What is HITRUST Certified?
Put simply, HITRUST Certified organizations demonstrate compliance with a prescriptive set of requirements at a prescribed level of maturity in a manner intended to provide a given level of assurance depending on the level of certification desired.
Under the HITRUST CSF® Assurance Program Requirements, “‘HITRUST CSF Certified’ refers to an organization that has met all CSF certification requirements as defined by HITRUST based on industry input and analysis. ‘CSF Certification’ involves performance of a validated assessment leveraging the MyCSF tool, the embedded HITRUST CSF control requirement statements, and the PRISMA maturity model. CSF certification provides relying entities with greater assurance that an assessed entity is appropriately managing risk. CSF certification is designed to remove the variability in acceptable security and privacy requirements by establishing a baseline defined by industry, removing unnecessary and costly negotiations and risk acceptance.”
How Do I Get HITRUST Certified?
If you are reading this, you may well be considering obtaining a HITRUST Certification. Some people may call it CSF certification, but the correct term is HITRUST certification. This post will walk you through the overall HITRUST certification process. You will learn the major steps needed to prepare, be assessed, and obtain the certification. We will also highlight some of the pitfalls to avoid along the way.
If you are not quite ready to dive into the HITRUST assessment processes but would like to learn more about HITRUST, I recommend that you take a look at one of our earlier blogs that walks you through the basics of HITRUST compliance.
What is a HITRUST Certification?
Founded in 2007, HITRUST issues certifications to businesses and organizations that are independently assessed for compliance with its Common Security Framework (CSF). An organization can obtain HITRUST certification when all the required controls are fully implemented within the scoped environment. The HITRUST CSF is designed for use by a variety of organizations that may create, access, store, or share sensitive data. The CSF incorporates commonly accepted standards such as ISO, NIST, PCI, HIPAA, and COBIT within its baseline security controls.
What are the Types of HITRUST Certifications?
As of January 2023, there are three HITRUST assessments that lead to certification:
- HITRUST Essentials, 1-Year (e1) Assessment
- HITRUST Implemented, 1-Year (i1) Assessment
- HITRUST Risk-based, 2-Year (r2) Validated Assessment
The certification that has been in place for well over ten years is the Risk-based, 2-Year (r2) Validated Assessment. The Implemented, 1-Year (i1) Validated Assessment has been available since early 2022 and is intended to be a standardized certification that focuses on the implementation of “best practices” in a moderate-risk environment. In early 2023, HITRUST introduced the Essentials, 1-Year (e1) Assessment, which is aimed at environments requiring entry-level assurance and focuses on essential cyber-hygiene practices. Visit the HITRUST website to learn more about the various HITRUST assessments.
How Do the HITRUST Certifications Differ?
The chart below provides a high-level overview of the various assessment (and certification) options available in the HITRUST portfolio of services:
Image Source: https://hitrustalliance.net/product-tool/hitrust-assessments/
Separating the assessments and certifications in detail is a topic that will likely warrant its own discussion in the future, but for now, there are three key differences worth focusing on:
- The e1 and i1 assessments are based on a static set of controls, unlike the r2, which is based on scoping factors. As a result, the size of an r2 assessment will vary from one organization to another.
- The e1 and i1 are based simply on the implementation of controls, with minimal dependence on documented policies, unlike r2 assessments, which consider five levels of maturity: policy, procedure, implemented, measured, and managed.
- The e1 and i1 can lead to ONE year of certification, whereas the r2 can lead to two years of certification, conditional on the completion of an interim assessment at the one-year mark. A rapid recertification process is in place for the i1, which tests compliance with a subset of the i1 requirements in order to be re-certified. There is no rapid recertification option for the e1 certification.
Who Needs HITRUST Certification?
Most organizations seek HITRUST certification at the request of a valued client or business partner. Historically, HITRUST has been more prevalent in the healthcare industry, where HIPAA is the driving force for compliance. Recent revisions of the CSF have improved coverage of other frameworks, which makes the CSF and HITRUST certification more universal in nature. For example, the specific targeting of NIST 800-171 in the e1 and i1 assessments is a clear indicator that HITRUST is working to gain traction beyond the healthcare industry.
Why Do Organizations Need HITRUST Certification?
The request for HITRUST certification by a key client or business partner is typically sufficient motivation for any organization. However, we strongly suggest organizations consider the options available to them, as HITRUST certification is a significant investment in time, resources, and capital and should not be taken lightly. The e1 or i1 assessments are an excellent starting point for organizations that want to obtain HITRUST certification but do not require the higher level of assurance that the r2 assessment and certification provide.
Quite often, SOC 2 is used as a stepping stone to get an organization into the “compliance mindset”. The bottom line is that there are other options or audits that a business may use to evidence the control environment it uses to secure sensitive data. Read here to learn more about the differences between SOC 2 and HITRUST.
Tip: HITRUST offers a variety of programs for smaller firms as well as startup or venture-backed organizations which can help reduce the costs associated with getting started with HITRUST.
What are the HITRUST Certification Requirements?
