Preface: In October and December of 2021, the HITRUST Alliance released a series of press releases addressing upcoming changes which include the rollout of new assessment types. This article is updated and based on the latest information available as of January 2022 and will be revised as necessary to provide enhanced clarity.
What is HITRUST Certified?
Put simply, HITRUST Certified organizations demonstrate compliance with a prescriptive set of requirements at a prescribed level of maturity in a manner intended to provide a moderate to high level of assurance depending on the level of certification desired.
Under the HITRUST CSF® Assurance Program Requirements, “‘HITRUST CSF Certified’ refers to an organization that has met all CSF certification requirements as defined by HITRUST based on industry input and analysis. ‘CSF Certification’ involves performance of a validated assessment leveraging the MyCSF tool, the embedded HITRUST CSF control requirement statements, and the PRISMA maturity model. CSF certification provides relying entities with greater assurance that an assessed entity is appropriately managing risk. CSF certification is designed to remove the variability in acceptable security and privacy requirements by establishing a baseline defined by industry, removing unnecessary and costly negotiations and risk acceptance.”
How Do I Get HITRUST Certified?
If you are reading this, you may well be considering obtaining a HITRUST Certification. Some people may call it CSF certification, but the correct term is HITRUST certification. This post will walk you through the overall HITRUST certification process. You will learn the major steps needed to prepare, be assessed, and obtain the certification. We will also highlight some of the pitfalls to avoid along the way.
If you are not quite ready to dive into the HITRUST assessment processes, but would like to learn more about HITRUST, I recommend that you take a look at one of our earlier blogs that walks you through the basics of HITRUST compliance.
What is a HITRUST Certification?
Founded in 2007, HITRUST issues certifications to businesses and organizations that are independently assessed for compliance with its Common Security Framework (CSF). An organization can obtain HITRUST certification when all the required controls are fully implemented within the scoped environment. The CSF is designed for use by a variety of organizations that may create, access, store, or share sensitive data. The CSF incorporates commonly accepted standards such as ISO, NIST, PCI, HIPAA, and COBIT within its baseline security controls.
What are the Types of HITRUST Certification?
There are two forms of HITRUST certification:
- Implemented One-Year (i1) Validated Assessment
- Risk-based, Two-Year (r2) Validated Assessment
The certification which has been in place for well over ten years is the Risk-based, Two-Year (r2) Validated Assessment. The Implemented One-Year (i1) Validated Assessment is new and is intended to be a standardized certification that focuses on the implementation of “best practices” in a moderate risk environment. Learn more from the HITRUST FAQ for the i1 assessment.
How Do the HITRUST Certifications Differ?
The chart below provides a high-level overview of the various assessment (and certification) options available in the HITRUST portfolio of services:
Separating the assessments and certifications in detail is a topic that will likely warrant its own discussion in the future, but for now, there are three key differences worth focusing on:
- The i1 will be based on a static set of controls, unlike the r2, which is scoped using organizational and system scoping factors. This means every organization’s i1 certification will cover roughly the same set of requirements, whereas the r2 certification will continue to vary in size from one organization to another.
- The i1 will be scored solely on the implementation of controls. (It does not evaluate the policy, procedure, implemented, measured, and managed maturity levels the way the r2 does.)
- The i1 can lead to ONE year of certification, whereas the r2 can lead to two years of certification, contingent on completion of an interim assessment at the one-year mark.
Who Needs HITRUST Certification?
Most organizations seek HITRUST certification at the request of a valued client or business partner. Historically, HITRUST has been more prevalent in the healthcare industry where HIPAA is the driving force for compliance. Recent revisions of the CSF have improved coverage of frameworks which make the CSF and HITRUST certification more universal in nature. For example, the specific targeting of NIST 800-171 in the i1 assessment is a clear indicator HITRUST is working to gain traction in the government and defense spaces.
Why Do Organizations Need HITRUST Certification?
The request for HITRUST certification by a key client or business partner is typically sufficient motivation for any organization. However, we strongly suggest organizations consider the options available to them, as HITRUST certification is a significant investment of time, resources, and capital and should not be taken lightly. Quite often, SOC 2 is used as a stepping stone to get an organization into the “compliance mindset.” The bottom line is that there are other options or audits that a business may use to evidence the control environment it uses to secure sensitive data. Read here to learn more about the differences between SOC 2 and HITRUST.
What are the HITRUST Certification Requirements?
To achieve any HITRUST certification, the organization must meet or exceed the baseline certification scores for the requirement statements, which are distributed across multiple domains. Scoring is more complex for the r2 assessment because it evaluates five different maturity levels, versus the single maturity level (implementation) evaluated in the i1 assessment.
What is a HITRUST Audit?
Actually, HITRUST certification does not involve an audit. HITRUST certification involves assessments. How are HITRUST assessments different from an audit? Let’s explore the basic differences between audits and assessments:
- Audits are focused on ensuring compliance with a given framework or set of requirements. They are performed to confirm that nothing is out of compliance.
