What is HITRUST? Complete Guide to HITRUST Certification
The HITRUST CSF is a comprehensive, prescriptive security framework that harmonizes more than 50 authoritative security standards into a single set of controls. HITRUST helps organizations in highly regulated industries build, and demonstrate to others, a mature cybersecurity and compliance program.
Although the HITRUST CSF has been around for more than a decade, many organizations still struggle with knowing if it’s the right certification for them. Here’s what you need to know before your organization decides to complete a HITRUST assessment.
What is the HITRUST CSF?
HITRUST offers a framework of security and privacy controls known as the HITRUST Common Security Framework (CSF). The CSF is unique because it harmonizes multiple authoritative sources — including HIPAA, ISO, NIST, and PCI DSS — into a single, integrated set of controls. This allows organizations to meet the requirements of many standards at once.
The primary goal of HITRUST is to provide a prescriptive and consistent approach to risk management. Although it originated in the healthcare industry and is considered the “gold standard” for protecting ePHI, the framework was made industry-agnostic in 2019. While not federally mandated, HITRUST is considered one of the most comprehensive frameworks because of its mapping to numerous other standards.
What is the HITRUST AI Risk Management (RM) Assessment?
The HITRUST AI Risk Management Assessment is a streamlined self-assessment designed to help organizations evaluate and manage the risks associated with AI.
This framework is built upon the National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF) and the ISO 23894 standard. HITRUST has consolidated the overlapping controls between these two standards into 51 key controls featured in the AI Risk Management Assessment.
One major advantage of the HITRUST AI Risk Management Assessment is its accessibility. Organizations do not need to be HITRUST-certified or even planning certification in the future to take advantage of this assessment.
Additionally, this framework is not restricted to the healthcare industry. Any company, regardless of the sector, can apply the assessment to measure AI-related risks.
What are the benefits of HITRUST?
Many organizations pursue a HITRUST assessment because of these benefits:
- Helps meet regulatory and contractual requirements imposed by customers, partners and legal mandates
- Accelerates revenue and market growth by helping businesses stand out from competitors
- Saves time and resources with a scalable framework that integrates multiple regulatory standards
- Consolidates over 40 different regulatory requirements and recognized frameworks, including ISO 27001, NIST SP 800-53, HIPAA, PCI DSS and more
What are the types of assessments?
There are three types of HITRUST CSF validated assessments:
1. Essentials 1-Year (e1) Assessment
The e1 is the cybersecurity essentials assessment, with 44 control requirements. It is meant for lower-risk organizations that want a low level of assurance that they are maintaining good cybersecurity hygiene, and it results in a one-year certification if the requirements are met.
2. Implemented 1-Year (i1) Assessment
The i1 Assessment is suitable for moderate assurance and results in a one-year certification if the requirements are met. An i1 Assessment contains 219 static control requirements, and only the Implemented maturity level is tested. Once your assessment has been submitted in MyCSF, we will review and validate it and submit it to HITRUST for approval.
3. Risk-Based 2-Year (r2) Assessment
This validated assessment applies a comprehensive, risk-based selection of controls with a rigorous evaluation approach, and is suitable for high assurance requirements. At least three of the five maturity levels must be assessed in an r2 Assessment: Policy, Procedure, and Implemented (Measured and Managed are optional). The certification is issued for two years, with an Interim Assessment required at the one-year anniversary of the certification. As with the i1 Assessment, we will review and validate your assessment scores and submit your final assessment to HITRUST for approval.
Learn more about these assessments here.
What is the HITRUST assessment process?
The HITRUST Assessment process is composed of five steps:
- Step 1: Define scope. During this stage, an organization either works with a third-party assessor or an internal subject matter expert to define scope and determine what type of HITRUST assessment to undergo.
- Step 2: Obtain access to MyCSF portal. The organization undergoing the assessment contacts HITRUST to obtain access to the MyCSF portal. Once access is granted, the organization creates its assessment object and engages an approved third-party assessor firm to begin the process.
- Step 3: Complete a readiness assessment/gap-assessment. The assessor performs appropriate tests to understand the organization’s environment and flow of data between systems, and then documents any possible gaps. The gap assessment also ranks organizational gaps by risk level, allowing for the remediation of any issues before the validated assessment.
- Step 4: Validated assessment testing. During this phase, the assessors review and validate the organization’s scores as part of the selected assessment type (e1, i1, or r2). The final assessment is then submitted to HITRUST for approval. HITRUST’s quality assurance (QA) process, which occurs before certification is issued, typically takes 4 to 10 weeks depending on the assessment type and the assessors’ responsiveness.
- Step 5: Interim assessment testing. If certification is obtained as part of the r2 Assessment, an interim assessment is required to be conducted at the one-year mark to maintain certification. It is important to note that an interim assessment is not required if certification was obtained via the e1 or i1 Assessment.
