By reading this, you’ll learn about the fundamental aspects of HITRUST certification, as well as receive answers to frequently asked questions about HITRUST.
There are a number of security and compliance certifications your company can pursue, each covering a particular kind of data (e.g., PCI DSS for payment card data, HIPAA for protected health information). One of the broadest and most detailed is HITRUST. Achieving it can set your business apart and demonstrate a higher level of security assurance to partners and customers.
In this white paper, you’ll learn about the fundamental aspects of HITRUST certification and get answers to the questions organizations ask most often about HITRUST.
Let’s answer those questions so you can tackle HITRUST with confidence.
The HITRUST Common Security Framework (CSF) harmonizes controls from multiple security and privacy frameworks under one umbrella.
Like any robust security framework, HITRUST CSF helps reduce the risk of breaches and enhances early detection of potential threats, minimizing damage to your organization.
Organizations increasingly require HITRUST of their vendors to ensure robust protection of sensitive data, such as personally identifiable information (PII) and protected health information (PHI). This is especially true in the healthcare sector, where third parties routinely handle PHI on a covered entity’s behalf.
For example, groups like Health3PT accept HITRUST certification as a trusted way to manage third-party risk effectively.
Obtaining HITRUST certification demonstrates your organization’s commitment to maintaining a comprehensive set of security and privacy controls tailored to your business. It signals to your partners and business associates that you prioritize data protection and have taken necessary steps to reduce risk.
Many organizations face the challenge of addressing multiple assessments, and HITRUST is beneficial as it maps to various other frameworks. However, despite its importance, many hesitate to pursue HITRUST certification due to limited resources and often only do so when required.
Large organizations in the healthcare sector often require HITRUST validation of their business associates and service providers to achieve assurance that these partners are committed to security and are taking necessary measures to secure the data entrusted to them.
HITRUST offers three assessment types (e1, i1, and r2), each with a different set of controls.
The e1 and i1 are built from a preset set of requirements. The r2 incorporates all of the controls contained in the e1 and i1 and then adds further controls, which are selected by the factoring exercise you complete in the MyCSF portal. For that reason, a detailed analysis of your company’s attributes is required before starting an r2 in order to determine its scope.
The factoring exercise is a questionnaire about your business’ functions and scope, together with a selection of the regulatory and industry standards you wish to include in the assessment (e.g., State of Texas, HIPAA, FedRAMP). The r2 is intended for organizations seeking the highest level of security assurance.
Choosing the right certification depends on your business needs, risk appetite, and level of maturity. Budget and resources also play a significant role in determining the necessary controls. Understanding your risk level and limitations is crucial in making the right choice.
The timing of your deliverable requirements may also inform which of the three assessment types is appropriate.
As far as cost goes, a MyCSF portal subscription typically runs between $16,000 and $18,000 per year, with discounts available for multi-year agreements. Additional fees apply for HITRUST’s own quality assurance (QA) review of each submission.
If you’re interested in a simplified way to start your HITRUST assessment process, check out our HITRUST Preparedness Calculator. It’s one of the best ways to see where you stand, which assessment type you need, and what to do next.
1. Scoping:
2. Technology and Documentation Preparation:
3. Evidence Gathering:
4. Timeline Estimation:
5. Validation Setup:
6. Validation and QA Review:
7. Remote Validation:
This structured approach helps ensure that the readiness assessment is comprehensive and on track for a successful HITRUST certification.
After analyzing your data, assets, and network flows, you’ll identify which of the 19 HITRUST domains and their associated controls apply to your environment. For an r2 assessment this typically results in around 270 requirement statements. Documenting this analysis is crucial, because you will present it to your HITRUST assessor, such as SecurityMetrics.
If part of your environment is hosted in the cloud, a key advantage is that you can inherit some controls from a provider that has already completed its own HITRUST assessment, such as AWS, Azure, or other HITRUST-certified cloud services, through HITRUST’s inheritance program. This inheritance can significantly reduce your burden. Be aware, though, that inheritance covers only the controls the provider operates; anything on your side of the shared responsibility line, such as identity and access configuration, encryption key management, and your own logging and monitoring, remains yours to implement and evidence.
