What is HITRUST Certification?
Founded in 2007, HITRUST issues certifications to businesses and organizations that are independently assessed for compliance with its Common Security Framework (CSF). An organization can obtain HITRUST certification when all the required controls are fully implemented within the scoped environment. The HITRUST CSF is designed for use by a variety of organizations that may create, access, store, or share sensitive data. The CSF incorporates commonly accepted standards such as ISO, NIST, PCI, HIPAA, and COBIT within its baseline security controls.
Assurance of a secure operating environment is a challenge that has rapidly spread across industries. Recent breaches have shown how supply chain attacks can have significant downstream impacts. The interesting thing to note is that most recent high-profile attacks could have been prevented through the application of sound cyber hygiene practices, such as those required of organizations undergoing HITRUST certification. Several examples include the usage of strong, advanced authentication mechanisms, the ability to identify and prevent the usage of weak credentials, and more.
HITRUST solves this dilemma through the application of the HITRUST Common Security Framework (CSF) and a Validated Assessment, which if an organization obtains certain levels of assurance, results in a formal certification that is good for up to two years.
How Do I Get HITRUST Certified?
If you are reading this, you may well be considering obtaining a HITRUST Certification. Some people may call it CSF certification, but the correct term is HITRUST certification. This post will walk you through the overall HITRUST certification process. You will learn the major steps needed to prepare, be assessed, and obtain the certification. We will also highlight some of the pitfalls to avoid along the way.
If you are not quite ready to dive into the HITRUST assessment processes but would like to learn more about HITRUST, I recommend that you take a look at one of our earlier blogs that walks you through the basics of HITRUST compliance.
What is The Process to Become HITRUST Certified?
As of January 2023, there are three HITRUST assessments that can lead to certification:
- HITRUST Essentials, 1-Year (e1) Assessment
- HITRUST Implemented, 1-Year (i1) Assessment
- HITRUST Risk-based, 2-Year (r2) Validated Assessment
In response to industry needs, HITRUST continues to develop its offerings to address a broad variety of risk scenarios. The legacy HITRUST CSF Validated Assessment (now the r2 Assessment and Certification) has been successfully supporting the needs of organizations in need of a strong level of assurance for over a decade. In the meantime, other assessment products have been developed to support the needs of organizations that do not require such a high level of assurance as obtained from the r2. As a result, the e1 and i1 assessments have been introduced; they are described in more detail below.
The HITRUST Essentials, 1-Year (e1) Assessment. (Released in 2023)
Evaluating foundational cybersecurity controls and supporting quicker security assurance and lower effort than HITRUST i1 and r2 Assessments is the HITRUST Essentials, 1-year (e1) Assessment. The e1 is a standardized assessment that focuses on basic cyber-hygiene practices and provides an appropriate, suitable assessment for organizations of a lower-risk profile. Visit the HITRUST website to learn more about the e1 assessment.
The HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification. (Released in 2022)
This can be considered a standardized “best practices” assessment best suited for moderate risk situations where the e1 assessment does not provide enough assurance and the r2 assessment addressed below is not reasonable. The i1 assessment is threat-adaptive, meaning that requirements will be added and removed to address the continuously evolving threat landscape. The i1 assessment features a static (non-tailored) set of controls which is a departure from the legacy HITRUST assessment and certification approach.
The level of effort associated with the i1 assessment is considered to be “moderate” according to HITRUST, however early indications show the i1 is significantly more effort than typical information security audits including SOC 2, ISO/IEC 27001:2022, or PCI. The i1 can be performed as a readiness assessment, or through an external assessor organization, a validated assessment and issuance of a certification (valid for one year) by HITRUST can be performed.
Visit the HITRUST website to learn more about the i1 assessment and certification.
The HITRUST Risk-based, 2-Year (r2) Validated Assessment + Certification
This is the legacy HITRUST CSF Validated Assessment – nothing has really changed except the name. The r2 assessment retains its position as a tailored assessment that considers scoping factors to determine the size of the assessment. The r2 is most suitable for high-risk scenarios where a high level of assurance is required. The r2 assessment has no equal in the industry, but is considered to be a challenging and exhaustive assessment involving five times the level of effort as the i1 assessment.
