Wondering how to prepare for HITRUST? You've come to the right place. This guide walks you through HITRUST basics, how to get certified, and much more.
In 2021, healthcare data breaches hit a new record high, affecting 45 million people.
Because it holds such an enormous volume of patient data, healthcare is one of the most at-risk industries for data breaches. Every second, new healthcare records are stored and transmitted between healthcare providers, pharmaceutical companies, and integrated technologies. So it is not surprising that one does not have to look far to read about a healthcare data breach.
Those familiar with the world of cybersecurity recognize HITRUST as a preeminent data security standard for safeguarding healthcare information.
This resource will give you a stronger understanding of the HITRUST framework, including security benefits, costs and how to prepare for certification.
Let’s get started.
HITRUST stands for Health Information Trust Alliance. It was created in 2007 as an independent, not-for-profit organization with the goal to develop and enhance security programs designed to safeguard Protected Health Information, or PHI.
Initially, the Alliance was founded to create a third-party certification for the healthcare industry that also incorporates HIPAA controls, known as the HITRUST Common Security Framework (HITRUST CSF). Since its inception, the Alliance has broadened its services and capabilities to help organizations across multiple industries manage risk and compliance.
Nonetheless, HITRUST CSF remains a go-to security framework for healthcare organizations, with 81% of hospitals and 80% of health plans leveraging the framework.
The HITRUST CSF is a widely adopted framework that gives organizations across industries a single, comprehensive approach to implementing controls and demonstrating compliance with a broad range of security standards and regulatory frameworks.
This risk- and compliance-based framework maps to a variety of standards and regulations, including ISO 27001/27002, SOC 2, PCI DSS, SSAE 16, NIST, HIPAA, and many more. Because of this unified approach, organizations can use the HITRUST CSF to tailor their security programs to their organization type, size, systems and compliance requirements.
A HITRUST Validated Assessment is the assessment that leads to certification for organizations that handle PHI or other sensitive information that must be protected. The goal of HITRUST certification is to give organizations a single, holistic approach to managing risk and demonstrating compliance. When an organization passes a HITRUST Validated Assessment and receives a certification letter, that letter and the associated report demonstrate to the organization’s customers and stakeholders that it has taken rigorous steps to protect the sensitive information in its care.
No. HITRUST is not limited to healthcare: any organization, regardless of industry, can seek HITRUST certification. Whether you are a startup or a large enterprise, HITRUST can be a valuable framework to consider even outside of healthcare.
While we mostly refer to healthcare providers throughout this resource, more organizations are adopting HITRUST due to its comprehensive nature.
HITRUST itself is not federally mandated. It does, however, incorporate controls from regulations and standards such as HIPAA (a federal law), ISO 27001 and PCI DSS, which makes it a desirable framework for companies that also need to demonstrate compliance with those requirements.
HITRUST and HIPAA may sound similar, and both are concerned with protecting health information, but they are actually very different.
For starters, HIPAA is a U.S. federal law. HIPAA, the Health Insurance Portability and Accountability Act of 1996, requires that covered entities and business associates protect sensitive health information. HIPAA is made up of three main rules: the Privacy Rule, the Security Rule and the Breach Notification Rule.
HIPAA lays the groundwork for protecting PHI, but it does not provide a framework for comprehensively implementing controls, nor does it provide a mechanism for an organization to demonstrate with a high degree of assurance that it has done so successfully.
HITRUST provides both the framework and the independent third-party report that enables organizations to prove they have implemented the necessary controls to protect PHI.
As mentioned in the previous section, HITRUST CSF is a comprehensive security framework that addresses both security risk and compliance. Think of it as an “umbrella framework” that embodies the requirements of several other standards and regulations, such as HIPAA, PCI, and GDPR. While HITRUST isn’t a federal regulation like HIPAA, the majority of U.S. hospitals and health systems have adopted HITRUST, and many organizations require that their third parties become HITRUST certified.
HITRUST ultimately allows organizations to identify security measures that align with their risk factors, such as their organization type, company size, technology systems and regulatory requirements.
We cover this and more in our eBook: HITRUST® Certification: Is It Right For Your Organization?
There are many reasons organizations choose to get HITRUST certified.
For example, healthcare providers’ reliance on technology to store and transmit PHI has grown. With this adoption comes the need to demonstrate compliance with many state and federal regulations, standards and security frameworks. HITRUST streamlines this by addressing those standards in one, single risk-based approach.
Below are some key benefits to investing in HITRUST:
Healthcare customers know that cyber threats and risks are very real. They want to know that their information is being handled carefully and responsibly by healthcare organizations, and that it will not fall into the wrong hands.
A HITRUST-certified organization can readily demonstrate this to customers and third parties, because HITRUST is widely regarded as a gold standard. It is among the most comprehensive frameworks available, providing multiple levels of assurance over risk management and compliance. It is considered a rigorous yet effective approach that strengthens an organization’s standing as a leader in security.
HITRUST updates its methodologies, programs and solutions regularly to keep pace with changing regulations. Companies that achieve the HITRUST r2 certification (the two-year HITRUST certification) must perform an interim assessment after the first year and recertify every two years. Companies that opt for the HITRUST i1 certification must recertify every year to stay current.