For a step-by-step guide to the HITRUST CSF Assessment process, download our HITRUST CSF Companion Guide.
What are the HITRUST policies and procedures?
The HITRUST CSF is a flexible and scalable security framework that is adapted to each organization’s compliance needs so the policies and procedures required will depend on your scope.
To achieve HITRUST r2 certification, organizations must establish policies and procedures that address all 19 HITRUST control domains. Additionally, they must attain a maturity rating of at least 3 on the 1-5 scale for each control domain. The 19 HITRUST CSF control domains are:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging and Monitoring
- Education, Training, and Awareness
- Third-Party Assurance
- Incident Management
- Business Continuity and Disaster Recovery
- Risk Management
- Physical and Environmental Security
- Data Protection and Privacy
Access the full description of the specific policies and procedures for HITRUST CSF certification here.
Can HITRUST certification satisfy other requirements?
In short, yes. HITRUST CSF Certification draws from several major pre-existing frameworks to provide a complete, certifiable security standard. The nature of this foundation may simplify the steps an organization needs to take to satisfy other requirements.
Three major requirements HITRUST CSF Certification can help satisfy include SOC 2, ISO 27001/NIST 800-53 and FedRAMP.
HITRUST and SOC 2
A SOC 2 report describes the internal controls at a service organization, providing users with management assertions, a description of both the system and the controls, tests and the results of the tests, and the independent service auditor’s report. Service organizations that provide services to other business entities commonly use SOC 2 reports.
HITRUST and the AICPA have developed a collaborative approach that aligns the AICPA's Trust Services Criteria with the HITRUST CSF requirements. This converged reporting model makes a HITRUST assessment and a SOC 2 examination complementary, allowing much of the same evidence to support both.
HITRUST and ISO 27001/NIST 800-53
The HITRUST CSF was originally built upon ISO 27001 and NIST SP 800-53. However, ISO 27001 certification is not a control-by-control compliance assessment; it certifies the management processes of the organization's information security management system (ISMS), with the specific controls chosen by the organization.
NIST SP 800-53 was written for federal information systems and, unlike the HITRUST CSF, does not address requirements specific to the healthcare industry. Both ISO 27001 and NIST 800-53 are useful frameworks for demonstrating security practices, but neither prescribes controls as specifically as the HITRUST CSF does.
Fortunately, HITRUST Certification covers many more factors than ISO 27001 and NIST 800-53, making both assessments easier to attain after being HITRUST CSF Certified.
HITRUST and FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government program that standardizes the security assessment and authorization of cloud service providers (CSPs) used by federal agencies.
FedRAMP requirements can be readily mapped to the HITRUST CSF. Organizations interested in pursuing a FedRAMP authorization should consider adding the FedRAMP factor to their HITRUST assessment. This provides a FedRAMP benchmark and reveals areas that need to mature, but it is not equivalent to achieving a FedRAMP authorization.
For a complete list of requirements that HITRUST CSF Certification can assist with, read more here.
How long is HITRUST Certification valid?
The HITRUST e1 and i1 certifications are valid for one year, while the r2 certification is valid for two years provided the Interim Assessment is completed successfully and on time.
Treat HITRUST certification as a continuous improvement and monitoring exercise rather than a one-time assessment: the threat landscape evolves constantly, and so does the HITRUST CSF.
What’s an example of HITRUST Certification in the real world?
Below are customer case studies in which the organization earned HITRUST certification to drive revenue, build customer trust and improve its security posture.
- Sandata Achieves CMS Certification with HITRUST
- HealthBridge Boosts Compliance Program with HITRUST Certification
- Welvie Leverages Long-Term Partnership to Maintain HITRUST Compliance and Power Growth
Getting started with HITRUST certification
Achieving HITRUST certification begins with a strong foundation. Investing time and resources upfront is essential for a successful assessment. Start by hiring an experienced external assessor firm with a deep understanding of the business and industry, as well as a proven track record of HITRUST Certification success. Collaborate closely with the assessor to thoroughly scope the project and identify all necessary requirements.
When choosing vendors, conducting a risk assessment is a critical first step to ensure that they can protect the data that might be shared with them. Requesting a security compliance report, such as a HITRUST Validated Assessment report, a SOC 2 report, a PCI DSS attestation, or an assessment against NIST 800-53, is an effective way to verify their compliance and commitment to data security.
For more do’s and don’ts of beginning your HITRUST journey, check out this blog post.
As one of the top HITRUST assessors in the market and a leader in HITRUST AI certifications, A-LIGN can provide your organization with the experience and guidance needed to achieve certification. Contact us to get started today.