In our experience, FedRAMP is the most similar in terms of level of effort, but they are not equal in scope or depth of assessment. The r2 can be performed as a readiness assessment, or validated assessment with certification, similar to the i1 assessment, however – the r2 is valid for two years with the satisfactory completion of an interim assessment at the one-year mark. Visit the HITRUST website to learn more about the r2 assessment and certification.
To understand the detailed nuances between the various assessment and certification options, we suggest reviewing the HITRUST Assessments Portfolio Overview.
How Do the HITRUST Certifications Differ?
The chart below provides a high-level overview of the various assessment (and certification) options available in the HITRUST portfolio of services:
Image Source: HITRUST
Separating the assessments and certifications in detail is a topic that will likely warrant its own discussion in the future, but for now, there are three key differences worth focusing on:
- The e1 and i1 assessments are based on a static set of controls, unlike the r2, which is based on scoping factors. The r2 certification will still vary in size from one organization to another.
- The e1 and i1 are based simply on the implementation of controls, with minimal dependence on document policies, unlike r2 assessments which consider five levels of maturity: policy, procedure, implemented, measured, and managed.
- The e1 and i1 can lead to ONE year of certification, whereas the r2 can lead to two years of certification based on the completion of an interim assessment at the one-year mark. There is a rapid recertification process in place for the i1, which will focus on compliance with a subset of i1 requirements to be re-certified. There is no rapid recertification option for the e1 certification.
Is an Authorized CSF Assessor Required for HITRUST?
Yes! To achieve HITRUST certification, an organization is required to work with an External Assessor Organization that has been vetted and approved by HITRUST to perform validated assessments. At an organizational level, there are requirements around background, training, and certification of individual assessors.
To serve our clients as an external assessor organization, we maintain a staff of experienced and qualified assessors who are certified by HITRUST. Our HITRUST assessors complete annual training activities and hold industry licenses and certifications including the CCSFP, CHQP, CISA, CISSP, CPA, and others.
What is a HITRUST Audit?
Strictly speaking, HITRUST certification does not involve an audit. HITRUST certification involves assessments. How are HITRUST assessments different from an audit? Let’s explore the basic differences between audits and assessments:
- Audits are focused on ensuring compliance with a given framework or set of requirements. They are performed to ensure nothing is wrong.
- Assessments are focused on defining the current state of the environment within the context of a given ideal state. Assessments help identify weaknesses and measure the delta between the current state and the ideal state.
Here are a few other differences worth noting when comparing HITRUST to other audits and assessments.
- An audit generally results in some form of audit report, and within the world of information security this is often in the form of an auditor’s opinion about the implementation and operation of controls over a period of time (or even a point in time) – the audit report is NOT a certification, which is why the concept of “SOC 2 certification” is misleading as it does not exist.
- Certification confirms that an organization meets requirements associated with some formal standard. In this case, the HITRUST CSF is the standard, and HITRUST is the recognized accrediting body. Most frameworks in use do not have any such structure behind them.
- In some cases, an assessment is based on some legal or regulatory set of requirements. Examples of this are HIPAA or GDPR – while these are often used for audits, there are no certifications associated with them – another good example of where marketing terms are often used to describe something that does not exist. Learn more about the benefits of HITRUST certification and how it differs from HIPAA.
How to Prepare for a HITRUST Assessment
While you will need to receive and submit a validated assessment to HITRUST for certification, it is recommended that your organization start out with a self-assessment or readiness assessment. A HITRUST self-assessment is performed internally by your own personnel against CSF, while a readiness assessment is typically performed by an independent third party. Either of these assessments will help familiarize your business with CSF requirements and identify any control gaps that should be addressed before going forward with a validated assessment. Read here to learn about potential HITRUST self-assessment pitfalls to avoid.
We recommend organizations have a readiness assessment performed by the HITRUST External Assessor Organization which will ultimately be performing their validated assessment. This provides you with the assessor’s perspective of the gaps that need to be addressed and allows you an opportunity to discuss any differing opinions regarding those gaps and how best to address them. Either way, be sure to be thorough. This is the time to catch any shortcomings. If you perform a self-assessment independently, the last step of preparation is to engage a HITRUST External Assessor Organization to perform your validated assessment.
