<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=323641658531367&amp;ev=PageView&amp;noscript=1">

If you’re reading this blog, you’re likely very aware that HITRUST certification and its proprietary MyCSF (Common Security Framework) is increasingly becoming the default choice for healthcare organizations. According to HITRUST’s over 80% of hospitals and health plans with over 500,000 members have adopted the framework.

In addition, over 4,500 professionals have obtained Certified Common Security Framework Practitioner (CCSFP) Designation and over 10,000 healthcare vendors have also adopted the certified framework. These numbers continue to grow – showing that HITRUST is here to stay.

Ever-increasing risk from cybercriminals combined with human error and malicious insiders is undermining healthcare cybersecurity. Healthcare data, a treasure trove of valuable information, is always under attack. HITRUST was developed to be the one overarching framework to ensure a comprehensive set of baseline security controls and to establish a single benchmark for organizations. HITRUST also wanted to follow the methodology of “Asses Once, Report Many” to reduce costs and to have a single, unified approach to compliance across organizations.

What makes HITRUST different to HIPAA?

Organizations handling Protected Health Information (PHI) already have to comply with HIPAA, so what is the difference between HIPAA and HITRUST?

  • HITRUST builds on HIPAA
  • HITRUST is tailored to the organization – HIPAA applies to everyone
  • HIPAA is a Federal requirement
  • HIPAA has defined penalties for security breaches. HITRUST is dependent on the healthcare industry itself.
  • Lastly, HITRUST CSF Certification is MUCH more rigorous than a HIPAA audit.

Are you thinking about HITRUST Certification?

Two words: be prepared.

HITRUST certification is a resource heavy initiative, and before you get started, you need to ensure that you have completed a scoping exercise to assess your current level of maturity. Involve a 3rd party assessor early in the process to avoid pitfalls. Ostendio can offer expert advice for HITRUST preparation and we work with a number of approved HIRUST assessor partners.

You should also be aware that HITRUST has three different report types which are:


  • Affordable
  • Quickly completed
  • Used as a stepping stone

CSF Validated

  • Requires an independent third-party assessor
  • Requires onsite testing

CSF Certified

  • Requires an independent third-party
  • Minimum maturity rating of 3+ for all domains

The requirements for HITRUST certification have changed for 2018. Additional protocols and requirements in version 9 include 75 core control statements, up from 66. These controls are based on FedRAMP (Federal Risk and Authorization Management Program), EHNAC (Electronic Healthcare Network Accreditation Commission), HIPAA OCR Audit Protocol and DHS requirements.

The lowest number of controls that must be assessed in a security assessment is 75 (version 9). For certification, your average level of compliance for the 75 required controls needs to equate to “Implemented”. The number of controls is not standardized – they differ by company. Again, we highly recommend getting expert support early on in the process to avoid pitfalls. If you under assess your final certified report may not be sufficient for your customer.  If you over assess, you may find it difficult to meet the requirements.

It is vitally important to note that both your HITRUST preparer and the approved 3rd -party assessor you choose should remain independent of each other. That is why Ostendio works with a number of approved HITRUST assessors – to keep the relationship independent.

Once you are Certified (which will typically take anything from 6-18 months), the HITRUST certification is valid for two years. But there’s no resting on your laurels. You’ll have an interim review about every 12 months, or if there are major material changes within the company such as an ownership change or an acquisition.

Tips Before Beginning HITRUST Certification

  • Document everything. If you didn’t document it, it didn’t happen.
  • Track everything. HITRUST requires you to provide historical records for the period being audited.
  • Proper scoping is essential. You need to assess your current maturity level, and determine whether you have the internal resources available and committed
  • Engage a HITRUST expert early on in the process – we have a list of helpful questions to ask your HITRUST vendors before engaging with them
  • The assessment typically takes longer than you think it will
  • Passing the audit doesn’t necessarily equate to improved security

Ready to get started? Have any other questions? Contact us today to discuss your pathway to HITRUST success.

Post by Ostendio
March 14, 2018