Everything You Need to Know About HITRUST Certification
Published 01/13/2023
Originally published by A-LIGN.
Written by Blaise Wabo, A-LIGN.
HITRUST is a standards organization focused on security, privacy and risk management. The organization developed the HITRUST CSF to provide healthcare organizations with a comprehensive security and privacy program. This program was specifically designed to help organizations manage compliance and reduce risk.
Although the HITRUST CSF has been around for more than a decade, many organizations still struggle with knowing if it’s the right certification for them.
Here’s what you need to know before your organization decides to complete a HITRUST assessment.
What is HITRUST?
The HITRUST CSF is a comprehensive, flexible, and certifiable security framework used by organizations across multiple industries to efficiently approach regulatory compliance and risk management.
This standard provides customers with confidence in knowing their data and confidential information are secure.
HITRUST vs. HIPAA: What’s the difference?
While HITRUST and HIPAA may seem similar on the surface, it is inaccurate to treat them as competing alternatives: one is a law, the other is a framework that can be used to demonstrate compliance with that law.
HITRUST CSF is a certifiable security and privacy framework with a list of prescriptive controls/requirements that can be used to demonstrate HIPAA compliance.
HIPAA, or the Health Insurance Portability and Accountability Act, is a U.S. law that details a set of safeguards covered entities and business associates must follow to protect protected health information (PHI).
That said, a more productive question to ask is “What is the best method for demonstrating HIPAA compliance within my organization?”
If you’d like to learn more about why you might choose the HITRUST CSF as a means to achieve HIPAA compliance, check out our blog post explaining the benefits of this approach.
Is HITRUST only for healthcare organizations?
The HITRUST CSF was originally designed specifically for the healthcare industry. However, in 2019, HITRUST made the CSF industry agnostic, enabling organizations in any industry to pursue the certification.
What are the benefits of HITRUST?
Many organizations choose to undergo a HITRUST assessment because of how the CSF:
- Helps satisfy requirements imposed by laws, regulators, customers and other third parties
- Accelerates revenue and market growth by differentiating your business from the competition
- Saves your organization time and money by leveraging a solid and scalable framework that includes multiple regulatory standards
- Unifies over 40 different regulatory requirements and recognized frameworks (such as ISO 27001, NIST SP 800-53, HIPAA, PCI DSS, etc.)
What Are the Types of HITRUST Assessments?
There are three types of HITRUST CSF Assessments, each with its own benefits: the HITRUST CSF bC Assessment, the HITRUST CSF i1 Assessment and the HITRUST CSF r2 Assessment. In January 2023, HITRUST will release a new product called the HITRUST CSF e1 Assessment. The e1 will be a cybersecurity essentials assessment with fewer than 50 control requirements, meant for low-risk organizations that want to be HITRUST certified, and it will provide a low level of assurance. More details on this new product will be shared in our upcoming blogs in early 2023.
HITRUST CSF Basic, Current-State (bC) Assessment
The HITRUST CSF bC Assessment is a self-assessment that focuses on good security hygiene controls in virtually any size organization. Its simple approach to evaluation makes it suitable for rapid and/or low assurance requirements.
While this assessment is the fastest to complete, it provides the lowest level of assurance. No validated report or certification comes from the bC Assessment; it simply results in a HITRUST-issued CSF Self-Assessment report.
This is not to say the bC Assessment lacks benefits. Cheaper than the other HITRUST assessments, the bC Assessment gives organizations a way to request good security hygiene assurances from the vendors they hire. For vendors that handle only small amounts of sensitive data, a stronger assessment may not be warranted; that decision should follow from your own risk assessment of the vendor rather than from the vendor's preference.
HITRUST CSF Implemented, 1-year (i1) Assessment
Launched in January 2022, the i1 Assessment is a new assessment that focuses on leading security practices with a more rigorous approach to evaluation than other existing assessments in the marketplace.
The i1 Assessment provides moderate assurance. Although an i1 Assessment will lead to a 1-year certification if all requirements are met, it does not have coverage for the 40+ regulatory factors in the HITRUST CSF.
HITRUST is making changes to the i1 Assessment as of January 2023. The new i1 Assessment will be based on the new CSF v11 (also coming out in January 2023) and will have fewer controls than the current i1 Assessment: approximately 180 control requirements in the new i1 Assessment vs. 219 in the existing one. The new i1 Assessment will also introduce a full certification in year 1 and, if certain requirements are met, a rapid recertification in year 2 instead of a full certification in year 2. More details on the new i1 Assessment will be shared in our upcoming blogs in early 2023.
HITRUST CSF Risk-based, 2-year (r2) Assessment
Formerly the CSF Validated Assessment, the r2 Assessment focuses on a comprehensive, risk-based specification of controls. It also takes a very rigorous approach to evaluation, which makes it suitable for high-assurance requirements. This certification is issued for two years. Worth noting is that an Interim Assessment must be completed at the one-year mark to keep the certification in force.
Although this assessment provides the highest assurance level certified by HITRUST, the completion process is costly and requires a high level of effort and resources.
If you’d like to learn more about the key differences between HITRUST i1 and HITRUST r2, read our blog post to learn about which assessment is best for your organization.
What is the HITRUST Assessment Process?
The HITRUST assessment process is composed of five steps:
- Step 1: Define Scope. During this stage, an organization either works with a third-party assessor or an internal subject matter expert to define scope and determine what type of HITRUST assessment to undergo.
- Step 2: Obtain Access to MyCSF portal. The organization (or the entity being assessed) contacts HITRUST to get access to the MyCSF portal. After receiving access, the organization should create their assessment object and engage an approved third-party assessor firm.