To achieve any HITRUST certification, the organization must exceed the baseline certification scores for the requirements, which are distributed across various domains. HITRUST scoping is more complex for the r2 assessment because it uses five different levels of maturity, versus one level of maturity for the e1 and i1 assessments.
What is a HITRUST Audit?
Strictly speaking, HITRUST certification does not involve an audit. HITRUST certification involves assessments. How are HITRUST assessments different from an audit? Let’s explore the basic differences between audits and assessments:
- Audits are focused on ensuring compliance with a given framework or set of requirements. They are performed to ensure nothing is wrong.
- Assessments are focused on defining the current state of the environment within the context of a given ideal state. Assessments help identify weaknesses and measure the delta between the current state and the ideal state.
Here are a few other differences worth noting when comparing HITRUST to other audits and assessments.
- An audit generally results in some form of audit report. Within the world of infosec, this is often an auditor’s opinion about the implementation and operation of controls over a period of time (or even at a point in time). The audit report is NOT a certification, which is why the concept of a “SOC 2 certification” is misleading: it does not exist.
- Certification confirms that an organization meets the requirements of some formal standard. In this case, the HITRUST CSF is the standard, and HITRUST is the recognized accrediting body. Most frameworks in use do not have any such structure behind them.
- In some cases, an assessment is based on a legal or regulatory set of requirements, such as HIPAA or GDPR. While these are often used as the basis for audits, there are no certifications associated with them, which is another good example of marketing terms being used to describe something that does not exist. Learn more about the benefits of HITRUST certification and how it differs from HIPAA.
How to Prepare for a HITRUST Assessment
While you will need to complete and submit a validated assessment to HITRUST for certification, it is recommended that your organization start with a self-assessment or readiness assessment. A HITRUST self-assessment is performed internally by your own personnel against the CSF, while a readiness assessment is typically performed by an independent third party. Either of these assessments will help familiarize your business with CSF requirements and identify any control gaps that should be addressed before going forward with a validated assessment.
We recommend organizations have a readiness assessment performed by the HITRUST External Assessor Organization which will ultimately be performing their validated assessment. This provides you with the assessor’s perspective of the gaps that need to be addressed and allows you an opportunity to discuss any differing opinions regarding those gaps and how best to address them. Either way, be sure to be thorough. This is the time to catch any shortcomings. If you perform a self-assessment independently, the last step of preparation is to engage a HITRUST External Assessor Organization to perform your validated assessment.
Another important item to decide is how much you plan to use the MyCSF tool, which is used to document the self-assessments and validated assessments performed for HITRUST certification. HITRUST gives you two options for using the MyCSF tool:
- Purchase a CSF Report: access only for the duration of the assessment (90 days); $3k-6k
- Subscription: full access year-round for an annual fee; $15k-50k
Both will work, and each has its pros and cons. The first option is less expensive; however, you only have access to the tool for 90 days, during which you must complete your self-assessment and your HITRUST External Assessor Organization must complete the validation of your assessment. The subscription option is more expensive, but it may be worth it in the long run if you plan to maintain your HITRUST certification on an ongoing basis. The annual subscription allows you to track compliance throughout the year, access your information in the tool at any time, and roll forward your custom control set from the CSF, along with any updates, into your next year’s assessment.
The following chart illustrates the basic differences between the report-only and subscription options:
What is the Process for Completing a Validated HITRUST Assessment?
At this point, let’s assume you have performed a self/readiness assessment, remediated any control gaps, obtained access to the MyCSF tool, and engaged a HITRUST Certified CSF Assessor.
One important item to keep in mind is that all testing must be performed within a 90-day window, so organizations should consider resource availability and potential disruptions when planning for the assessment. The assessment process itself is not complicated; most organizations that struggle do so because of the sheer size of the assessment.
How Many Controls are Required for HITRUST Certification?
Most r2 assessments contain 300-400 requirement statements, with 250 being a typical minimum. The e1 and i1 assessments include a static number of requirements: the current e1 contains 44 requirements and the current i1 includes 182 requirements. Not every individual requirement statement must be fully compliant for certification, but every requirement statement is scored, and those scores are averaged across each of the 19 domains in MyCSF.
What are the Steps for HITRUST Certification?
The validated assessment process is generally a three-phased process:
- The organization scores itself and enters supporting evidence and a narrative in MyCSF.
- The external assessor performs validation testing which includes evidence reviews and on-site testing if needed.
- The finalized assessment is submitted to HITRUST for review and potential certification.
Step One: Narrative, Self-Scoring, and Evidence Collection
This requires you or a member of your organization to evaluate your compliance with each required control against one (1) or five (5) maturity levels, depending on the assessment type, as noted below:
- Policy (r2)
- Procedure (r2)
- Implemented (e1, i1, r2)
- Measured (r2)
- Managed (r2)
Along the way, you will supply certain evidence and a narrative based on guidance and other requests from your assessor. Controls are grouped within 19 different assessment domains. Once you’ve documented your assessment for all of the controls within a domain, you will submit the domain to your Certified CSF Assessor. This portion of the process typically takes four to six weeks for an r2 assessment and much less for an e1/i1 assessment.
