiring full compliance with the HIPAA Security and Privacy Rules
- HITRUST standard introduced
- Widely adopted control framework in the healthcare industry (HIMSS survey)
- HITRUST CSF version 9.6 released, with key changes to the requirements and procedures for the HITRUST i1 assessment
- HITRUST released the latest version of the HITRUST CSF, version 11
HITRUST was founded in 2007 to address the need for a standardized framework to manage information security and privacy risks in healthcare. They developed the HITRUST CSF, integrating multiple standards and regulations into a comprehensive system. The CSF enables organizations to assess and manage their risks effectively. HITRUST also offers certification through third-party assessments. Their efforts have led to widespread adoption and recognition in data protection standards and compliance programs.
Since 2007, HITRUST has been architecting and implementing a comprehensive and fully integrated approach to information risk management and compliance assessment and reporting that provides a level of transparency, scalability, consistency, accuracy, integrity, and efficiency simply not obtainable through other approaches and/or assurance report mechanisms. HITRUST’s unique and comprehensive approach to information risk management and compliance—The HITRUST Approach—addresses all of these criteria to provide the most robust assurance option available.
Who Must Comply with HITRUST?
Initially tailored for the healthcare sector, the HITRUST CSF underwent a significant transformation in 2019 when HITRUST made it industry agnostic. This update allowed organizations from any industry to pursue HITRUST certification, recognizing the universal need for robust information security and privacy management.
While not mandated by the Federal government, HITRUST Certification stands out as one of the most comprehensive frameworks available. It encompasses a wide range of standards, including HIPAA, SOC 2, NIST, ISO 27001, and more. The CSF’s mapping to these various standards enhances its credibility and demonstrates its ability to address multiple compliance requirements, further establishing it as a trusted framework for organizations striving for strong data protection practices.
The HITRUST e1 and i1 certifications are valid for one year. The r2 certification is valid for two years, provided the Interim Assessment is completed successfully and on time; a missed or failed interim assessment can end the certification early.
HITRUST certification should be treated as a continuous improvement and monitoring exercise rather than a static, one-and-done assessment, because the threat landscape is always evolving and so is the HITRUST CSF.
HITRUST provides three levels of assessment, each with a different degree of comprehensiveness, assurance, and effort. HITRUST updates the framework regularly; the latest major version at the time of writing is version 11, released in January 2023.
Here is the current number of requirement statements in each assessment for HITRUST CSF v11:
- e1 assessment = 44 requirement statements
- i1 assessment = 182 requirement statements (including the 44 from the e1)
- r2 assessment = 213 to 1200+ requirement statements, depending on the organization's scope and risk factors (this includes the 182 i1 requirement statements as a baseline)
The HITRUST CSF is a flexible and scalable security framework that is tailored to each organization's scope and risk factors, so the policies and procedures required will depend on what you bring into scope.
You must have policies and procedures in place that address all 19 HITRUST control domains, and your organization must receive a maturity score of at least 3 (on a scale of 1 to 5) in each control domain to earn HITRUST r2 certification. A single domain scoring below the threshold blocks certification, regardless of how strong the other domains are. The HITRUST CSF control domains are:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging and Monitoring
- Education, Training, and Awareness
- Third-Party Assurance
- Incident Management
- Business Continuity and Disaster Recovery
- Risk Management
- Physical and Environmental Security
- Data Protection and Privacy