Do You Need the HITRUST MyCSF Tool?
Another important item to decide is how much you plan to use the MyCSF tool for documenting the self and validated assessments performed for HITRUST certification. HITRUST gives you two options for using the MyCSF tool:
- Purchase A CSF Report – Access for only the assessment (90 days); ($3k-6k)
- Subscription – Full access year-round for an annual fee ($15k-50k)
Both will work. Each has its pros and cons. The first option is less expensive; however, you only have access to the tool for 90 days to complete a self-assessment and for your HITRUST External Assessor Organization to complete the validation of your assessment. The subscription option is more expensive, but may be worth it in the long run if you plan to maintain your HITRUST certification on an ongoing basis. The annual subscription allows you to track compliance throughout the year, access your information in the tool at any time, and roll forward the custom control set from CSF, as well as updates into your next year’s assessment.
The following chart illustrates the basic differences between the report-only and subscription options:
What is the Process for Completing a Validated HITRUST Assessment?
At this point, let’s assume you have performed a self/readiness assessment, remediated any control gaps, obtained access to the MyCSF tool, and engaged a HITRUST Certified CSF Assessor.
One important item to keep in mind is that all testing must be performed within a 90-day window, so organizations should consider resource availability and potential disruptions when planning for the assessment. The assessment process is not complicated in terms of process, but most organizations that struggle do so because of the enormity of the assessment.
How Many Controls Are Required for HITRUST Certification?
Most r2 assessments contain 300-400 requirement statements, with 250 being a typical minimum. The e1 and i1 assessments will include a static number of requirements with the current e1 containing 44 requirements and the current i1 including 182 requirements. Not all individual requirement statements are mandatory to be compliant for certification, but all requirement statements are evaluated based on scores that are averaged across each of the 19 domains in MyCSF.
What Are the Steps for HITRUST Certification?
The validated assessment process is generally a three-phased process:
- The organization scores itself and enters supporting evidence and a narrative in MyCSF.
- The external assessor performs validation testing which includes evidence reviews and on-site testing if needed.
- The finalized assessment is submitted to HITRUST for review and potential certification.
Step One: Narrative, Self-Scoring, and Evidence Collection
This requires you or a member of your organization to evaluate your compliance with each required control against the one (1) or five (5) maturity levels depending on the assessment type as noted:
- Process (r2)
- Procedure (r2)
- Implementation (e1, i1, r2)
- Measure (r2)
- Managed (r2)
Along the way, you will supply certain evidence and a narrative based on guidance and other requests from your assessor. Controls are grouped within 19 different assessment domains. Once you’ve documented your assessment for all of the controls within a domain, you will submit the domain to your Certified CSF Assessor. This portion of the process typically takes four to six weeks for an r2 assessment and much less for an e1/i1 assessment.
Step Two: Assessor Review and Validation Testing, Submission to HITRUST
Upon receiving a submitted domain, the assessor begins validating your self-assessment scoring against the available evidence. Similarly, your assessor will be following HITRUST’s sampling guidance to test the controls against the same maturity levels.
If your assessments agree, the assessor will record the agreement in the tool and document the procedures performed to validate the assessment.
If the assessor disagrees with your self-assessment ratings, he/she may return a control back to you in the MyCSF tool with comments.
If your assessor performed a readiness assessment (often referred to as a gap assessment) and you’ve addressed all the findings, you will have minimized the likelihood of running into surprises or disagreements between the self and validated assessments. If you skipped the preparation phase and did not perform a thorough self-assessment/readiness assessment or did not adhere to the HITRUST scoring methodology, this could be a very drawn-out, iterative process to come to an agreement. This portion of the process typically takes another four to six weeks for an r2 assessment, and much less for an e1/i1 assessment.
Step Three: HITRUST Review, Quality Assurance, and Certification
Once you and your assessor agree on scores and all evidence has been collected and entered into MyCSF by the assessor, the assessor submits the assessment to HITRUST for review. There are several phases of review and quality assurance (QA) the assessment must go through. First, a basic check for obvious issues (missing comments, missing attachments, etc.) is performed. Following this step, a QA analyst reviews the assessment and may request additional documentation, evidence, or clarification of testing activities, scoping factors or any component of the assessment HITRUST determines requires follow-up prior to issuance of the report and certification letter. This process typically takes anywhere from four to six weeks.