Step Two: Assessor Review and Validation Testing, Submission to HITRUST
Upon receiving a submitted domain, the assessor begins validating your self-assessment scoring against the available evidence. Your assessor will also follow HITRUST’s sampling guidance to test the controls against the same maturity levels.
If your assessments agree, the assessor will record the agreement in the tool and document the procedures performed to validate the assessment.
If the assessor disagrees with your self-assessment ratings, the assessor may return a control to you in the MyCSF tool with comments.
If your assessor performed a readiness assessment (often referred to as a gap assessment) and you have addressed all of the findings, you will have minimized the likelihood of surprises or disagreements between the self-assessment and the validated assessment. If you skipped the preparation phase, did not perform a thorough self-assessment or readiness assessment, or did not adhere to the HITRUST scoring methodology, reaching agreement can be a very drawn-out, iterative process. This portion of the process typically takes another four to six weeks for an r2 assessment, and much less for an e1/i1 assessment.
Step Three: HITRUST Review, Quality Assurance, and Certification
Once you and your assessor agree on scores and all evidence has been collected and entered into MyCSF by the assessor, the assessor submits the assessment to HITRUST for review. The assessment must go through several phases of review and quality assurance (QA). First, a basic check for obvious issues (missing comments, missing attachments, etc.) is performed. Next, a QA analyst reviews the assessment and may request additional documentation, evidence, or clarification of testing activities, scoping factors, or any other component of the assessment that HITRUST determines requires follow-up prior to issuance of the report and certification letter. This process typically takes anywhere from four to six weeks.
How Does HITRUST Certification Work?
As stated above, the final step in the process is the issuance of a certification letter by HITRUST.
The HITRUST e1 certification is valid for one year and must be renewed annually, in full.
The HITRUST i1 certification is valid for one year and is renewed either through a full re-assessment or rapid recertification which consists of roughly 60 requirements.
The HITRUST r2 certification is valid for two years with the expectation that:
- The organization continues to monitor the effective operation of controls over the period.
- There have been no data security breaches that are required to be reported to federal or state agencies.
- There are no significant changes in the business or its security policies and practices.
- Annual progress is being made on the Corrective Action Plans (CAPs) identified in the assessment, and the recommendations on how they should be managed are being addressed.
- An interim assessment is completed on time by a Certified CSF Assessor.
How Long Does It Take to Become HITRUST Certified?
For most organizations pursuing certification for the first time, it will take six to nine months to prepare for the assessment (which includes performing a readiness assessment, remediating gaps, and allowing for the settling period required by HITRUST). It then takes another three months to complete the validated assessment and obtain certification. Because of the multiple maturity levels involved, the r2 assessment naturally takes longer to prepare for. Preparation for an e1 or i1 assessment is expected to be more in line with preparation for a SOC 2 audit, which generally takes two to six months, followed by another four to six weeks to complete the assessment.
How Much Does It Cost to Become HITRUST Certified?
“How much does HITRUST cost?” This is a very typical question many clients ask during initial conversations. The answer is complex, because there are three primary costs associated with achieving (and maintaining) HITRUST certification. HITRUST should not be considered a one-and-done assessment for the organization, as true compliance with HITRUST requirements requires integrating a culture of security and compliance within the organization.
Organizations can expect to make three primary investments to achieve and maintain HITRUST certification:
- Fees for access to MyCSF and assessment objects – The fees to access MyCSF and to obtain a validated assessment report (which is required for certification) will range from $20k to $50k+ annually for most organizations.
- HITRUST External Assessor assessment fees – These are the fees paid to your assessor firm (your auditor), and they generally range from $40k to $250k+ annually. These fees can vary quite broadly based on the type of assessment (e1/i1/r2, readiness/validated) as well as the scope of the assessment. Any quality assessor firm will be willing to walk you through the scoping process to understand the size and complexity of the environment before quoting a specific price. The fees are most significant in the first year, as this typically involves a readiness assessment as well as the first validated assessment; fees then drop significantly as the organization transitions to the interim assessment and then to a fresh validated assessment.
- Internal costs tied to resources, tools, personnel, and capital – Just as a home requires ongoing investment to be designed, built, and maintained, your organization will need to invest in the people, processes, and technologies that form the structure of your HITRUST compliance program. It is difficult to place even a rough figure on this due to variations between organizations, but the organization should be aware that these investments will be significant.
We hope this has helped you understand the process of obtaining a HITRUST certification. The HITRUST process can be lengthy and requires preparation and planning. However, it can provide your clients and partners peace of mind knowing your organization has taken the steps necessary to protect the sensitive data in your possession.
As Linford & Co is a HITRUST External Assessor Organization, we would be happy to assist you with any of your HITRUST compliance needs. Please contact us to arrange a consultation or with any additional questions you may have about our HITRUST Audit & Certification services.
This article was originally published on 1/3/2018 and was updated on 3/22/2023.
Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, CCSFP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.