In order to determine your scope and apply the correct controls, you’ll need to understand your data flow, identify the systems it interacts with, and document everything. During the readiness preparation, new areas may be discovered that need to be added to the scope.
Defining your scope is critical when trying to get HITRUST certification. It’s essential to narrow down your focus and determine what you can realistically manage.
Given the potentially high cost and lengthy process, especially for large organizations, it’s vital to manage your scope carefully to avoid overwhelming yourself. During factoring, you’ll answer a series of risk-based questions about your environment (for example, about the volume and types of sensitive data you hold and how it is accessed).
With the r2 assessment type, the more affirmative answers you give, the more controls you’ll need to address to mitigate the corresponding risks. Generally, it’s advisable to start simple and gradually expand your scope.
Preparing for a HITRUST assessment can require significant time and effort, especially if you're managing it alone, potentially demanding several hours of work per week.
Many organizations find it challenging to balance this with their daily operations, which is why SecurityMetrics partners with Privaxi to offer you comprehensive support.
Privaxi acts as an extension of your team, managing the entire process from gap analysis to evidence gathering. They break down the HITRUST domains, cross-reference existing frameworks like PCI or ISO 27001, and assist with technical configurations for platforms like AWS and Azure. They also help develop and tailor policies and procedures to your organization’s needs.
By leveraging their expertise, organizations can focus on daily operations while ensuring readiness for validation with less strain on internal resources.
Once all information and evidence are uploaded, and self-assessment is complete, the assessor will review everything before submitting it to HITRUST.
It’s important to note that any new systems or processes must have been in place for 90 days (60 days for policies and procedures) before HITRUST will consider them for scoring. This is a crucial detail: submitting a freshly implemented control before it has accumulated that operating history can lead to rejection of the evidence.
The process includes a thorough documentation review, and if any issues arise, HITRUST may request revisions. Once everything is satisfactory, a draft report is submitted for client approval. If approved, HITRUST issues the official certification report.
The timeline for certification depends on the assessment type and your organization’s complexity; an e1 is generally the quickest path, and an r2 the longest.
Internal deadlines and the organizational environment will play a significant role in determining the most suitable approach.
Start by addressing the technology requirements, since HITRUST mandates a 90-day incubation period for a technology to be operational before it can be validated. For example, you can’t install a firewall and submit it as evidence the next day; it must have been in place for at least 90 days, and the evidence you collect (configurations, change tickets, logs) should show that operating history.
Next, focus on policies and procedures, which require a 60-day incubation period. By tackling these early, you ensure they meet the timeframe requirements while freeing up time to work on other framework areas.
Using a predefined list of requirements can help streamline this process and keep you ahead of deadlines.
The MyCSF portal is where you’ll engage in the HITRUST validation assessment. When you’re serious about this process, you’ll need to subscribe and schedule an assessment with the HITRUST Alliance. However, you can review your controls with an assessor before making any commitments.
If you’re new to this process, SecurityMetrics can guide you through the initial steps before you decide on your scope or the type of assessment you need.
Ultimately, you’ll need to purchase access to HITRUST’s MyCSF Portal and work with experts on the readiness side to ensure all necessary policies and procedures are implemented.
You must upload evidence in the portal showing that each required control is fulfilled, and score yourself against each requirement; HITRUST’s scoring guidance is available in its documentation. For the r2, scoring follows a maturity model (policy, procedure, implemented, and optionally measured and managed), so a control that is implemented but undocumented, or documented but not actually operating, scores lower than one that is both.
Once self-assessment is complete, your assessor (such as SecurityMetrics) will review and validate the information before final submission.
After identifying your controls, the preparation phase begins, focusing on readiness and remediation. During this phase, you’ll break down each domain, assess your current status, leverage existing work, and conduct a gap analysis to identify and address any deficiencies.
Privaxi and SecurityMetrics work together with security engineers and compliance teams to identify gaps and integrate necessary changes throughout the program’s lifecycle.
