Our firm has been a HITRUST External Assessor Organization for several years and in that time we have successfully helped dozens of organizations obtain and maintain HITRUST certifications. We have identified common pitfalls and other barriers to success and we’ve also learned some keys to success. In this article, I’ll break down some of the most basic information about HITRUST, what HITRUST certification is, and the HITRUST assessment process.
HITRUST was founded in 2007 as a not-for-profit, initially to develop and champion programs to safeguard sensitive information such as electronically protected health information (ePHI). HITRUST attempts to fill a void that some regulations such as HIPAA do not address. Over time, HITRUST has expanded its services and capabilities to support organizations as they manage information risk for global organizations across all industries and throughout the third-party supply chain – it’s still a common misbelief that HITRUST is only for organizations in the healthcare industry. HITRUST has its roots in HIPAA compliance and has grown to be a very useful mechanism for validating HIPAA compliance, but it has grown well beyond its roots in terms of industry coverage.
What is the Difference Between HIPAA & HITRUST?
Many companies that must comply with HIPAA have, in the past, escaped deeper questions from relying entities by signing a business associate agreement and self-attesting compliance with HIPAA. This “taking your word for it” approach to HIPAA was concerning to healthcare providers that use service organizations to support their processes. Large healthcare providers have begun to demand greater assurance that HIPAA controls are in place at service organizations.
IT audit firms offer HIPAA compliance gap assessments, HIPAA compliance reports (e.g., AICPA AT-C 315), and finally HITRUST certifications to address the market need for greater HIPAA compliance assurance. Simply put, HITRUST is a mechanism by which an organization can demonstrate compliance with HIPAA requirements. For a more in-depth explanation, check out our blog “The Benefits of HITRUST Certification: Understanding HITRUST vs HIPAA.”
Why is HITRUST Important?
HITRUST is important as an organization because it solves an industry-wide challenge: Providing certifiable assurance of information security program operating effectiveness and maturity. There are many information security frameworks and assessment methodologies, but most do not result in a formal certification, and most also do not utilize a maturity assessment model to allow consumers of the certification or report to evaluate the maturity of the organization’s security practices.
What is the HITRUST CSF?
HITRUST has established the HITRUST CSF, which can be used by any organization that creates, accesses, stores, or exchanges sensitive and/or regulated data. The CSF includes a prescriptive set of requirements that seek to harmonize the requirements of multiple regulations and standards, including ISO, NIST, PCI, HIPAA, CMMC, and many others.
What Does CSF Stand for in HITRUST CSF?
CSF stands for “Common Security Framework”, the foundation of all HITRUST programs and services. It standardizes requirements drawn from a broad variety of information security frameworks and legal and regulatory requirements, providing clarity and consistency and reducing the burden of compliance. The CSF is what allows HITRUST to deliver on its goal of producing multiple compliance reports from a single assessment.
How Much Does the HITRUST CSF Cost?
It is important to understand that access to the HITRUST CSF is free of charge. Anyone may download the HITRUST CSF and utilize it within their own organization to achieve a number of other goals aside from formal certification. For example, the HITRUST CSF is an excellent tool for understanding how various information security frameworks correlate or “map” to one another.
What is HITRUST Certification?
Assurance of a secure operating environment is a challenge that has rapidly spread across industries. Recent breaches have shown how supply chain attacks can have significant downstream impacts. The interesting thing to note is that most recent high-profile attacks could have been prevented through the application of sound cyber hygiene practices, such as those required of organizations undergoing HITRUST certification. Several examples include the usage of strong, advanced authentication mechanisms, the ability to identify and prevent the usage of weak credentials, and more.
HITRUST solves this dilemma through the application of the HITRUST Common Security Framework (CSF) and a Validated Assessment. If the organization achieves the required levels of assurance, the result is a formal certification that is good for two years, assuming satisfactory completion of an interim assessment.
To understand why a HITRUST certification is accepted so broadly and is considered a gold standard in the industry, download this overview document from HITRUST.
Is an Authorized CSF Assessor Required for HITRUST?
Yes! To achieve HITRUST certification, an organization is required to work with an External Assessor Organization that has been vetted and approved by HITRUST to perform validated assessments. In addition to this organizational approval, there are requirements around the background, training, and certification of the individual assessors.
To serve our clients as an external assessor organization, we maintain a staff of experienced and qualified assessors who are certified by HITRUST. Our HITRUST assessors complete annual training activities and hold industry licenses and certifications including the CCSFP, CHQP, CISA, CISSP, CPA, and others.
What is HITRUST MyCSF?
As mentioned above, access to the HITRUST CSF is free. The MyCSF tool, on the other hand, is a SaaS platform that allows organizations to navigate the HITRUST assessment process. It includes functions for scoping and executing the engagement, such as developing narrative responses, linking evidence to requirement items, and scoring, along with other advanced functions including powerful analytics and reporting capabilities.
If the organization wishes to undergo a formal HITRUST assessment, access to MyCSF is required. Access to MyCSF is offered on both a subscription model as well as a one-time assessment model. In our experience, most clients choose to obtain the subscription model as it offers two distinct advantages over the one-time-assessment model:
- Reduced assessment management costs: With a HITRUST MyCSF subscription, an organization can save both time and money by maintaining data and Corrective Action Plans (CAPs) from assessments, significantly reducing data entry by internal and external resources when performing future assessments. Without this, each assessment becomes a standalone activity and there is significant repetition of work between assessments.
- Continuous real-time visibility of compliance stature: For more mature organizations which desire to move to a continuous monitoring methodology, the MyCSF tool can be leveraged to provide visibility into the organization’s risk posture throughout the assessment lifecycle.
Access to MyCSF is also required to properly scope a HITRUST assessment. If your organization does not already have access to MyCSF, you can work with one of our auditors to scope the size and complexity of your assessment before you commit to the purchase of MyCSF access.
Can MyCSF Replace My Current GRC Platform?
We often get this question. We have found that most organizations do not use MyCSF as their formal system of record for GRC purposes. MyCSF does offer some GRC capabilities, but most organizations leverage the features of a full-featured GRC platform to supplement their MyCSF usage. This is one reason why MyCSF supports integration with major GRC platforms and the HITRUST Assessment XChange.
How Long is HITRUST Certification Good For?
Once obtained, a HITRUST certification is good for two years from the date of certification. After one year of certification, an organization must undergo an interim assessment to ensure the organization has made satisfactory progress on any gaps identified during the initial certification assessment and has continued to operate the information security program in a satisfactory manner. If everything checks out, then the certification is maintained until the two-year mark, at which time a new, comprehensive validated assessment is required.
The interim assessment generally covers a much smaller subset of the original requirement statements, but the testing and evaluation criteria are the same as during the initial assessment. It’s important to understand that if an organization undergoes a significant change to the size, scope, or major systems in the environment, a full assessment will be required even if the organization is only due for an interim assessment. The bottom line is that the scope of the assessment cannot change significantly between the initial assessment and the interim assessment. If it does, a full assessment will be required. Be sure to talk to your assessor about this as part of your strategic plans if you have any questions.
Who Should Get HITRUST Certification?
This is often a challenging question to address. First of all, we often suggest that organizations start with a SOC 2 audit as a starting point if they have not previously engaged in any form of information security examination. This is because SOC 2 is an excellent primer to get an organization used to the policy and implementation requirements which are greatly expanded for HITRUST. Think of it as training wheels. If SOC 2 is an option, then consider starting with SOC 2 before initiating HITRUST.
Next, the advice we give to our clients is that if there is a sufficient business justification to warrant HITRUST certification, then starting with a readiness assessment is the best way to set the organization up for a successful validated assessment. We know HITRUST compliance and certification is a major investment and requires significant resources to be successful. Our auditors are happy to talk through the selection criteria and help navigate discussions our clients may have with their customers when HITRUST certification is being requested.
What Does HITRUST Certification Mean For My Organization?
HITRUST certification means that the organization has undergone a thorough assessment of its information security program focused on a given scope, which is generally limited to one or more implemented systems. Generally, an organization does not pursue HITRUST certification of the entire organization, as applying stringent information security requirements across the board is inefficient from a risk and resource allocation perspective. Certification reflects two things:
- Satisfactory completion of a HITRUST validated assessment by an external assessor firm such as Linford & Company.
- Validation of the quality and accuracy of the assessment by HITRUST through the HITRUST quality assurance process.
Are you trying to compare HITRUST to other assessment frameworks in the cybersecurity space? If so, read this whitepaper comparing CSF, ISO 27001, and NIST 800-53.
What Types of HITRUST Assessments Are There?
Readiness Assessment – A readiness assessment is designed to evaluate an organization’s readiness to successfully obtain HITRUST certification. This assessment may or may not be done through the MyCSF tool, and in lieu of a formal HITRUST report being issued, a list of gaps and remediation guidance is produced and provided to guide the client through the remediation process in preparation for an assessment.
Self Assessment – Organizations may choose to perform a self-assessment against the applicable CSF requirements within the MyCSF tool. HITRUST will also perform a limited validation of the self-assessment results that can be shared with a relying user entity. We have seen organizations get good value from a self-assessment when they have the appropriate skills and expertise and score themselves fairly, without bias. We have had a few clients perform a self-assessment and give themselves perfect scores without providing sufficient support for us to come to the same conclusions. It pays to be hard on yourself during the self-assessment. It’s important to note that a self-assessment does not result in certification. If certification is the goal, a validated assessment is required.
Validated Assessment – A validated assessment must be performed by a HITRUST assessor firm. A validated assessment requires an authorized external assessor to assess compliance with the applicable HITRUST CSF requirements. A validated assessment must be performed for an organization to become HITRUST certified. Upon completion of a validated assessment, an organization can pay a HITRUST certification fee, submit any corrective action plans, and have HITRUST spot-check the results of the validated assessment. If no significant issues are identified beyond what was identified in the validated assessment, an organization will receive a HITRUST certification and certification letter.
HITRUST Certification Cost
HITRUST compliance is not inexpensive. One reason is that it’s a more robust set of requirements than many other standards and frameworks. For perspective, many of our SOC 2 clients have 80-100 controls tested within a SOC 2 report. A typical HITRUST validated assessment may have upwards of 300 control requirements.
In addition, the maturity of each control in addressing its requirement must be assessed across five different maturity levels. That could mean an assessor has to look at 1500 or more pieces of documentation or evidence to complete a validated assessment. Another reason for the higher fees is that assessor firms must pay an annual fee to HITRUST to maintain their assessor status. HITRUST Validated Assessment fees range from $40,000/yr to $250,000/yr depending on the factors associated with the assessment.
HITRUST Implementation Levels
Each of the controls defined by HITRUST has three different implementation levels associated with it. The implementation levels build on each other, meaning a Level 3 implementation includes all of the Level 1 and Level 2 implementations as well. Implementation levels are determined by three unique risk factors:
- Organization factors: e.g., the type of organization or the size of the organization.
- System factors: e.g., internet connections, number of records, or the use of mobile devices in the organization.
- Regulatory factors: e.g., state or specialized industry requirements.
What Are the HITRUST Domains?
It’s important to understand how the hierarchy of requirements works within a HITRUST assessment. We’ll cover this at a high level here, but it can be reviewed in detail in this article, “An Expert’s Guide to the HITRUST Framework.” There are three primary levels to understand:
Domains: The HITRUST CSF starts out at the domain level, which are major practice areas within information security and regulatory compliance. Examples of domains are Endpoint Protection, Risk Management, and Data Protection & Privacy.
Control Families: Controls are broken down from the domain level into control families. These can be thought of as a group of controls that may be spread across multiple domains. They are also commonly referred to as control objectives.
Requirement Statements: Requirement statements are the most detailed level of control assessment. This is where evidence is obtained to assess the maturity of the organization’s operation of controls addressing the requirement; the depth and detail of a requirement may vary based on the HITRUST implementation levels addressed above.
What is a HITRUST Control?
It’s important to understand that there are some vernacular differences between HITRUST and the rest of the information security industry. Where the industry tends to focus on controls, HITRUST focuses on requirements.
Per HITRUST, a control objective is the desired outcome of the successful implementation and operation of a control. HITRUST requirements are the activities which, when performed according to HITRUST specifications, result in the effective operation of a control and achievement of the control objective. I’ll break this down:
Control Objective: The organization ensures organizational personnel are qualified to perform assigned duties in the areas of information security and incident response.
Control: Background checks, education verification, and reference checking will be used to perform screening activities.
Requirement: Perform background screening and assess risk for all personnel prior to the start of employment.
Maturity Levels & Scoring
To receive a HITRUST certification you must have a score of at least 62% (HITRUST 3-) in each domain, with corrective action plans for any requirements scoring less than 62%. One key lesson we have learned is that if it is your organization’s first time through HITRUST, you might consider focusing on policy, procedure, and implementation scores as opposed to measured and managed scores. Identifying metrics related to certain processes can be difficult at times. If you have a 75% score without evidence of measured and managed, you are meeting the HITRUST requirement.
When organizations hold themselves out as HITRUST certified, they don’t typically publish the score from the validated assessment. As a result, ask yourself if it’s worth the brain cells to go after a few extra points. That same time could be focused on documenting policies and procedures that are not in place and implementing required controls. Remember that a perfect policy, procedure, and implementation score gets you 75%, which does not even require a corrective action plan for the requirement.
The following list shows the maximum points available for each HITRUST maturity level.
- Policy – 15%
- Procedure – 20%
- Implemented – 40%
- Measured – 10%
- Managed – 15%
HITRUST scoring is a complex topic. For a more in-depth breakdown, take a look at our article “How to Score HITRUST CSF Controls?”
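As an added illustration of the scoring model described above (this is not HITRUST’s or Linford & Company’s code), the following Python computes a requirement’s weighted score from the five maturity-level maximums, flags requirements below 62% as needing a corrective action plan, and checks each domain against the 62% certification bar. The per-level “fraction achieved” input and the use of a simple mean for the domain score are simplifying assumptions; the requirement ids and scores are constructed sample data.

```python
from statistics import mean

# Maximum points per maturity level, as listed on the page (they sum to 100).
MATURITY_WEIGHTS = {"policy": 15, "procedure": 20, "implemented": 40,
                    "measured": 10, "managed": 15}
# Per the page: each domain needs at least 62% (HITRUST 3-) to certify, and a
# requirement scoring below 62% needs a corrective action plan (CAP).
DOMAIN_PASS_THRESHOLD = 62.0
CAP_THRESHOLD = 62.0


def requirement_score(levels):
    """Weighted score (0-100) for one requirement statement.

    `levels` maps a maturity level to the fraction (0.0-1.0) of that level's
    points awarded. Assumption: a plain fraction per level stands in for
    HITRUST's own rating scale. Levels not listed count as 0.
    """
    unknown = set(levels) - set(MATURITY_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown maturity level(s): {sorted(unknown)}")
    total = 0.0
    for level, weight in MATURITY_WEIGHTS.items():
        achieved = float(levels.get(level, 0.0))
        if not 0.0 <= achieved <= 1.0:
            raise ValueError(f"{level}: fraction must be between 0 and 1")
        total += weight * achieved
    return round(total, 2)


def needs_cap(levels):
    """True when a requirement scores below the CAP threshold."""
    return requirement_score(levels) < CAP_THRESHOLD


def domain_report(requirements):
    """Score each domain from (requirement_id, domain, levels) tuples.

    Assumption: a domain's score is the mean of its requirement scores.
    Returns {domain: {"score": float, "passes": bool, "caps": [ids]}}.
    """
    by_domain = {}
    for req_id, domain, levels in requirements:
        entry = by_domain.setdefault(domain, {"scores": [], "caps": []})
        score = requirement_score(levels)
        entry["scores"].append(score)
        if score < CAP_THRESHOLD:
            entry["caps"].append(req_id)
    report = {}
    for domain, e in by_domain.items():
        score = round(mean(e["scores"]), 2)
        report[domain] = {"score": score,
                          "passes": score >= DOMAIN_PASS_THRESHOLD,
                          "caps": e["caps"]}
    return report


# Constructed sample; ids and fractions are illustrative, not real HITRUST data.
SAMPLE_REQUIREMENTS = [
    # Full policy, procedure and implementation, no measured/managed evidence: 75%.
    ("REQ-01", "Endpoint Protection", {"policy": 1.0, "procedure": 1.0, "implemented": 1.0}),
    ("REQ-02", "Endpoint Protection", {"policy": 1.0, "procedure": 1.0, "implemented": 0.75, "measured": 0.5}),
    # Weak procedure and implementation drag this one below 62%, so it needs a CAP.
    ("REQ-03", "Risk Management", {"policy": 1.0, "procedure": 0.5, "implemented": 0.5}),
    ("REQ-04", "Risk Management", {"policy": 1.0, "procedure": 1.0, "implemented": 1.0}),
]
```

Running `domain_report(SAMPLE_REQUIREMENTS)` shows Endpoint Protection passing at 72.5 with no CAPs, while Risk Management averages 60.0 and fails, with REQ-03 needing a CAP even though REQ-04 is perfect on policy, procedure and implementation.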
What is HITRUST Inheritance?
HITRUST inheritance, also known as the Shared Responsibility Model, is valuable to organizations utilizing services from other HITRUST certified entities. For example, if your organization is planning to obtain HITRUST certification for a SaaS platform that is hosted in AWS, the organization can reduce the number of requirements it is responsible for during the assessment by inheriting compliance with approximately 10% of its requirements.
The inheritance process is simple to navigate and is one of the first activities performed during the assessment. In some cases, the requirement is inherited at a rate of 100%, which means no responsibility lies with the client organization. In other cases, the requirement may be inherited at 50% which means even though the cloud service provider may be partially responsible for a requirement, the client organization must still address their compliance with that requirement during an assessment. For more information on how to inherit controls in the HITRUST process, visit the HITRUST Shared Responsibility and Inheritance Program.
HITRUST Lessons Learned: Keys to Success
To summarize, here are some tips to make for a smoother adoption of HITRUST:
- When you do scope the coverage of your assessment, do so wisely and cover only the services that are most relevant to the user entities that are demanding HITRUST certification.
- Leverage SOC 2 when possible, and consider using SOC 2 as a starting point in your journey to HITRUST compliance.
- Perform a thorough self-assessment and identify specific evidence to support scores.
- Consider leaving out measured and managed scoring and evidence for the first year. Focus on the policy, procedure, and implementation maturity levels since those combine for the majority of the score for each requirement (75%).
- Know your resources and have resources available to remediate both policy and procedural gaps as well as implementation gaps.
This article was originally published on 9/26/2018 and was updated on 8/18/2021.
Richard is a leader in the HITRUST practice with Linford & Company and performs a variety of other assessments including SOC, HIPAA and NIST. He has guided more than 100 clients on their compliance journeys and holds a variety of certifications including the PMP, CISSP, GSNA and CCSFP as well as the CASP+, CySA+, Security+ and others from CompTIA, which he supports actively as a member of the Subject Matter Expert Governance Committee. He also holds an MBA from Western Governors University.