- Step 3: Complete a Gap Assessment/Self-Assessment. The assessor performs appropriate tests to understand the organization’s environment and the flow of data between systems, and then documents any gaps. The gap assessment also ranks gaps by risk level, allowing you to remediate them before the validated assessment begins.
- Step 4: Validated Assessment Testing. During the validated assessment (either the i1 or r2 Assessment) testing phase, assessors review and validate the client’s control scores, then submit the final assessment to HITRUST for approval. HITRUST then decides whether to approve or deny your organization’s certification. The HITRUST QA stage (before the certification is issued) can take anywhere from four to ten weeks, depending on the assessment and on how quickly the organization and its assessors respond to QA questions.
- Step 5: Interim Assessment Testing. If certification is obtained as part of the r2 Assessment, it is then required for an interim assessment to be conducted at the one-year mark in order to maintain certification. It is important to note that an interim assessment is not required if certification was obtained via the i1 Assessment.
To view a comprehensive, step-by-step guide to the HITRUST CSF Assessment process, download our HITRUST CSF Companion Guide.
What are the HITRUST Policies and Procedures?
The biggest challenge many organizations face in obtaining a HITRUST CSF certification is establishing policies and procedures that satisfy the HITRUST requirements. This is more of a challenge for r2 Assessments. It is important to note that some policies and procedures are still required to be tested in an i1 Assessment, even though the tests performed will be less rigorous than for the r2 Assessment.
HITRUST policies and procedures must be created, documented, and in place for at least 60 days prior to the validated assessment in order to achieve full compliance. Policies are established guidelines and rules an organization and its employees must follow in order to achieve a specific goal, whereas procedures are the documented steps for the organization in order to meet the defined policies.
For a full description of the specific policies and procedures organizations must follow to obtain HITRUST CSF certification, read our blog post on the subject here.
Why is it Important to Choose HITRUST-Compliant Vendors and Partners?
After your organization receives its HITRUST CSF certification, you should continue managing your risk by assessing any risk exposure from your third-party business partners.
With cybersecurity compliance constantly evolving as new threats emerge, strong security within your own organization counts for little if your third-party vendors are weak: a vendor that handles your data is an exposure vector into your organization, and its controls are effectively part of yours.
In fact, many large healthcare corporations, including Anthem, Health Care Services Corporation (HCSC), Highmark, Humana and UnitedHealth Group, sent a memo to most of their downstream vendors requiring them to achieve HITRUST certification. This was done to ensure the safe handling of all sensitive information across their supply chains.
When you select vendors, be sure to perform a risk assessment to ensure they have a risk mitigation strategy in place. This is the first step to ensure that they can protect the data you might share with them. Requesting a security compliance report, such as a HITRUST validated assessment report, a SOC 2 report, a PCI DSS Report on Compliance, or the results of a NIST SP 800-53-based assessment, is a good way to meet this objective; read the scope section of whatever report you receive, since a report that does not cover the systems that will process your data provides little assurance.
For more on how to properly vet HITRUST-compliant vendors, read our blog on the topic.
Can HITRUST Certification Also Satisfy Other Requirements?
In short, yes. HITRUST CSF certification draws from several major pre-existing frameworks to provide a complete, certifiable security standard. The nature of this foundation may simplify the steps an organization needs to take to satisfy other requirements.
Three of the major requirements HITRUST CSF certification can help satisfy include SOC 2, ISO 27001/NIST 800-53 and FedRAMP.
SOC 2
A SOC 2 report describes the internal controls at a service organization, providing users with management assertions, a description of both the system and the controls, tests and the results of the tests, and the independent service auditor’s report. Service organizations that provide services to other business entities commonly use SOC 2 reports.
HITRUST and the AICPA have developed a collaborative approach that aligns the AICPA’s Trust Services Criteria with the HITRUST CSF criteria. This converged reporting model makes HITRUST and SOC 2 complementary services: much of the evidence gathered for one can be reused for the other.
ISO 27001/NIST 800-53
The foundations of the HITRUST CSF were actually built upon ISO/IEC 27001 and NIST SP 800-53. However, ISO 27001 is not a control-compliance standard; it is a management/process model for the Information Security Management System (ISMS) that is assessed, and the specific controls selected are left to the organization’s own risk treatment.
Unlike the HITRUST CSF, NIST SP 800-53 does not address the specific needs of the healthcare industry. So while ISO 27001 and NIST SP 800-53 are both useful frameworks for demonstrating a security posture, neither is as prescriptive for healthcare as the HITRUST CSF.
Because HITRUST certification covers many of the factors found in ISO 27001 and NIST SP 800-53, both assessments are easier to attain after becoming HITRUST CSF certified.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government program that standardizes security assessment and authorization of cloud service providers (CSPs) used by federal agencies; a CSP that completes it receives an authorization, not a certificate.
FedRAMP requirements map readily to the HITRUST CSF framework. Organizations interested in pursuing FedRAMP authorization could consider adding the FedRAMP factor to their HITRUST assessment to benchmark whether they are prepared and to mature their controls as needed, but should note that adding FedRAMP to a HITRUST assessment is not equivalent to achieving FedRAMP authorization.
For a complete list of requirements that HITRUST CSF certification can assist with, read more here.
Getting Started With HITRUST Certification
HITRUST certification may seem daunting, but it doesn’t have to be. There are many steps organizations can take ahead of time to streamline their certification process.
The best way to set yourself up for a successful HITRUST assessment is to make the time and resource investment upfront. This means hiring an external assessor firm that understands your business and industry and has a proven record of HITRUST certifications. You should also spend time with your assessor before the assessment on a thorough scoping effort, so that you understand exactly which systems, locations and controls are in scope and what evidence you will need to produce for each.
For more on the do’s and don’ts of beginning your HITRUST journey, check out this blog post.