Is your organization looking for an industry-agnostic way to implement information security best practices? Have you investigated HITRUST certification in the past only to be discouraged by the level of effort required? Are you working toward full HIPAA compliance?
If you answered yes to any of the above, you should be excited about the new HITRUST Implemented One-Year (i1) Assessment. Read on to learn more about HITRUST i1 and how it could help your business save time and money while enhancing your security posture.
1. HITRUST i1 Ensures Security Best Practices
As described in HITRUST’s official press release, HITRUST i1 is a “continuously-relevant cybersecurity assessment that aligns and incorporates best practices and leverages the latest threat intelligence to maintain applicability with information security risks and emerging cyber threats, such as ransomware.” In other words, the control requirements for HITRUST i1 were carefully selected to promote superior security no matter the business type (check out section #3 for details on how these controls are threat-adaptive).
Perhaps your business is not required to obtain an official compliance certification, but you still want to demonstrate your commitment to security to both internal and external stakeholders. There are self-attestation assessments out there, such as the HITRUST Basic, Current-State (bC) Assessments, that can help you achieve good security hygiene. However, this category of assessment is not validated by an independent third party and only provides a low level of assurance for your customers, partners, and prospects.
At the opposite end of the spectrum, you may have looked into options that result in certification and offer a higher level of assurance compared to self-assessments but are geared toward a specific industry or piece of legislation. Terminology in these assessments such as “cardholder data” or “protected health information” can be confusing if it’s not applicable to your business. HITRUST i1, however, is guaranteed to be highly relevant to your business because of its industry-agnostic approach to security.
If your organization is looking for a certifiable standard that ensures information security best practices and provides assurance against moderate risk, then HITRUST i1 may be the right fit.
2. HITRUST i1 is More Attainable Than HITRUST r2
Another reason why your organization may be interested in HITRUST i1 is that it is easier to achieve than the standard HITRUST Risk-based, Two-year (r2) Assessment (formerly known as the HITRUST CSF Validated Assessment). If your organization does not have robust security resources in place, it could be difficult to achieve HITRUST r2 certification and to keep up with its ongoing requirements, such as interim assessments.
With HITRUST i1, organizations will be able to earn a HITRUST certification that is well-suited for their needs and doesn’t demand a significant amount of time and resources.
The primary reasons why HITRUST i1 certification is relatively simple to achieve are:
- Maturity levels: A HITRUST r2 assessment must evaluate an organization’s security controls against the Policy, Process, and Implemented levels of the HITRUST maturity model (Measured and Managed are optional). HITRUST i1 only tests an organization against the Implemented maturity level.
- The controls: A typical HITRUST r2 assessment involves an average of 360 control requirements drawn from 2,000 eligible controls. HITRUST i1, on the other hand, calls for 219 static control requirements that are the same for every organization that undergoes the assessment. This also makes comparison across different reports more straightforward.
3. HITRUST i1 is Always Up to Date
For a variety of reasons, many assessments on the market today are not updated on a regular basis to keep up with new and emerging threats. To address this issue, HITRUST i1 was specifically designed to be a continuously relevant security assessment. The HITRUST Alliance has made it known that they are reviewing the latest threat intelligence data and fine-tuning security controls no less than quarterly, as well as for every major and minor release of the HITRUST CSF.
Not only will HITRUST i1 be updated to incorporate controls that cover the evolving threat landscape, but it will also “sunset controls that have lost relevance and have limited assurance value based on effort required to comply or assess.” This means your organization can take comfort in knowing that the work you put into HITRUST i1 will be efficient and provide maximum security value.
4. HITRUST i1 is a Springboard for Full HIPAA Compliance
The HIPAA Security Rule necessitates that organizations carry out a risk analysis, implement security controls, and establish “reasonable and appropriate” policies and procedures to protect sensitive information. Without an official governing body to certify HIPAA compliance, HITRUST r2 provides the best way for organizations to prove they are HIPAA compliant through a reputable and certifiable framework.
I predict that some healthcare payers may start asking organizations in their supply chain to obtain HITRUST i1 certification as a way to evaluate progress and effort toward full HIPAA compliance. For example, perhaps an organization has only partially implemented some of their security controls and does not yet have appropriate policies and procedures in place. HITRUST i1 would be a good intermediate step to help them work toward HITRUST r2 certification.
Get Started on Your HITRUST Journey Today
HITRUST i1 is a game-changer for the compliance industry — it fills a crucial market gap for businesses that want a highly reliable security certification for moderate risk assurance. Because security is an ongoing process of continuous improvement, the fact that this assessment is frequently updated to maintain continuous relevance is highly appealing. If you’re seeking guidance on HITRUST, A-LIGN is here for you. We have helped hundreds of clients achieve HITRUST certification and can make your HITRUST journey as smooth and efficient as possible.