We understand that pursuing HITRUST validation can seem daunting, but with the right approach and the right partners, it's entirely achievable.
Having worked in the cybersecurity industry for nearly 20 years, I've gained some key insights on a topic that's becoming increasingly important in the world of compliance: HITRUST assessments.
For many of you, PCI DSS compliance is a familiar landscape. But as data security demands evolve, especially in the healthcare sector, other frameworks like HITRUST are coming to the forefront. If you're wondering how HITRUST fits into an overall security posture, or if you're feeling a bit overwhelmed by the prospect of another complex assessment, you've come to the right place. We're going to break down the ins and outs of HITRUST validation, from readiness to certification and beyond.
About three years ago, I noticed a recurring challenge at our company: our clients were struggling with their readiness for HITRUST assessments. Unlike PCI, where some deficiencies can be rectified relatively quickly, HITRUST has very specific timelines for when controls must be in place. If an assessor finds a policy item is missing, it needs to have been in place for at least 60 days before the assessment. For systems and procedures, that window extends to 90 days.
This strict time frame means that if you're not adequately prepared before the formal assessment begins, any identified gaps can lead to corrective action plans (CAPs) in your final report, which isn't ideal. It’s like airing your dirty laundry for everyone to see. This realization drove us to identify a critical need: a dedicated readiness solution.
That's why having a dedicated readiness assessor is a game-changer. Readiness assessors go through the same rigorous training as HITRUST validation assessors; they focus on helping you get ready, rather than performing the final grading. They act as your advocate, helping you prepare, identify evidence, and even assisting with evidence collection. This close collaboration with a readiness assessor can make all the difference in navigating the complexities of HITRUST and ensuring a smoother, more successful validation.
Before you even begin the readiness process, you need to decide which HITRUST certification is right for your organization.
There are three main types, each with varying levels of scope and complexity:
The e1 assessment is the simplest of the three. It consists of 44 predetermined controls and focuses on basic security hygiene. This option might be suitable for organizations with less complex environments or those just starting their compliance journey. It can often be achieved in as little as four to five months, especially if you already have other certifications like SOC 2 in place. While it’s simple, remember that it primarily deals with implemented controls and doesn't delve deeply into policies and procedures.
The i1 assessment builds upon the e1, incorporating all 44 e1 controls and expanding to a total of 182 controls. This certification demonstrates a more robust security posture. The i1 typically takes longer, usually seven to nine months, though prior assessment experience can shave off some time. A key feature of the i1 is its two-year cycle, with a "rapid recertification" in year two. If there are no significant changes to your environment, roughly 40 of the 182 controls are reviewed, which can significantly reduce the effort and budget in the second year.
It's important to understand that the i1 ramps up the focus on policy and procedure, ensuring these are not just in place, but explicitly stated and implemented. If your policy "kinda talks about" something, it's not enough. HITRUST requires explicit statements. This is where a readiness assessor becomes invaluable, helping you ensure your policies meet the stringent evaluative criteria.
The r2 assessment is the most comprehensive and involved certification. It includes all 182 controls from the i1 and e1, then adds many more based on your organization's risk factors and specific regulatory requirements. The number of controls can range from the mid-200s to over 2,000, depending on factors like the number of records you handle, your cloud presence, and specific statutes you need to comply with (e.g., NIST 800-53, ISO, GDPR, Texas law, HIPAA).
To determine the exact number of controls for an r2, you'll need to purchase a subscription to HITRUST's portal, myCSF. Within myCSF, you'll answer a series of questions about your risk factors, which then tailors the assessment object to your specific needs. The r2 assessment typically takes around a year, sometimes a little less, because of the extensive nature of the controls and the 60- to 90-day incubation period for newly implemented items.
Once you've decided on your certification type and started the readiness journey, the next phase is the actual validation and quality assurance (QA) process.
After completing your readiness work and ensuring all controls have met their incubation periods, you'll upload information and self-grade each control within the myCSF portal. Once you're done, you submit it to a HITRUST assessor, like SecurityMetrics. We then review all your evidence and grade it independently. The beauty of working with a readiness assessor is that they can consult with us on how we interpret certain controls, ensuring you're aligned with our expectations before submission. This proactive approach significantly increases the likelihood of a smooth validation.
