It’s a bird! It’s a plane! It’s… HITRUST! But what exactly is HITRUST? Well, that is a complicated question.
HITRUST is a risk management framework, but it’s also an organization. The HITRUST Alliance is a private entity that created the Common Security Framework (CSF), a certifiable framework that integrates and harmonizes various standards and regulations. The Alliance also developed supporting certifications (e1, i1, r2, etc.) and the MyCSF® assessment platform, a tool designed to streamline evaluations and reporting.
The HITRUST Alliance governs and supports the full ecosystem of its assurance programs. In short, it holds both the gavel and the sword when it comes to HITRUST programming.
At its core, HITRUST is an information protection standards organization and certifying body. Its mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries throughout the third-party supply chain.
While the HITRUST CSF is industry-agnostic, it has become the gold standard for healthcare organizations seeking to demonstrate a serious commitment to security, privacy, and compliance. Still, with existing frameworks like HIPAA, SOC 2, NIST, PCI, and ISO already in use, many organizations understandably ask:
Is HITRUST really necessary?
What is HITRUST Certification?
HITRUST certification serves both as a recognized outcome and a powerful tool for demonstrating trust in an organization’s security and privacy practices. It provides third-party assurance to customers and stakeholders that appropriate safeguards are in place.
To achieve this certification, HITRUST offers three core types of assessments, each tailored to an organization’s size, risk profile, and assurance needs. All three assessment types are built on the HITRUST CSF, which integrates and harmonizes requirements from over 100 authoritative sources. These include HIPAA, NIST, COBIT, ISO 27001, SOC 2, and GDPR, combined into a single, scalable control framework. This allows organizations to address multiple compliance obligations through one comprehensive assessment. Here is a brief overview of the three progressive assessment and certification types:
Essentials, 1-Year (e1) assessment and certification for foundational cybersecurity
- Provides entry-level assurance focused on the most critical cybersecurity controls and demonstrates that essential cybersecurity hygiene is in place
- 44 controls testing “implementation” scoring only
Implemented, 1-Year (i1) assessment and certification for leading security practices (2 years with rapid recertification in year 2)
- Provides a moderate level of assurance that addresses cybersecurity leading practices and a broader range of active cyber threats than the e1 assessment
- 182 controls testing “implementation” scoring only
Risk-based, 2-Year (r2) assessment and certification for expanded practices (with an interim assessment in year 2)
- Provides a high level of assurance that focuses on a comprehensive risk-based specification of controls with an expanded approach to risk management and compliance evaluation
- ~375 controls, on average, testing “policy, procedure, and implementation” scoring
There are also new AI Security and Risk Management assessments and certifications, as well as the ability to add on frameworks to the r2 certification and tailor it to your organization’s needs. Our recent article provides a more detailed breakdown and comparison of each certification type.
How Does the HITRUST Process Work?
Understanding your customers’ assurance needs is essential when selecting the appropriate HITRUST certification type. Regardless of which option you choose, the certification process is rigorous, standardized, and closely governed.
Every certification is reviewed and approved by the HITRUST Alliance. This level of oversight is critical. Without it, the certification would lose its credibility. This governance is often lacking in other standards-based frameworks. The structure and thoroughness of the HITRUST process are intentional, ensuring that the trust conveyed through certification is both consistent and meaningful.
The outcome of the certification is a validated assessment report and a certification badge, which can be used on your website, in documentation, or even in marketing materials. These are issued by the HITRUST Alliance through the MyCSF platform, in partnership with your certified External Assessor.
How HITRUST Compares to Other Frameworks
Bottom line: HITRUST doesn’t replace these frameworks; it consolidates and aligns them. Now that we understand what HITRUST is, our next article debunks three common myths about what it isn’t.
How Can Schneider Downs Help?
As an Authorized HITRUST External Assessor Firm, Schneider Downs has a strong track record with HITRUST protocols, providing trusted guidance and support throughout the certification process. For more information, contact our HITRUST team at: [email protected].
About IT Risk Advisory
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is not only to understand the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.
Related Articles:
- What HITRUST Isn’t: 3 Common Myths
- Teeing Up Success: Build a HITRUST-Ready Program Without the Burnout
