What is HITRUST, and why does it matter?

Among many security and compliance experts, the Health Information Trust Alliance or HITRUST® has become a well-known name with a lot of weight behind it. And that’s for a very good reason. But before we get into why HITRUST is important, let’s talk about what, exactly, HITRUST is and its significance in the realm of information security and data protection.

What is HITRUST?

Founded in 2007, HITRUST is an organization focused on security, privacy and risk management. It developed the HITRUST Common Security Framework (CSF) (HITRUST CSF) to provide organizations with a comprehensive security and privacy program designed to manage data, compliance and risk. It has become the most widely adopted security and privacy framework across industries globally, particularly in healthcare.

By becoming HITRUST certified, an organization can demonstrate its HITRUST compliance with the framework to anyone who needs that reassurance, from healthcare providers, hospitals and insurance companies, to any other organization needing assurances about the protection of sensitive information.

The nice thing about HITRUST is that it has mapped to different frameworks and regulations — such as those laid out by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Health Insurance Portability and Accountability Act (HIPAA) — into one central control repository. Being in compliance with the HITRUST CSF framework helps you to be in compliance with all these other frameworks and regulations, helping you cut down on the overall amount of time and effort your organization has to spend annually on compliance. Just take a second and think about how nice it would be to know that your organization is complying with HIPAA or any of the other regulatory requirements by performing a single HITRUST assessment. That’s the kind of peace of mind HITRUST aims to provide to assessed organizations and recipients alike.

Why HITRUST matters

HITRUST matters because it helps you manage risk, reduce the chances of a data breach and prove to outside parties that you take security and compliance seriously, especially when it comes to protecting patient data and other sensitive information in healthcare settings.

HITRUST has 19 domains that get assessed when you undergo HITRUST CSF Certification. These domains cover a huge range of security and privacy concerns. Their end goal is to make sure you have all the necessary HITRUST controls in place to drastically reduce the risk your organization takes on via its day-to-day operations.

To provide some examples, the HITRUST security framework wants to make sure your organization is doing things like securing mobile devices, releasing patches to prevent hackers from exposing a vulnerability and gaining access to your systems, reviewing the security programs of your vendors to help ensure your data is in safe hands, and restricting who has elevated privileges to your network. It wants to help ensure you have business continuity, disaster recovery and breach response plans.

While undergoing the HITRUST CSF Certification process, your organization can uncover existing gaps in its controls and determine what it needs to implement to close those gaps and reduce its risk. This process often involves a thorough gap analysis to identify areas for improvement.

The HITRUST CSF also provides the added value of being a continuous program. You recertify every two years, and for the years in between, you perform an interim HITRUST audit that randomly selects different controls and determines whether those controls are still being followed. This way, you can get annual reassurance that your security controls are in place and operating effectively, and that you remain in compliance with important regulations like HIPPA.

So, now you can see why HITRUST has some weight behind its name — and why many companies require HITRUST CSF Certification for third-party assurance from the vendors they work with. No matter if you’re a hospital, insurance company, tech company or other type of service provider, if you handle any type of personally identifiable information (PII), achieving HITRUST CSF Certification is a very good idea to enhance your overall cybersecurity posture.

What else you should know about HITRUST before getting started

HITRUST provides multiple assessment types to meet different organizational needs and compliance requirements.

The first is a readiness assessment (sometimes called a gap assessment or a self-assessment). It’s how you determine what you already have in place that meets the HITRUST CSF requirements and what you don’t. Plus, it further identifies what you need to do to address any gaps in your security controls.

The second is a validated assessment, which is required for HITRUST CSF Certification. It must be conducted by a HITRUST Approved External Assessor. The assessor uses HITRUST CSF’s assessment methodology, and the controls are scored using HITRUST’s maturity approach to control implementation.

Additionally, HITRUST has introduced new assessment options to cater to different organizational needs:

1. The e1 assessment: A streamlined approach for smaller organizations or those with less complex environments.
2. The i1 assessment: An intermediate option that balances rigor and efficiency.
3. The r2 assessment: The most comprehensive assessment, typically used for full HITRUST certification.

MyCSF® is HITRUST’s web-based assessment tool that helps organizations track and streamline the entire compliance and risk management process — filling out parameters, determining scope and uploading evidence. It’s also the same tool used by External Assessors to perform validated assessments.

Working with an assessor like Wipfli from the get-go can help improve your organization’s efficiency and understanding, since Wipfli knows the HITRUST approach inside and out and can help you navigate the HITRUST requirements and overall process. If you’d like to learn more about how Wipfli can help, click here.

Or continue reading on:

• HITRUST vs HIPAA: What is the difference?
• HITRUST vs SOC 2: Leveraging the best path to assurance
• Common misconceptions from a HITRUST Authorized External Assessor