As a Certified HITRUST External Assessor Organization, Linford & Company has the information security and healthcare expertise to help your organization become HITRUST certified. Whether you are just adopting the HITRUST Common Security Framework (CSF) or are looking for an assessor to validate your HITRUST self-assessment, our professionals will guide you step-by-step through the HITRUST certification process to help your company achieve its objectives.

To maintain our authorization to serve our clients as an external assessor organization, we maintain a pool of experienced and qualified assessors who are vetted by HITRUST. Our HITRUST assessors complete annual training activities and hold industry certifications including the CCSFP, CHQP, CISA, CISSP, GSNA and others.

HITRUST Certification Overview

The HITRUST Alliance (now known simply as HITRUST) was formed in 2007 to advocate programs that safeguard protected health information (PHI) and manage information risk for healthcare providers and their third-party service organizations. HITRUST has continuously developed a certifiable framework, the HITRUST Common Security Framework (CSF), to help entities that transmit and store sensitive data address their information security risk. The HITRUST CSF is built on regulatory and industry standards (e.g., HIPAA, ISO 27001, NIST, PCI DSS and CMMC) and is the most widely adopted security framework in the U.S. healthcare industry and beyond. Through a formal certification process that sets it apart from other frameworks, HITRUST certification provides assurance to your clients that their information is protected by your organization.


HITRUST Audit & Assessment Services

All of our HITRUST audit services are provided in accordance with the HITRUST CSF Assurance Program. Linford & Company provides the following HITRUST audit services to our clients.

  • Readiness Assessment – Every organization is unique, so each has its own set of applicable controls from the HITRUST CSF. Our readiness assessment begins with a scoping exercise in which our team of professionals helps you identify the controls within the HITRUST CSF that apply to your organization. We then work with your team to map your organizational controls to the framework and identify “gaps” between the two. We provide recommendations for each finding that management may follow to remediate and prepare for the self-assessment and validated assessment needed for certification.
  • Validated Assessment – As a Certified HITRUST Assessor, Linford & Company can perform the validated assessments that HITRUST requires before it will issue a validated report and certification to an organization. Our services begin well before the validated assessment, as we walk our clients through each step of the HITRUST certification process. This includes providing guidance on setting up and using the MyCSF tool, reviewing the inputs used to generate the unique HITRUST CSF for your organization, and providing additional direction as needed during your self-assessment to facilitate the process. Our involvement during these steps results in an efficient validated assessment, in which we perform audit procedures to confirm the results of the self-assessment and submit them to HITRUST for certification through the HITRUST Assurance Program.

Linford & Company performs each audit engagement using a proven phased approach to deliver the utmost value to each organization. Throughout all phases of the HITRUST assessments, we will capture and share knowledge and best practices for use throughout the organization. For more information, please contact us.


Benefits of Linford’s HITRUST Assessments

  • We understand that every client is different. This is one of the reasons we insist on conducting scoping activities (getting to know your organization in terms of size, complexity and major systems in use) before we provide you with a quote for services. We want to ensure we are providing you with an accurate quote, based on our experience delivering dozens of HITRUST assessments each year.
  • We customize our delivery approach to fit the needs of our clients. In addition to MyCSF, we leverage collaborative tools that provide project management and communication support during our engagements, which keeps everyone on the same page regarding assessment progress.
  • Linford & Co. maintains a staff of seasoned, experienced professionals. We follow the expert model, which means every HITRUST certification auditor is an expert in the fields of IT audit and information security, bringing 15 years or more of experience in IT management and auditing.


Request a HITRUST Assessment & Certification



Common HITRUST Assessment/Certification Questions

How much does a HITRUST assessment cost?

  • Fees for a HITRUST Validated Assessment range from $40,000/yr to $250,000/yr depending on the factors associated with the assessment. It is important to remember that the cost varies greatly with the size and complexity of the environment being assessed. If you are looking for a more accurate estimate of fees, you should work with an experienced firm like Linford & Co. to properly scope the assessment before a quote is provided.
  • The fees paid to the HITRUST assessor firm are in addition to the fees paid to HITRUST for access to its MyCSF tool, which is typically a subscription ranging from $10,000/yr to $30,000/yr based on the needs of the organization.
  • To learn more about fees associated with HITRUST assessments, read our article on What is HITRUST?

How long does a HITRUST Assessment take?

  • Preparing for the assessment generally takes longer than the assessment itself. Clients often spend 1-2 months performing a readiness assessment with the assistance of our assessors, followed by 2-3 months of remediation, and then 2-3 months in a required “settling period” during which the organization operates the controls in the environment as required by HITRUST. Only after this 5-8 month preparation does the actual assessment begin.
  • The assessment itself is required to be completed within a span of 90 days. In most cases, clients finish the bulk of their work on the assessment in 8-10 weeks.
  • Once the assessment is completed, the results are submitted to HITRUST and undergo a quality assurance review, which occasionally results in additional assessment work by both the client and the assessor. HITRUST has significantly improved the schedule performance of its QA program, and this phase typically takes less than two months.

What are the biggest challenges for organizations preparing for HITRUST certification?

  • Procedural documentation: In our experience as assessors, this is by far the biggest challenge for organizations seeking HITRUST certification. Organizations often have sound policies in place and have implemented controls appropriately, but have not invested sufficient time and resources in establishing the formal procedures and other institutional processes that are an important part of demonstrating the level of maturity HITRUST requires. By working closely with an assessor during the readiness assessment, organizations can identify weaknesses in this area and resolve gaps before the validated assessment.
  • Not allocating enough resources: HITRUST is typically a very large assessment compared to SOC 2, NIST CSF and other frameworks. A typical engagement includes 250 requirement statements (a large engagement may have 450+), each evaluated across five maturity levels. Compare this to a SOC 2 engagement, which typically includes fewer than 100 controls assessed largely at the implementation level only. All of this places a significant draw on organizational resources that the organization must plan for in order to be successful.

Why Work with Linford for HITRUST Assessments?

  • We have experience delivering HITRUST assessments for a broad variety of HITRUST certified companies, from data center providers to health care exchanges to data analytics platforms and everything in between. We work with our clients to help them understand how HITRUST requirements apply to them, demystifying what can otherwise be a very intimidating assessment process.
  • We don’t make you talk to a gatekeeper or salesperson who knows very little about the actual nuances of the assessment process. When you contact Linford & Co. you speak directly to an experienced auditor who can answer questions you may have about your assessment needs.
  • We focus on the power of project management as part of the assessment process. Whether you lead the way in managing the project, or if you need support from your assessor performing project management activities, we are here to help with a variety of tools and resources to help reduce the complexity of the assessment process.

What are some tips I should know when considering HITRUST?

  • Consider alternate assessments. Some of your clients may be open to accepting a SOC 2 audit report in lieu of HITRUST certification. In that case, given the greater cost and resource demands of HITRUST, it is often wise to start with SOC 2 and grow into HITRUST as demand for it increases.
  • When you scope the coverage of your assessment, do so wisely and cover only the services that are most relevant to the user entities that are demanding HITRUST certification.
  • Leverage SOC 2 audit reports from service providers, or ideally, the Shared Responsibility and Inheritance mechanisms available through HITRUST.
  • Perform a thorough self-assessment with the support of a qualified assessor and identify specific evidence to support scores.
  • Consider leaving out measured and managed scoring and evidence for the first year. Focus on the policy, procedure, and implementation maturity levels since those combine for the majority of the score for each requirement.
  • Know your available resources and have resources available to remediate both policy and procedural gaps as well as implementation gaps.