How Long Does It Take to Become HITRUST Certified?
For most organizations pursuing certification for the first time, it will take six to nine months to prepare for the assessment (which includes performing a readiness assessment, remediation, and allowing for the settling period required by HITRUST). It is then another three months to complete the validated assessment and obtain certification. Due to differences in the level of effort, the r2 assessment will naturally take longer to prepare for because of the multiple levels of maturity involved in the assessment. Preparation for an e1 or i1 assessment is expected to be more in line with preparations for a SOC 2 audit, which generally takes two to six months to prepare for, and then another four to six weeks to complete the assessment.
How Long is HITRUST Certification Good For?
The e1 certification is good for one year. This supports most third-party risk management processes in which most organizations leverage an annual cadence for the solicitation and review of audit reports and questionnaires as part of their vendor management program.
The i1 certification is good for one year. Similar to other audits performed by organizations including SOC 1 reports, SOC 2, PCI, HIPAA, and others, the full assessment must be performed annually and the certification issued by HITRUST each year. Recently, HITRUST introduced a method to achieve recertification for the i1 based on a process called rapid recertification, which will allow qualified entities to achieve recertification based on a reduced number of requirements.
The r2 certification is valid for two years from the date of certification. That said, After one year of certification, an organization must undergo an interim assessment to ensure the organization has made satisfactory progress on any gaps identified during the initial certification assessment and has continued to operate the information security program in a satisfactory manner. If everything checks out, then the certification is maintained until the two-year mark, at which time a new, comprehensive validated assessment is required.
The interim assessment is generally a much smaller subset of the original number of requirement statements, but the testing and evaluation criteria are the same as during the initial assessment. It’s important to understand that if an organization undergoes a significant change to the size, scope, or major systems in the environment, a full assessment will be required even if the organization is due for an interim assessment. The bottom line is that the scope of the assessment cannot change significantly between the initial assessment and the interim assessment. If it does, a full assessment will be required. Be sure to talk to your assessor about this as part of your strategic plans if you have any questions.
How Much Does It Cost to Become HITRUST Certified?
“How much does HITRUST cost?” This is a very typical question many clients ask during initial conversations. That question leads to a complex answer since there are three primary costs associated with achieving (and maintaining) HITRUST certification. HITRUST should not be considered a one-and-done assessment for the organization – as true compliance with HITRUST requirements requires the integration of a culture of security and compliance within the organization.
Organizations can expect to make three primary investments to achieve and maintain HITRUST certification:
- Fees for access to MyCSF and assessment objects – The fees to access MyCSF and to obtain a validated assessment report (which is required for certification) will range from $20k to $50k+ annually for most organizations.
- HITRUST External Assessor Assessment Fees – These are the fees paid to your assessor firm (your auditor) and they generally range from $40k to $250k+ annually. These fees can vary quite broadly based on the type of assessment (e1/i1/r2, readiness/validated) as well as the scope of the assessment. Any quality assessor firm will be willing to walk you through the scoping process to understand the size and complexity of the environment before quoting a specific price. The fees are most significant in the first year as this typically involves a readiness assessment as well as the first validated assessment, and then fees drop significantly as the organization transitions to the interim assessment and then a fresh validated assessment.
- Internal costs tied to resources, tools, personnel, and capital – Just like a home requires ongoing investment to be designed, built, and maintained, your organization will need to make an investment in the people, processes, and technologies that serve as the structure of your HITRUST compliance program. It is difficult to place a rough figure on this due to variations between organizations, but the organization should be aware these investments will be significant.
Summary
We hope this has helped you understand the process of obtaining a HITRUST certification. The HITRUST process can be lengthy and requires preparation and planning. However, it can provide your clients and partners peace of mind knowing your organization has taken the steps necessary to protect the sensitive data in your possession.
As Linford & Co is a HITRUST External Assessor Organization, we would be happy to assist you with any of your HITRUST compliance needs. Please contact us to arrange a consultation or with any additional questions you may have about our HITRUST Audit & Certification services.
This article was originally published on 1/3/2018 and was updated on 10/4/2023.
Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, CCSFP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.