With the added service of HITRUST readiness and remediation provided by Privaxi, much of the work inside the MyCSF portal can be carried out by Privaxi, sparing you many of the tasks you would normally have to shoulder yourself. For example, Privaxi can help with evidence collection, evidence scoring, and policy and procedure writing, as well as many other HITRUST certification preparation tasks.
Because we manage all aspects of HITRUST, from scoping to validation, SecurityMetrics and Privaxi help secure your business while maintaining real-time visibility into your operations. Our expertise in AWS, Azure, Google Cloud, and on-premises environments allows us to tailor strategies that meet your compliance needs and prepare your company for future challenges.
Additionally, throughout the process, collaboration tools like Asana, Microsoft Teams, Slack, and OneDrive are used to ensure smooth collaboration and communication between teams.
Yes, there is flexibility; you aren’t locked into any one assessment type.
You can start with an e1 and move to an i1 or r2 in subsequent years. Additionally, both the i1 and r2 can operate on a two-year cycle, with the second year involving a reduced-scope assessment that lowers cost and effort.
Yes. Because HITRUST already maps its requirements to other frameworks, the work done for HITRUST certification gives you a head start on additional certifications and attestations.
HITRUST’s comprehensive nature, and the fact that it addresses a broad range of cybersecurity, privacy, and risk management domains, means it provides a strong foundation for achieving a variety of other certifications.
HITRUST integrates elements from frameworks such as NIST, ISO, PCI, and HIPAA. Where a framework like NIST SP 800-53 provides a catalog of controls, HITRUST combines controls from many sources into one set of requirements spanning cybersecurity, privacy, and risk management. It also requires more thorough documentation and evidence collection: having written policies and procedures, as you might rely on for a HIPAA audit, isn’t enough on its own; HITRUST demands detailed evidence that each requirement is actually implemented.
HITRUST is considered by some to be the gold standard in cybersecurity because of the depth and the customization required to meet its standards. Additionally, organizations can leverage prior efforts from other assessments (like SOC or PCI) through a mapping exercise, reducing redundancy in the process.
A readiness assessment is crucial before attempting HITRUST validation. It ensures your organization is fully prepared and that the foundational work is solid, making the validation process smoother.
After your assessor submits the assessment, HITRUST will review it and may ask for clarifications or corrections.
Once everything is finalized, HITRUST issues the certification report. Any requirements that scored below the certification threshold receive Corrective Action Plans (CAPs) in that report, which must be remediated on a defined timeline before or during the next assessment cycle.
Remember, certifications require ongoing maintenance; they are not a one-time effort. You’ll need to maintain compliance with specific control elements continuously.
Hackers don’t take breaks, and time is on their side. Staying vigilant with the support of SecurityMetrics and Privaxi helps protect your organization from evolving threats.
When staff leave during the HITRUST preparation process, it can be a significant disruption.
However, having HITRUST partners like Privaxi helps mitigate this issue by providing additional staffing support to ensure the project continues smoothly. Here’s how it works:
1. Staff Augmentation:
2. Full Spectrum of Support:
3. Continued Progress:
This approach ensures continuity and reduces the impact of staff turnover on the readiness and validation process.
If your organization undergoes significant changes after completing a HITRUST validation (such as changes in technology, processes, or business structure), those changes may bring new systems into scope or invalidate existing evidence, and you may need to update your assessment.
It's important to work closely with HITRUST in such situations to avoid missteps and ensure compliance with the standards. Consulting with HITRUST directly helps clarify what specific changes will trigger reassessments or additional validation.
HITRUST may have you asking a lot of questions, but security and compliance aren’t optional. They are critical to your organization’s success.
Arming yourself with the best protection and certifications will place you at a level above most other organizations. Getting HITRUST certified will allow you to proceed with confidence and peace of mind.
If you’re having trouble getting started, SecurityMetrics’ team of experts will be your guide through HITRUST. Partnering with the right people can make all the difference. If you’d like to learn more about our HITRUST services, chat with our team today.