What is HITRUST?
HITRUST was founded in 2007. The HITRUST Alliance developed the “HITRUST approach” to help organizations from all sectors–and especially healthcare–effectively manage data, information risk, and compliance.
HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance to HIPAA requirements based on a standardized framework. HITRUST certification is achieved through working with a HITRUST-certified assessor (CCSFP).
HITRUST was created to help secure the healthcare sector in a risk-based manner through task management across a matrix of third-party assurance assessments, with the hope of consolidating, reducing, and in some cases, eliminating the need for multiple reports.
HITRUST refers to its consolidated security design as “assess once, report many.”
What are the HITRUST requirements?
Specific HITRUST requirements are available through HITRUST’s MyCSF portal and will include various implementations of foundational security measures and controls depending on your organization and the type of HITRUST assessment you are performing. Assessments are built using a risk-based security and privacy controls framework, which corresponds to 46 authoritative sources.
HITRUST is a risk-based approach to organizational security–as opposed to a compliance-based approach. However, the HITRUST CSF assurance program combines aspects from common security frameworks like ISO, NIST, PCI DSS, and HIPAA. HITRUST supports compliance with major security frameworks. Your personal assessment(s) will be created using a risk-based security and privacy controls framework which draws from 46 authoritative data security sources. As an example, the following graphic shows how HITRUST specifically provides a foundation for the NIST framework implementation.
Between the CSF’s 19 reporting domains are 149 control specifications, which can each be assessed to one of three implementation levels.
Read about the HITRUST Common Security Framework here.
3 steps to becoming HITRUST Certified
When becoming HITRUST certified, your specific tasks and security controls will depend on your organization type, size, and the kinds of data you handle.
Download the HITRUST CSF Preparation Checklist here.
Scope your organization
Nearly all assessments begin with scoping. It is crucial to understand what you are assessing and why. HITRUST covers the protection of many types of data, so a thorough scope is recommended. A certified security assessor will be helpful at this stage.
First, define and classify any protected information your company obtains or generates. This includes information such as:
- Personally Identifiable Information (PII) such as name, address, phone, email, or photos
- Demographic information such as race, age, sex, or orientation
- Medical records
- Billing and payment information
- Any other ther sensitive data that falls under protected health information (PHI)
You will then need to map your data flow, a step that will include asking a list of data flow questions to different department heads throughout your organization. There are tools and programs available to help you map your data flow as well as diagram your network.
Determine HITRUST assessment type(s), remediate, and prepare for final Validation Assessment
Talk to your security assessor about setting up a MyCSF Portal. This is the portal where you and your assessor will keep track of your HITRUST certification steps and submit your security control evidence.
Some or all of the following assessments may be used throughout the HITRUST Certification process:
HITRUST CSF Readiness Assessment
The Readiness Assessment is a self-assessment tool to help organizations identify security gaps and get ready for the Validated Assessment. Ultimately, the Readiness Assessment is intended to bring your security posture to a position that will result in the success of your Validated Assessment so you can receive HITRUST Certification. You don’t need an outside assessor for the Readiness Assessment, but it can be helpful to consult with one. After completing the Readiness Assessment, you will receive a HITRUST CSF Readiness Assessment Report.
HITRUST CSF Validated Assessment
The HITRUST CSF Validated Assessment needs to be performed by an Authorized External Assessor organization. After your assessor helps you submit evidence of security controls to HITRUST, you will receive a HITRUST CSF Validated Assessment Report. According to the report, if your organization meets CSF Certification standards, your HITRUST Certification will be issued. If you do not meet the HITRUST Certification standards, consult with your HITRUST Assessor (CCSFP).
HITRUST CSF Certifications are valid for two years and require an Interim Assessment after one year.
Work with an assessor for HITRUST validation and certification
After thorough scoping and readiness assessments, your CCSFP assessor will conduct the security assessment of your location(s) and work closely with you throughout the certification process.
The bulk of the work for a HITRUST Assessment will come before submission of evidence.
Learn about the difference between HITRUST and HIPAA.
Maintain HITRUST Certification
Healthcare remains a major target of cybercriminals due to the high value of protected health information–both to cybercriminals and to healthcare providers. The HITRUST Alliance requires that a formal HITRUST Validation Assessment be performed every two years, but it is critical to maintain good security hygiene at any organization throughout the year. This goal is best achieved through the right testing (vulnerability scanning, penetration testing), as well as continuous internal security awareness training and external security consulting.
HITRUST offers the following assessments to help maintain HITRUST Certification and protect your organization’s data:
HITRUST CSF Interim Assessment
The Interim Assessment must be completed one year after HITRUST Certification. It contains originally assessed controls, any security updates or changes, and any needed remediation plans. This assessment should be completed by an External Assessor.
HITRUST Bridge Assessment
In the event that an organization cannot achieve HITRUST Certification within the required time frame, a Bridge Assessment may be performed to extend certified status for 90 days beyond the validated assessment due date.
Find a HITRUST CSF Assessor
Certified HITRUST Assessors are known as Certified Common Security Framework Practitioners (CCSFP). SecurityMetrics CCSFP Assessors SecurityMetrics assessors make the HITRUST process simple by breaking steps into actionable pieces, so you won’t feel overwhelmed.
An assigned project coordinator works with you and the SecurityMetrics assessors, keeping everyone involved organized and on track. The HITRUST process can be complex, SecurityMetrics assessors are committed to helping you reach your important deadlines.