- Assessments are focused on defining the current state of the environment relative to a given ideal state. Assessments help identify weaknesses and measure the gap between the current state and the ideal state.
Here are a few other differences worth noting when comparing HITRUST to other audits and assessments.
- An audit generally results in some form of audit report. Within the world of infosec this is often an auditor’s opinion about the implementation and operation of controls over a period of time (or at a point in time). The audit report is NOT a certification, which is why the concept of a “SOC 2 certification” is misleading: no such certification exists.
- Certification confirms that an organization meets the requirements of some formal standard. In this case, the HITRUST CSF is the standard and HITRUST is the recognized accrediting body. Most frameworks in use do not have any such structure behind them.
- In some cases, an assessment is based on a legal or regulatory set of requirements. HIPAA and GDPR are examples: while these are often the basis for audits, there are no certifications associated with them, which is another case where marketing terms are used to describe something that does not exist. Learn more about the benefits of HITRUST certification and how it differs from HIPAA here.
How to Prepare for a HITRUST Assessment
While you will ultimately need to complete and submit a validated assessment to HITRUST for certification, it is recommended that your organization start with a self-assessment or readiness assessment. A self-assessment is performed internally by your own personnel against the CSF, while a readiness assessment is typically performed by an independent third party. Either will help familiarize your business with the CSF requirements and identify control gaps that should be addressed before proceeding to a validated assessment.
We recommend organizations have a readiness assessment performed by the HITRUST External Assessor Organization who will ultimately be performing their validated assessment. This provides you the assessor’s perspective of the gaps that need to be addressed and allows you an opportunity to discuss any differing opinions regarding those gaps and how best to address them. Either way, be sure to be thorough. This is the time to catch any shortcomings. If you perform a self-assessment independently, the last step of preparation is to engage a HITRUST External Assessor Organization to perform your validated assessment.
Another important item to decide is how much you plan to use the MyCSF tool utilized for documenting the self and validated assessments performed for HITRUST certification. HITRUST gives you two options for using the MyCSF tool:
- Purchase a CSF Report – Access for the duration of the assessment only (90 days); ($3k-6k)
- Subscription – Full access year-round for an annual fee ($15k-50k)
Both will work, and each has its pros and cons. The first option is less expensive; however, you only have access to the tool for 90 days, during which you must complete your self-assessment and your HITRUST External Assessor Organization must complete the validation of that assessment. The subscription option is more expensive, but may be worth it in the long run if you plan to maintain your HITRUST certification on an ongoing basis. The annual subscription allows you to track compliance throughout the year, access your information in the tool at any time, and roll forward your custom control set from the CSF, along with any updates, into the next year’s assessment.
The following chart illustrates the basic differences between the report-only and subscription options:
What is the Process for Completing a Validated HITRUST Assessment?
At this point, let’s assume you have performed a self/readiness assessment, remediated any control gaps, obtained access to the MyCSF tool, and engaged a Certified CSF Assessor.
One important item to keep in mind is that all testing must be performed within a 90-day window, so organizations should consider resource availability and potential disruptions when planning for the assessment. The steps themselves are not complicated; most organizations that struggle do so because of the sheer size of the assessment.
How Many Controls are Required for HITRUST Certification?
Most r2 assessments contain 300-400 requirement statements, with 250 being a typical minimum. i1 assessments will include a static number of requirements, currently expected to be 219. Not every individual requirement statement must be fully compliant to achieve certification; instead, every requirement statement receives a score, and those scores are averaged across each of the 19 domains in MyCSF and compared against the certification thresholds.
What are the Steps for HITRUST Certification?
The validated assessment process is generally a three-phased process:
- The organization scores itself and enters supporting evidence and a narrative in MyCSF
- The external assessor performs validation testing
- The finalized assessment is submitted to HITRUST for review and potential certification
Step One: Narrative, Self-Scoring and Evidence Collection
This requires you or a member of your organization to evaluate your compliance with each required control against the five (5) maturity levels (policy, procedure, implemented, measured, and managed):
Along the way, you will supply certain evidence and a narrative based on guidance from your assessor. Controls are grouped within 19 different assessment domains. Once you’ve documented your assessment for all of the controls within a domain, you will submit the domain to your Certified CSF Assessor. This portion of the process typically takes four to six weeks.
Step Two: Assessor Review and Validation Testing, Submission to HITRUST
Upon receiving a submitted domain, the assessor can begin validating your self-assessment. HITRUST requires that assessors come on-site (for at least a portion of the time) to perform their validation assessment, although this requirement has been lifted temporarily during the ongoing pandemic. Your assessor will follow HITRUST’s sampling guidance to test the controls against the same maturity levels you scored yourself against.
