Here’s what your organization needs to know about HITRUST

By Jameson Miller, CPA, CISA 

Many business leaders know HITRUST as something associated with cybersecurity but aren’t sure exactly what it is or how it works. The HITRUST Common Security Framework (CSF) is a set of rigorous yet flexible controls governing data, technology and processes to ensure consumer privacy and demonstrate protection of sensitive information.

HITRUST has both for-profit and nonprofit divisions. The organization’s Executive Council includes leaders from major healthcare-related businesses.

With those basics in mind, let’s explore some of the most common questions and misconceptions about HITRUST to gain a more thorough understanding.

Who is HITRUST for?

HITRUST was originally designed with the security needs of healthcare-focused organizations in mind. Today, however, it offers a valuable and broadly applicable approach to meet data and cybersecurity needs and demonstrate a robust security posture, as organizations of every size and industry may handle sensitive personal, financial, proprietary, or health-related data.

What are the different HITRUST certifications?

There are three levels of HITRUST certifications:

  • HITRUST Essentials (e1) Validated Assessment – A certification that addresses basic cybersecurity processes and controls for companies with lower risk.
  • HITRUST Implemented (i1) Validated Assessment – A more robust level of assurance that includes verification of specific controls and leading information security practices.
  • HITRUST Risk-based (r2) Validated Assessment – A detailed and comprehensive certification for organizations with high risk profiles or stringent regulatory compliance needs.

How long does it take to get HITRUST certified?

Each certification requires a number of different controls and standards. The foundational level (e1) requires organizations to implement 44 controls, while i1 includes 182 different CSF requirements. The most rigorous certification, r2, covers an average of 375 controls, but that number is flexible, as the appropriate controls vary with the nature and size of the organization and its unique risk profile.

Some organizations can complete the e1 assessment in a month or less while others will require more time, and each certification can build on the previous one. Organizations that obtain e1 have already completed many of the requirements for i1 and r2; those with an i1 certification are well on the way to completing r2.

Is HITRUST the same as HIPAA?

No. HIPAA and HITRUST are different, but the HITRUST CSF framework can help your organization meet HIPAA requirements as well as the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and other security requirements.

HITRUST represents a comprehensive approach to security that incorporates controls and protective postures included in numerous other regulatory frameworks, including HIPAA, the ISO/IEC 27000 series, and PCI. One of the key advantages of HITRUST is its harmonization with other authoritative security sources, meaning organizations can demonstrate their compliance with multiple reporting and regulatory requirements through a single HITRUST assessment.

How does HITRUST relate to SOC 2?

HITRUST certification and SOC 2 attestation are very different and intended to offer different types of assurance. SOC 2 attestation is an opinion-based examination conducted and issued by a public accounting firm, whereas a HITRUST certification is an objective assessment based on an organization’s compliance with the controls set forth in the HITRUST cybersecurity framework. The flexibility of the HITRUST framework allows HITRUST assessments to map to the same standards included in SOC 2, where appropriate for an organization’s compliance and assurance needs.

How does HITRUST help with third-party risk management and shared services?

Vendors and business associates can share their HITRUST data and reporting outcomes (Certification Reports, Letters of Certification, etc.) with your organization, making third-party risk management (TPRM) much easier. Some TPRM solutions can accept HITRUST assessment details digitally, directly from the vendor.

When your organization utilizes IT services from HITRUST-certified vendors, cloud service providers, and others, the controls associated with their certifications are inheritable. This means they contribute to your own security certification requirements, significantly reducing the time and effort necessary for your organization to obtain HITRUST certification.

How does HITRUST keep organizations safe in an evolving threat landscape?

Cyber risks are constantly shifting, with new threats always arising. HITRUST continually assesses emerging threats and identifies gaps and vulnerabilities within the assurance that HITRUST certifications provide. Regular updates published by HITRUST help organizations understand what’s changed and learn how to adapt to new threats.

HITRUST can be a valuable tool to help businesses and nonprofits achieve important technology and compliance goals. Whether it’s HITRUST or any other risk management or compliance concern, Mauldin & Jenkins can help you identify and implement a comprehensive risk reduction strategy that’s perfectly tailored to meet your needs.