

What is HITRUST, and why does it matter?

Sep 22, 2020

Among many security and compliance experts, HITRUST® has become a well-known name with a lot of weight behind it. And that’s for a very good reason. But before we get into why HITRUST is important, let’s talk about what, exactly, HITRUST is.

What is HITRUST?

Founded in 2007, HITRUST is an organization focused on security, privacy and risk management. It developed the HITRUST CSF® to provide organizations with a comprehensive security and privacy program designed to manage data, compliance and risk. It has become the most widely adopted security and privacy framework across industries globally.

By certifying against the HITRUST CSF, an organization can demonstrate its compliance with the framework to anyone who needs that reassurance, from healthcare providers, hospitals and insurance companies, to any other organization needing assurances.

The nice thing about HITRUST is that it maps the requirements of different frameworks and regulations — such as those laid out by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Health Insurance Portability and Accountability Act (HIPAA) — into one central control repository. Being in compliance with the HITRUST CSF therefore helps you be in compliance with these other frameworks and regulations, cutting down on the overall time and effort your organization spends on compliance each year. Consider how useful it would be to know that your organization is complying with HIPAA or any of the other regulatory requirements on the basis of a single assessment. That is the kind of peace of mind HITRUST aims to provide to assessed organizations and the recipients of their reports alike.

Why HITRUST matters

HITRUST matters because it helps you manage risk, reduce the chances of a data breach and prove to outside parties that you take security and compliance seriously.

HITRUST has 19 domains that get assessed when you undergo HITRUST CSF Certification. These domains cover a huge range of security and privacy concerns. Their end goal is to make sure you have all the necessary controls in place to drastically reduce the risk your organization takes on via its day-to-day operations.

To provide some examples, HITRUST wants to make sure your organization is doing things like securing mobile devices, applying patches so that attackers cannot exploit a known vulnerability to gain access to your systems, reviewing the security programs of your vendors to ensure your data is in safe hands, and restricting who holds elevated privileges on your network. It also wants to ensure you have business continuity, disaster recovery and breach response plans.

While undergoing HITRUST CSF Certification, your organization can uncover existing gaps in its controls and determine what it needs to implement to close those gaps and reduce its risk.

The HITRUST CSF also provides the added value of being a continuous program. You recertify every two years, and for the years in between, you perform an interim checkup that randomly selects different controls and determines whether those controls are still being followed. This way, you can get annual reassurance that your controls are in place and operating effectively, and that you remain in compliance with important regulations.

So, now you can see why HITRUST has some weight behind its name — and why many companies require HITRUST CSF Certification from the third-party vendors they work with. No matter if you’re a hospital, insurance company, tech company or other type of service provider, if you handle any type of personally identifiable information (PII), achieving HITRUST CSF Certification is a very good idea.

What else you should know about HITRUST before getting started

HITRUST provides two assessment options.

The first is a readiness assessment (sometimes called a gap assessment or a self-assessment). It’s how you determine what you already have in place that meets the HITRUST CSF requirements and what you don’t. Plus, it further identifies what you need to do to address any gaps.

The second is a validated assessment, which is required for HITRUST CSF Certification. It must be conducted by a HITRUST Approved External Assessor. The assessor uses HITRUST CSF’s assessment methodology, and the controls are scored using HITRUST’s maturity approach to control implementation.

MyCSF® is HITRUST’s web-based assessment tool that helps organizations track and streamline the entire compliance and risk management process — filling out parameters, determining scope and uploading evidence. It’s also the same tool used by External Assessors to perform validated assessments.

Working with an assessor like Wipfli from the get-go can help improve your organization’s efficiency and understanding, since they know HITRUST inside and out and can help you navigate the requirements and overall process. If you’d like to learn more about how Wipfli can help, click here.



Jacqueline Cooper, CPA, MBA, CCSFP, CISA