If your assessments agree, the assessor will record the agreement in the tool and document the procedures performed to validate the assessment.
If the assessor disagrees with your self-assessment ratings, he/she may return a control back to you in the MyCSF tool with comments.
If your assessor performed a readiness assessment (often referred to as a gap assessment) and you’ve addressed all the findings, you will have minimized the likelihood of running into surprises or disagreements between the self and validated assessments. If you skipped the preparation phase and did not perform a thorough self-assessment/readiness assessment or did not adhere to the HITRUST scoring methodology, this could be a very drawn-out, iterative process to come to an agreement. This portion of the process typically takes another four to six weeks.
Step Three: HITRUST Review, Quality Assurance, and Certification
Once you and your assessor agree on scores and all evidence has been collected and entered into MyCSF by the assessor, the assessor submits the assessment to HITRUST for review. There are several phases of review and quality assurance (QA) the assessment must go through. First, a basic check for obvious issues (missing comments, missing attachments, etc.) is performed. Following this step, a QA analyst reviews the assessment and may request additional documentation, evidence, or clarification of testing activities, scoping factors or any component of the assessment HITRUST determines requires follow-up prior to issuance of the report and certification letter. This process typically takes anywhere from six to ten weeks.
How Does HITRUST Certification Work?
As stated above, the final step in the process is the issuance of a certification letter by HITRUST.
The HITRUST i1 certification is valid for one year and is renewed on the basis of a full assessment.
The HITRUST r2 certification is valid for two years with the expectation that:
- The organization continues to monitor the effective operation of controls over the period.
- There have been no data security breaches that are required to be reported to federal or state agencies.
- There are no significant changes in the business or its security policies and practices.
- Annual progress is being made on Corrective Action Plans (CAPs) identified in the assessment.
- An interim assessment is completed in a timely manner by a Certified CSF Assessor.
How Long Does It Take to Become HITRUST Certified?
For most organizations pursuing certification for the first time, it will take six to nine months to prepare for the assessment (which includes performing a readiness assessment and remediation and allowing for the settling period required by HITRUST), and then another three months to complete the validated assessment and obtain certification. Due to differences in level of effort, the r2 assessment will naturally take longer to prepare for because of the multiple levels of maturity involved in the assessment. Preparation for an i1 assessment is expected to be more in line with preparations for a SOC 2 audit, which generally takes two to six months to prepare for, and then another four to six weeks to complete the assessment.
How Much Does It Cost to Become HITRUST Certified?
“How much does a HITRUST audit cost?” This is a very typical question many clients ask during initial conversations. The answer is complex, since there are three primary costs associated with achieving (and maintaining) HITRUST certification. HITRUST should not be considered a one-and-done assessment for the organization, as true compliance with HITRUST requirements calls for a culture of security and compliance to be built into the organization.
Organizations can expect to make three primary investments to achieve and maintain HITRUST certification:
- Fees for access to MyCSF and assessment objects. The fees to access MyCSF and to obtain a validated assessment report (which is required for certification) will range from $20k to $50k+ annually for most organizations.
- HITRUST External Assessor Assessment Fees – These are the fees paid to your assessor firm (your auditor) and they generally range from $30k to $250k+ annually. These fees can vary quite broadly based on the type of assessment (i1/r2, readiness/validated) as well as the scope of the assessment. Any quality assessor firm will be willing to walk you through the scoping process to understand the size and complexity of the environment before quoting a specific price. The fees are most significant in the first year, as this typically involves a readiness assessment as well as the first validated assessment; fees then drop significantly as the organization transitions to the interim assessment and, later, a fresh validated assessment.
- Internal costs tied to resources, tools, personnel, and capital. Just as a home requires ongoing investment to be designed, built, and maintained, your organization will need to invest in the people, processes, and technologies that form the structure of your HITRUST compliance program. It is difficult to place even a rough figure on this because of variations between organizations, but the organization should be aware that these investments will be significant.
We hope this has helped you understand the process of obtaining a HITRUST certification. The HITRUST process can be lengthy and requires preparation and planning. However, it can provide your clients and partners peace of mind knowing your organization has taken the steps necessary to protect the sensitive data in your possession.
As a HITRUST External Assessor Organization, we would be happy to assist you with any of your HITRUST compliance needs. Please contact us to arrange a consultation or with any additional questions you may have about our HITRUST Audit & Certification services.
This article was originally published on 1/3/2018 and was updated on 1/18/2022.
Richard is a leader in the HITRUST practice with Linford & Company and performs a variety of other assessments including SOC, HIPAA and NIST. He has guided more than 100 clients on their compliance journeys and holds a variety of certifications including the PMP, CISSP, GSNA and CCSFP as well as the CASP+, CySA+, Security+ and others from CompTIA, which he supports actively as a member of the Subject Matter Expert Governance Committee. He also holds an MBA from Western Governors University.