Our firm has been a HITRUST External Assessor Organization since 2017, and in that time we have successfully helped dozens of organizations obtain and maintain HITRUST certifications. We have identified common pitfalls and other barriers to success and we’ve also learned some keys to success. In this article, I’ll break down some of the most basic information about HITRUST, what HITRUST certification is, and the HITRUST assessment process.
Why was HITRUST Created?
HITRUST was founded in 2007 as a not-for-profit, initially to develop and champion programs to safeguard sensitive information such as electronic protected health information (ePHI). HITRUST attempts to fill a void that some regulations such as HIPAA do not address. Over time, HITRUST has expanded its services and capabilities to support global organizations across all industries as they manage information risk, including risk throughout the third-party supply chain – it’s still a common misbelief that HITRUST is only for organizations in the healthcare industry.
What is the Difference Between HIPAA & HITRUST?
HITRUST has its roots in HIPAA compliance and has grown to be a very useful mechanism for validating HIPAA compliance, but the modern implementation of HITRUST goes well beyond the health care industry. To learn more about HIPAA and HITRUST, check out our articles about HIPAA compliance gap assessments, HIPAA compliance reports, and “The Benefits of HITRUST Certification: Understanding HITRUST vs HIPAA.”
Why is HITRUST Important?
HITRUST is important as an organization because it solves an industry-wide challenge: Providing certifiable assurance of information security program operating effectiveness and maturity. There are many information security frameworks and assessment methodologies, but most do not result in a formal certification, and most also do not utilize a maturity assessment model to allow consumers of the certification or report to evaluate the maturity of the organization’s security practices. To understand why a HITRUST certification is accepted so broadly and is considered a gold standard in the industry, download this overview document from HITRUST.
What is the HITRUST CSF?
HITRUST has established the HITRUST CSF, which can be used by all organizations that create, access, store, or exchange sensitive and/or regulated data. The CSF includes a prescriptive set of requirements that seek to harmonize the requirements of multiple regulations and standards, including ISO, NIST, PCI, HIPAA, CMMC, and many others.
What Does CSF Stand for in HITRUST CSF?
CSF stands for “Common Security Framework”, the foundation of all HITRUST programs and services. The CSF standardizes requirements drawn from a broad variety of information security frameworks and legal and regulatory requirements, providing clarity and consistency and reducing the burden of compliance. The CSF is what makes HITRUST’s goal of delivering multiple compliance reports from a single assessment possible.
How Much Does the HITRUST CSF Cost?
It is important to understand that access to the HITRUST CSF is free of charge. Anyone may download the HITRUST CSF and utilize it within their own organization to achieve a number of other goals aside from formal certification. For example, the HITRUST CSF is an excellent tool for understanding how various information security frameworks correlate or “map” to one another.
What is HITRUST Certification?
Assurance of a secure operating environment is a challenge that has rapidly spread across industries. Recent breaches have shown how supply chain attacks can have significant downstream impacts. The interesting thing to note is that most recent high-profile attacks could have been prevented through the application of sound cyber hygiene practices, such as those required of organizations undergoing HITRUST certification. Several examples include the usage of strong, advanced authentication mechanisms, the ability to identify and prevent the usage of weak credentials, and more.
HITRUST solves this dilemma through the application of the HITRUST Common Security Framework (CSF) and a Validated Assessment, which if an organization obtains certain levels of assurance, results in a formal certification that is good for up to two years.
What Does HITRUST Certified Mean?
In late 2021, HITRUST unveiled a revision to the assessment and certification portfolio for HITRUST. Instead of simply providing one level of assessment and certification, there are now three unique levels of assessment, with two of them including a path to certification.
Image source: HITRUST
What Certifications Does HITRUST Offer?
In response to industry needs, HITRUST continues to develop its offerings to address a broad variety of risk scenarios. While the legacy HITRUST CSF Validated Assessment (now the r2 Assessment and Certification) has been successfully supporting the needs of organizations in need of a strong level of assurance, other assessment products have been developed to support the needs of organizations that do not require such a high level of assurance as obtained from the r2. As a result, the bC and i1 assessments have been introduced; they are described in more detail below.
The HITRUST Basic, Current-state (bC) Assessment. (New as of 2022)
Providing the lowest level of assurance (and also the lowest level of effort) is the HITRUST Basic, Current-state (bC) Assessment. The bC is a standardized self-assessment that focuses on “good hygiene” and performs simple validation through the application of the HITRUST Assurance Intelligence Engine to identify errors and omissions. The level of effort associated with this assessment is considered low, and it can be considered an alternative to the CAIQ, which is a product of the Cloud Security Alliance. Lastly, the bC does not lead to any form of certification. Visit the HITRUST website to learn more about the bC assessment.
The HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification. (New as of 2022)
This can be considered a standardized “best practices” assessment best suited for moderate-risk situations where the bC assessment does not provide enough assurance and the r2 assessment addressed below is not reasonable. HITRUST has indicated the i1 assessment will be threat-adaptive, meaning that requirements will be added and removed to address the continuously evolving threat landscape. The i1 assessment features a static (non-tailored) set of controls, which is a departure from the legacy HITRUST assessment and certification approach. The level of effort associated with the i1 assessment is considered to be “moderate” according to HITRUST; however, early indications show the i1 is significantly more effort than typical information security audits, including SOC 2, ISO 27001, or PCI. The i1 can be performed as a readiness assessment, or, through an external assessor organization, as a validated assessment leading to the issuance of a certification (valid for one year) by HITRUST.
Visit the HITRUST website to learn more about the i1 assessment and certification.
The HITRUST Risk-based, 2-Year (r2) Validated Assessment + Certification
This is the legacy HITRUST CSF Validated Assessment – nothing has really changed except the name. The r2 assessment retains its position as a tailored assessment that considers scoping factors to determine the size of the assessment. The r2 is most suitable for high-risk scenarios where a high level of assurance is required. The r2 assessment has no equal in the industry, but it is considered to be a challenging and exhaustive assessment, involving five times the level of effort of the i1 assessment.
In our experience, FedRAMP is the most similar in terms of level of effort, but the two are not equal in scope or depth of assessment. Like the i1, the r2 can be performed as a readiness assessment or as a validated assessment with certification; however, the r2 certification is valid for two years, provided an interim assessment is completed satisfactorily at the one-year mark. Visit the HITRUST website to learn more about the r2 assessment and certification.
To understand the detailed nuances between the various assessment and certification options, we suggest reviewing the HITRUST Assessments Portfolio Overview.
Is an Authorized CSF Assessor Required for HITRUST?
Yes! To achieve HITRUST certification, an organization is required to work with an External Assessor Organization which has been vetted and approved by HITRUST to perform validated assessments. Beyond the requirements placed on the assessor organization itself, there are also requirements around the background, training, and certification of individual assessors.
To serve our clients as an external assessor organization, we maintain a staff of experienced and qualified assessors who are certified by HITRUST. Our HITRUST assessors complete annual training activities and hold industry licenses and certifications including the CCSFP, CHQP, CISA, CISSP, CPA, and others.
What is HITRUST MyCSF?
As mentioned above, access to the HITRUST CSF is free. The MyCSF tool, on the other hand, is a SaaS platform that allows organizations to navigate the HITRUST assessment process. It includes functions to allow the scoping and execution of the engagement, which includes the development of narrative responses, the linking of evidence to items, and scoring capabilities along with other advanced functions including powerful analytics and reporting capability.
What is CSF Certification & Assessment?
HITRUST certification and assessment are actually performed against a subset of the HITRUST CSF and the size of the assessment depends on the desired certification and potentially, scoping factors. If the organization wishes to undergo a formal HITRUST assessment, access to MyCSF is required. Access to MyCSF is offered on both a subscription model as well as a one-time assessment model. In our experience, most clients choose to obtain the subscription model as it offers two distinct advantages over the one-time-assessment model:
- Reduced assessment management costs: With a HITRUST MyCSF subscription, an organization can save both time and money by maintaining data and Corrective Action Plans (CAPs) from assessments, significantly reducing data entry by internal and external resources when performing future assessments. Without this, each assessment becomes a standalone activity and there is significant repetition of work between assessments.
- Continuous real-time visibility of compliance stature: For more mature organizations which desire to move to a continuous monitoring methodology, the MyCSF tool can be leveraged to provide visibility into the organization’s risk posture throughout the assessment lifecycle.
While scoping factors are not applicable to the i1 assessment, for organizations pursuing certification of an r2 assessment, access to MyCSF is also required to determine the size of the assessment due to scoping factors. If your organization does not already have access to MyCSF, you can work with one of our auditors to scope the size and complexity of your assessment before you commit to the purchase of MyCSF access. We can also share insights into the various subscription options available.
Can MyCSF Replace My Current GRC Platform?
We often get this question – we have found that most organizations do not use MyCSF as their formal system of record for GRC purposes. MyCSF does offer some GRC capabilities, but most organizations leverage the features of a full-featured GRC platform to supplement MyCSF usage. This is one reason why MyCSF supports integration with major GRC platforms and the HITRUST Assessment XChange.
How Long is HITRUST Certification Good For?
Since the bC assessment does not lead to certification, there is no defined renewal period. However, most organizations leverage an annual cadence for the solicitation and review of audit reports and questionnaires as part of their vendor management program.
The i1 certification is good for one year. Similar to other audits performed by organizations including SOC 1 reports, SOC 2 (how does it compare to HITRUST?), PCI (how does it compare to SOC 2?), HIPAA (what is the full scope?), and others, the full assessment must be performed annually and the certification issued by HITRUST each year. There are no interim or bridge assessments for the i1 assessment.
The r2 certification is valid for two years from the date of certification. That said, after one year of certification, an organization must undergo an interim assessment to ensure the organization has made satisfactory progress on any gaps identified during the initial certification assessment and has continued to operate the information security program in a satisfactory manner. If everything checks out, then the certification is maintained until the two-year mark, at which time a new, comprehensive validated assessment is required.
The interim assessment is generally a much smaller subset of the original number of requirement statements, but the testing and evaluation criteria are the same as during the initial assessment. It’s important to understand that if an organization undergoes a significant change to the size, scope, or major systems in the environment, a full assessment will be required even if the organization is due for an interim assessment. The bottom line is that the scope of the assessment cannot change significantly between the initial assessment and the interim assessment. If it does, a full assessment will be required. Be sure to talk to your assessor about this as part of your strategic plans if you have any questions.
Who Should Get HITRUST Certification?
This is often a challenging question to address. First of all, we typically suggest that organizations start with a SOC 2 audit as a starting point if they have not previously engaged in any form of information security examination. This is because SOC 2 is an excellent primer to get an organization used to the policy and implementation requirements which are greatly expanded for HITRUST. Think of it as training wheels. If SOC 2 is an option, then consider starting with SOC 2 before initiating HITRUST, or consider the benefits of both.
Next, the advice we give to our clients is that if there is a sufficient business justification to warrant HITRUST certification, then starting with a readiness assessment is the best way to set the organization up for a successful validated assessment. We know HITRUST compliance and certification is a major investment and requires significant resources to be successful. Our auditors are happy to talk through the selection criteria and help navigate discussions our clients may have with their customers when HITRUST certification is being requested.
Lastly, organizations should consider whether undergoing an i1 assessment is a reasonable entry point for HITRUST certification. Even if an organization’s long-term plan is to obtain r2 certification, the i1 may offer an ideal starting point.
What Does HITRUST Certification Mean For My Organization?
HITRUST certification means that the organization has undergone a thorough assessment of the information security program focused around a given scope which is generally limited to one or more implemented systems. Generally, an organization does not pursue HITRUST certification for the entire organization, as the application of stringent information security requirements across the board is inefficient from a risk and resource allocation perspective.
The achievement of HITRUST certification requires:
- Satisfactory completion of a HITRUST validated assessment by an external assessor firm such as Linford & Company.
- Validation of the quality and accuracy of the assessment by HITRUST through the HITRUST quality assurance process.
Are you trying to compare HITRUST to other assessment frameworks in the cybersecurity space? If so, read this whitepaper comparing CSF, ISO 27001, and NIST 800-53.
What Types of HITRUST Assessments Are There?
Readiness Assessment – A readiness assessment is designed to evaluate an organization’s readiness to successfully obtain HITRUST certification. This assessment may or may not be done through the MyCSF tool, and in lieu of a formal HITRUST report being issued, a list of gaps and remediation guidance is produced and provided to guide the client through the remediation process in preparation for an assessment.
Self Assessment – Organizations may choose to perform a self-assessment against the applicable CSF requirements within the myCSF tool. HITRUST will also perform a limited validation of the self-assessment results that can be shared with a relying user entity. We have seen organizations get good value from a self-assessment when they have the appropriate skills and expertise as well as score themselves fairly without bias. We have had a few clients perform a self-assessment and score themselves with perfect scores without providing sufficient support for us to come to the same conclusions. It pays to be hard on yourself during the self-assessment. It’s important to note a self-assessment does not result in certification. If certification is the goal, a validated assessment is required.
Validated Assessment – A validated assessment must be performed by a HITRUST assessor firm. A validated assessment requires an authorized external assessor to assess compliance with the applicable HITRUST CSF requirements. A validated assessment must be performed for an organization to become HITRUST certified. Upon completion of a validated assessment, an organization can pay a HITRUST certification fee, submit any corrective action plans, and have HITRUST spot-check the results of the validated assessment. If no significant issues are identified beyond what was identified in the validated assessment, an organization will receive a HITRUST certification and certification letter.
HITRUST Certification Cost
HITRUST compliance and certification costs vary by the type of assessment and whether certification is desired. For perspective, many of our SOC 2 clients have 80-100 controls tested within a SOC 2 report. Currently, an i1 validated assessment includes 219 specific requirements, and a typical r2 validated assessment may have upwards of 350 control requirements. Recent iterations have added more requirements to r2 validated assessments, so scoping of the assessment is required to determine the level of effort.
For an i1 assessment, which is implementation-focused, the assessor will only assess the implementation of controls, so those 219 requirements will be assessed for implementation only.
However, requirements in an r2 validated assessment are assessed for three to five different maturity levels. That could mean an assessor has to look at 1500 or more pieces of documentation or evidence to complete a validated assessment. Another reason for the higher fees is that assessor firms must pay an annual fee to HITRUST each year to maintain their assessor status.
Fees for the i1 and r2 validated assessments range from $40,000/yr to $250,000/yr depending on the factors associated with the assessment. A quality external assessor firm will want to go through a basic scoping process to understand the scope of the assessment before issuing a formal quote.
HITRUST Implementation Levels
Each of the controls defined by HITRUST has three different implementation levels associated with it. The implementation levels build on each other: a Level 3 implementation includes all of the Level 1 and Level 2 implementations as well. Implementation levels are built upon three unique risk factors:
- Organization factors: e.g., the type of organization or the size of the organization.
- System factors: e.g., internet connections, number of records, or the use of mobile devices in the organization.
- Regulatory factors: e.g., state or specialized industry requirements.
These levels are only relevant to r2 validated assessments since the bC and i1 assessments do not leverage scoping factors to tailor the assessment to the organization’s risk profile.
What Are the HITRUST Domains?
It’s important to understand how the hierarchy of requirements works within a HITRUST assessment.
Domains: The HITRUST CSF starts out at the domain level. Domains are major practice areas within information security and regulatory compliance; examples are Endpoint Protection, Risk Management, and Data Protection & Privacy.
Control Families: Controls are broken down from the domain level into control families. These can be thought of as a group of controls that may be spread across multiple domains. They are also commonly referred to as control objectives.
Requirement Statements: Requirement statements are the most detailed level of control assessment and are where evidence is obtained to assess the maturity of the organization’s operation of controls to address the requirement, which may vary in depth and detail based on the HITRUST implementation levels addressed above.
What is a HITRUST Control?
It’s important to understand there are some vernacular differences between HITRUST and the rest of the information security industry. Where the industry tends to focus on controls, HITRUST focuses on requirements in lieu of what we typically call controls.
Per HITRUST, a control objective is the desired outcome of the successful implementation and operation of a control. HITRUST requirements are the activities which, when performed according to HITRUST specifications, will result in the effective operation of a control and achievement of the control objective. I’ll break this down:
Control Objective: The organization ensures organizational personnel are qualified to perform assigned duties in the areas of information security and incident response.
Control: Background checks, education verification, and reference checking will be used to perform screening activities.
Requirement: Perform background screening and assess risk for all personnel prior to the start of employment.
Maturity Levels & Scoring
Scoring for the i1 assessment is relatively simple. For an i1 Validated Assessment to achieve certification, no assessment domain’s straight-average score can be lower than 83% when considering only the “implementation” score associated with a given requirement and the evaluative elements associated with it.
However, scoring in an r2 assessment is much more complicated.
To receive certification following an r2 validated assessment, you must have a score of at least 62% (HITRUST 3-) in each domain, with corrective action plans for any requirements scoring less than 62%. One key lesson we have learned is that if it is your organization’s first time through HITRUST, you might consider focusing on policy, procedure, and implementation scores as opposed to measured and managed scores. Identifying metrics related to certain processes can be difficult at times. If you have a 75% score without evidence of measured and managed, you are meeting the HITRUST requirement.
When organizations hold themselves out as HITRUST certified, they don’t typically offer the score from the Validated assessment. As a result, ask yourself if it’s worth the brain cells to go after a few extra points. That same time could be focused on documenting policies and procedures that are not in place and implementing required controls. Remember that a perfect policy, procedure, and implementation score gets you a 75% which does not even require a corrective action plan for a requirement.
The following illustration shows the maximum points available for each HITRUST maturity level when undergoing an r2 assessment.
- Policy – 15%
- Procedure – 20%
- Implemented – 40%
- Measured – 10%
- Managed – 15%
HITRUST scoring is a complex topic. For a more in-depth breakdown, take a look at How to Score HITRUST CSF Controls?
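The following is an added example, not code from the article, Linford & Co., or HITRUST: a small model of the scoring rules described above (the maximum points per maturity level, the 62% domain minimum and CAP threshold for r2, and the 83% implementation-only domain minimum for i1). It assumes, as a simplification, that each requirement records the fraction (0.0 to 1.0) of each maturity level’s maximum points that it earned, and the requirement identifiers and scores are constructed sample data.

```python
"""Model of the r2 and i1 certification scoring rules described in the article.

Added example; the per-level fraction representation is an assumption made here,
not the HITRUST rating scale itself.
"""
from dataclasses import dataclass
from statistics import mean

# Maximum points per maturity level for an r2 requirement (from the article).
R2_MAX_POINTS = {"policy": 15, "procedure": 20, "implemented": 40,
                 "measured": 10, "managed": 15}
R2_DOMAIN_MINIMUM = 62.0  # every domain must average at least 62% (HITRUST 3-)
R2_CAP_THRESHOLD = 62.0   # requirements scoring below this need a CAP
I1_DOMAIN_MINIMUM = 83.0  # i1: no domain's straight-average implementation score below 83%


@dataclass
class Requirement:
    ident: str
    domain: str
    attained: dict  # maturity level -> fraction of that level's max points earned (0.0-1.0)


def r2_requirement_score(req: Requirement) -> float:
    """Weighted score out of 100 for one requirement in an r2 assessment."""
    return sum(points * req.attained.get(level, 0.0)
               for level, points in R2_MAX_POINTS.items())


def i1_requirement_score(req: Requirement) -> float:
    """i1 assesses implementation only, so the score is the implemented fraction as a percent."""
    return 100.0 * req.attained.get("implemented", 0.0)


def domain_averages(reqs, score_fn) -> dict:
    """Straight average of requirement scores within each domain."""
    by_domain = {}
    for req in reqs:
        by_domain.setdefault(req.domain, []).append(score_fn(req))
    return {domain: mean(scores) for domain, scores in by_domain.items()}


def evaluate_r2(reqs) -> dict:
    """r2 rules: every domain averages >= 62%, and any requirement < 62% needs a CAP."""
    averages = domain_averages(reqs, r2_requirement_score)
    caps = sorted(r.ident for r in reqs if r2_requirement_score(r) < R2_CAP_THRESHOLD)
    failing = sorted(d for d, avg in averages.items() if avg < R2_DOMAIN_MINIMUM)
    return {"domain_averages": averages, "caps_required": caps,
            "failing_domains": failing, "certifiable": not failing}


def evaluate_i1(reqs) -> dict:
    """i1 rules: every domain's straight-average implementation score >= 83%."""
    averages = domain_averages(reqs, i1_requirement_score)
    failing = sorted(d for d, avg in averages.items() if avg < I1_DOMAIN_MINIMUM)
    return {"domain_averages": averages, "failing_domains": failing,
            "certifiable": not failing}


# Constructed sample data. FIRST_YEAR is the article's suggested first-year strategy:
# full policy, procedure and implementation evidence, no measured/managed evidence (75%).
FIRST_YEAR = {"policy": 1.0, "procedure": 1.0, "implemented": 1.0}
SAMPLE = [
    Requirement("REQ-1", "Risk Management", FIRST_YEAR),
    Requirement("REQ-2", "Risk Management",
                {"policy": 1.0, "procedure": 0.5, "implemented": 0.25}),
    Requirement("REQ-3", "Endpoint Protection", FIRST_YEAR),
    Requirement("REQ-4", "Endpoint Protection",
                {"policy": 1.0, "procedure": 1.0, "implemented": 0.75}),
]

if __name__ == "__main__":
    print(evaluate_r2(SAMPLE))
    print(evaluate_i1(SAMPLE))
```

In the sample, REQ-2 scores 35% and drags the Risk Management domain to 55%, so it needs a CAP and blocks r2 certification, while Endpoint Protection passes at 70%; under i1 the same requirement's 25% implementation score pulls its domain to 62.5%, below the 83% bar.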
What is HITRUST Inheritance?
HITRUST inheritance, also known as the Shared Responsibility Model, is valuable to organizations utilizing services from other HITRUST-certified entities. For example, if your organization is planning to obtain HITRUST certification for a SaaS platform that is hosted in AWS, the organization can reduce the number of requirements it is responsible for during the assessment by inheriting compliance with approximately 10% of its requirements.
The inheritance process is simple to navigate and is one of the first activities performed during the assessment. In some cases, the requirement is inherited at a rate of 100%, which means no responsibility lies with the client organization. In other cases, the requirement may be inherited at 50% which means even though the cloud service provider may be partially responsible for a requirement, the client organization must still address their compliance with that requirement during an assessment. For more information on how to inherit controls in the HITRUST process, visit the HITRUST Shared Responsibility and Inheritance Program.
HITRUST Lessons Learned: Keys to Success
To summarize, here are some tips to make for a smoother adoption of HITRUST:
- When you do scope the coverage of your i1 or r2 assessment, do so wisely and cover only the services that are most relevant to the user entities that are demanding HITRUST certification.
- Leverage SOC 2 when possible, consider using SOC 2 as a starting point in your journey to HITRUST compliance, and explore if the i1 assessment is an appropriate step in your HITRUST journey if the r2 certification is your intended goal.
- Perform a thorough self-assessment and identify specific evidence to support scores.
- Consider leaving out measured and managed scoring and evidence for the first year. Focus on the policy, procedure, and implementation maturity levels, since those combine for the majority of the score for each requirement (75%).
- Know your resources and have resources available to remediate both policy and procedural gaps as well as implementation gaps. Although the i1 assessment is implementation-focused, there are many requirements associated with policy and procedure documentation.
Also, please contact us with any HITRUST-related questions. We are happy to consult about providing a HITRUST assessment for your organization.
This article was originally published on 9/26/2018 and was updated on 5/25/2022.
Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, CCSFP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.