What is HITRUST?

The Health Information Trust Alliance, or HITRUST, is a non-profit that provides a certifiable Common Security Framework (CSF) for protecting data and managing risk in the healthcare industry. HITRUST delivers an integrated approach that draws on numerous regulations, standards, and components to enable organizations to manage information risk.

A HITRUST CSF certification enables healthcare organizations to prioritize, assess, and remediate cybersecurity vulnerabilities before a data breach occurs, to discover compliance gaps, and to prove that they are committed to protecting customer data.

Who Does HITRUST Apply to?

All healthcare organizations and third-party business associates that handle, create, access, exchange, or store electronic Protected Health Information (ePHI) must be HITRUST CSF certified. These include:

  • Hospitals
  • Health networks
  • Physician offices
  • Pharmacies
  • Insurance companies
  • Healthcare providers and vendors

The CSF addresses numerous regulatory requirements and privacy and security standards, including:

  • NIST
  • HIPAA
  • FTC
  • PCI
  • COBIT
  • Red Flags
  • ISO
  • PCI-DSS

What is a HITRUST Assessment?

HITRUST offers three types of assessments.

  • Validated assessments

A “Validated assessment” is conducted and validated by a trusted third-party HITRUST assessor. The completed assessment is then submitted to HITRUST for approval and certification.

To ensure a successful HITRUST CSF assessment and HITRUST compliance, the certification scope must first be determined. The best assessor firms work with their clients to determine the appropriate scope based on the organization’s size, the types of systems deployed, and its business requirements, while also minimizing the time and cost of certification.

Next, the assessor performs the HITRUST Readiness Assessment to audit the entity’s policies, procedures, and capability to implement the certification requirements. Any existing gaps that need to be remediated (for example, new policies to implement, or existing IT security controls to update for in-scope systems) are also identified. These controls are then moved into the active remediation stage by developing a Corrective Action Plan (CAP).

Finally, the HITRUST Validated assessment is submitted to HITRUST for certification. Once obtained, the certification is valid for two years.

  • Self-assessments

A HITRUST self-assessment is performed internally within the healthcare organization to proactively identify gaps in its information and data security and in its compliance posture. However, a self-assessment does not lead to HITRUST certification.

  • Bridge Assessments

The Bridge assessment is for organizations seeking HITRUST CSF recertification. It is considered a temporary certificate, valid for 90 days after the previous CSF certification expires.

It also provides a way for the business to demonstrate that its control environment is unlikely to have degraded since the prior certification expired, and that it intends to complete a new certification.

What are HITRUST Controls?

There are 14 control categories in HITRUST:

  • Category 0.0: Information Security Management
  • Category 0.1: Access Control Security
  • Category 0.2: Human Resources Security
  • Category 0.3: Risk Management Policy
  • Category 0.4: Information Security Policy
  • Category 0.5: Information Security Organization
  • Category 0.6: Regulatory Framework Compliance
  • Category 0.7: Asset Management Security
  • Category 0.8: Physical and Environmental Security
  • Category 0.9: Communications and Operations Security
  • Category 0.10: Information Systems Management
  • Category 0.11: Security Incident Management
  • Category 0.12: Business Continuity Management
  • Category 0.13: Privacy Security Practices

Each of these categories includes multiple objectives, and each objective consists of numerous references. In total, there are 49 objectives and 156 references. However, the individual controls that must be implemented for compliance depend on the entity’s needs and on the applicability of each control specification.

Differences between HITRUST and SOC 2

Systems and Organizations Control 2 (SOC 2) is an audit procedure for companies and third parties that store customer data in the cloud. SOC 2 focuses on how data is handled according to five trust principles:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Security is the only criterion that must be covered in a SOC 2 report. The other four trust criteria are optional.

SOC 2 is useful for all kinds of organizations in any industry. HITRUST CSF can also be used in many industries, but it is most useful for healthcare organizations working with ePHI.

SOC 2 Type II reports are prepared by CPA firms and confirm whether a company has well-designed and effective controls to protect data in the cloud. HITRUST CSF validated reports must be prepared by a HITRUST CSF assessor.

In a SOC 2 report, a company’s management identifies its own controls. The HITRUST CSF, by contrast, prescribes the controls that organizations seeking certification must implement. If requirements score below a certain threshold, a Corrective Action Plan (CAP) must be submitted, which HITRUST reviews prior to certification.

Another key difference between SOC 2 and HITRUST is that SOC 2 is an attestation report, whereas HITRUST is a certification.

How Do I Get HITRUST Certified?

To achieve compliance, covered entities must implement the HITRUST CSF controls and verify that implementation through a self-assessment or an external validated assessment. The time needed to achieve compliance depends on the organization’s level of readiness and on the number of measures needed to implement the required controls.

An initial self-assessment can help determine certification readiness, followed by an external assessment that reviews the required processes and controls. The complete assessment can take 2-8 weeks, depending on the organization’s size and scoped environment. Validation then takes approximately 6 weeks before HITRUST certification is awarded.

For smooth HITRUST certification, it’s best to follow a systematic 7-step certification process:

  1. Adopt the Common Security Framework (CSF) and its 19 domains
  2. Adopt the HITRUST security controls, requirements, and control objectives
  3. Implement the right technologies to secure ePHI
  4. Document all policies, risk assessments, and technical configurations required during the assessment
  5. Conduct a self-audit to find gaps in regulatory compliance and security risks
  6. Hire a HITRUST-approved CSF assessor for the external audit
  7. Certify your CSF with HITRUST

Key Takeaways

  • Health Information Trust Alliance (HITRUST) provides a certifiable framework called the Common Security Framework (CSF)
  • The HITRUST CSF enables healthcare organizations to manage the risk to sensitive information and achieve compliance
  • Healthcare organizations and third-party business associates that handle electronic Protected Health Information (ePHI) must be HITRUST CSF certified
  • Three types of HITRUST assessment are possible: validated assessments, self-assessments, and bridge assessments