After our assessment, we submit everything to the HITRUST Alliance for their QA process. This is not the finish line! First, HITRUST conducts an automated review to ensure everything is in order and all questions are answered. Following that, a HITRUST reviewer will perform an in-depth review of a selection of your controls, sometimes asking for additional evidence or clarification. It's crucial to have your team available and responsive during this phase, as HITRUST has a very limited timeframe (typically around 10 days) for responses.
If any deficiencies are found during our assessment or HITRUST's QA, they may result in a Corrective Action Plan (CAP). A CAP details how you plan to address the identified gaps and will be included in your final report. While a CAP doesn't necessarily prevent you from achieving certification, it will be noted in your report. This is another strong argument for investing in thorough readiness – minimizing CAPs makes for a cleaner report.
It's also important to be aware of the fees involved. In addition to your assessor fees, you'll pay two separate fees directly to HITRUST Alliance: one for the annual myCSF subscription and another for reserving your QA slot. While my understanding is that there's no QA fee in year two for i1 and r2 rapid recertifications, you will still need to pay an assessor for the interim assessment.
Throughout the HITRUST journey, several factors can significantly impact your success and timeline:
You need to reserve a spot with HITRUST Alliance for their QA process well in advance. This date serves as a critical target, helping to motivate your team and ensure everything is completed on time. And having a firm deadline helps rally the troops. When choosing this date, consider your internal team's availability (avoid holidays!), your readiness assessor's timeline, and our availability as your validation assessor.
During your readiness assessment, you and your readiness assessor will identify any big pieces – significant changes or implementations needed to meet HITRUST controls. This could involve upgrading firewalls, implementing an IDS/IPS, or migrating systems to the cloud. These are not small undertakings and require careful planning, procurement, configuration, and testing. They also have to be fully functional and logging as intended, not just plugged in. Knowing about these early allows you to factor them into your timeline, preventing last-minute surprises.
Leadership buy-in is perhaps the most critical success factor for any compliance initiative. Without strong buy-in from leadership, it's incredibly challenging to drive the necessary organizational changes. Policies need to be updated, new procedures adopted, and teams across the organization need to understand and commit to their roles in achieving compliance. If leadership isn't pushing that message and ensuring resources are allocated, individual teams or even whole departments can struggle to implement the required changes.
Delaying your compliance efforts can lead to significant penalties. If you know HITRUST validation is in your future, don't put it off until the last minute. The timelines are strict, and rushing the process will only lead to more stress, potential deficiencies, and possibly missed deadlines. Get started early. Getting help at this stage means someone can walk you through the scope, identify potential complexities, and even suggest ways to make the process more manageable.
One of the common concerns we hear from clients is the ongoing commitment required to maintain compliance, especially with the interim assessments in year two. You have to keep up with the implemented policies and procedures. It's easy to get everything in place for the initial assessment and then, over the next year, lose focus.
This is where continuous assurance becomes incredibly valuable. SecurityMetrics’ partner, Privaxi, offers a Continuous Assurance Management Program (CAMP). For a small number of hours each month, they provide ongoing assistance to ensure your security controls remain in place and effective. This can include:
This kind of outsourced readiness help is a fantastic solution for companies, especially smaller ones, that may not have the dedicated in-house staff to manage ongoing compliance. It's often more cost-effective than hiring a full-time employee, reducing the overhead associated with new hires. All outsourced resources are USA-based, ensuring seamless communication and understanding.
We understand that pursuing HITRUST validation can seem daunting. With potentially hundreds or even thousands of controls, it's a significant undertaking. However, with the right approach and the right partners, it's entirely achievable.
The solution SecurityMetrics offers includes an outsourced readiness assessor, which dramatically reduces your internal time commitment. You're looking at one to three hours a week working with the readiness assessor, who will handle much of the heavy lifting, including policy writing, technology advice, and even evidence collection.
Remember, the timeline for certification varies: an e1 can often be achieved in four to five months, an i1 typically takes seven to nine months, and an r2 usually takes around a year.
These timelines, however, rely on your consistent engagement.
If you're still weighing your options or need to build a case for HITRUST within your organization, consider these steps:
Ultimately, our goal is to help you achieve your compliance objectives, whether it's HITRUST, PCI, or another framework. We're here to answer your questions, provide guidance, and partner with you every step of the way.