HITRUST embodies several types of security frameworks and standards, making it a holistic approach to healthcare data security. As a result, it’s easy for an organization to produce multiple reports with one assessment, if needed.
HITRUST is also a repeatable process. Once an organization achieves an initial certification, the process becomes easier and more cost-effective year after year.
HITRUST is one of the most demanding security frameworks to implement and certify against.
The HITRUST CSF Assurance Program recommends a two-step process: a readiness assessment followed by a validated assessment.
Previously known as a HITRUST Self-Assessment, the HITRUST Readiness Assessment lets organizations work on their own, or with an experienced consultant, to evaluate their existing security program against the HITRUST controls that are in scope for them and determine how close they are to being ready for the rigorous testing required to pass a Validated Assessment and get certified.
The readiness assessment provides a valuable gap analysis that helps the organization understand how much control implementation work remains before the audit begins. In fact, HITRUST recommends performing one. Additionally, for a small fee HITRUST will issue a Readiness Report that the organization can use to show clients and stakeholders that it is on the path toward a HITRUST Validated Assessment.
To complete a HITRUST readiness assessment, you will need to purchase a subscription to the HITRUST MyCSF platform to identify your risk and scoping factors and access the specific control requirements targeted for your organization.
A HITRUST Validated Assessment is performed by an independent third party, a HITRUST Authorized External Assessor. After selecting an assessor, the organization purchases a MyCSF subscription as well as a validated assessment report from HITRUST. The assessor reviews and validates the organization’s maturity scores for the applicable set of controls and submits the assessment to HITRUST for review.
If the organization scores high enough in each of the 19 domains of the HITRUST assessment, HITRUST grants a letter of certification together with the validated assessment report.
There are direct and indirect HITRUST costs. Overall, the cost of a HITRUST certification can be expensive, but it varies by organization.
Let's break down these costs.
Direct costs are fees to HITRUST and fees to your assessor.
For a small company, HITRUST fees may range from a few thousand dollars to $15,000, and assessor fees can start at $30,000.
For large companies with a higher risk profile, costs sit at the upper end: direct costs can reach $175,000.
HITRUST is not a walk in the park. It will cost your team time and productivity as well.
Employees will need to prepare, collect and submit evidence for certification, which consumes productivity and displaces other work. Depending on your risk profile, you may be implementing anywhere from 300 to as many as 2,000 control requirements. Demonstrating compliance alone can take roughly 30 minutes to an hour per control, before counting the time spent deciding how to implement each one, selecting and deploying tools, writing policies and procedures, rolling the control out across the organization, and verifying that it continues to operate correctly day in and day out. Many organizations hire one or two full-time staff to prepare for and pass their HITRUST assessments.
In addition to labor, indirect costs also include software and tools needed for execution.
Costs and fees depend on your overall risk profile, company size, technology required, and the hours spent preparing and submitting evidence. It is important to budget time to prepare for HITRUST certification: some companies take 18 or even 24 months to prepare for their first Validated Assessment.
Now that we have summarized the costs, it is worth reframing how you think about them. Treat HITRUST as an investment rather than a cost. Sticker shock is normal, but the long-term value of HITRUST cannot be ignored. Think of it as an investment in an ongoing, comprehensive risk management program.
Preparing for HITRUST is no easy task. It requires hundreds of staff hours, evidence to collect and submit, and external assessors to vet.
HITRUST is daunting, but it’s doable. With the right team and support, the HITRUST process can be a smooth-sailing, successful experience for all involved.
Below are five tips that will help you prepare for HITRUST certification.
When seeking a HITRUST certification, everyone should be made aware–and we mean everyone: employees, stakeholders, assessors and HITRUST itself. You will certainly need buy-in from executives, but everyone should understand their role in the process.
Even employees with no direct involvement in the HITRUST audit should understand that the company is revamping and improving its security program. It will likely affect them at some point, because improved policies and procedures change how people do their jobs.
In the previous section we reviewed the indirect HITRUST costs. Be sure to allocate time to your team, especially your IT team. Your security, operations and IT departments will do the heavy lifting and take on most of the HITRUST workload, so include them from the outset and budget the necessary time and resources for them. Many auditors recommend working with experienced HITRUST consultants as well as hiring at least one full-time person to support the assessment.
HITRUST requires records for each audited period. You will be asked when you’ve updated your systems, policies and procedures, and you’ll need the evidence to back up those claims. Be ready with any documentation to support changes to your operations. If you already have an integrated risk management platform with built-in documentation, you’re already a step ahead.
It may take your team weeks to months to collect and prepare evidence, so having a system in place to easily retrieve the latest documents and notes for your HITRUST certification (now and in the future) will make your life easier.
For your HITRUST process to succeed, your organization needs to understand its scope and security maturity level. Although the HITRUST CSF is flexible and can be tailored to nearly any organization, it is important to purchase a MyCSF subscription early so you can access and understand your specific risk factors and apply the framework appropriately. Working with an outside HITRUST vendor can help you understand your company’s risk factors and set them correctly.
HITRUST takes a lot of time and effort, and it is an ongoing process: the r2 certification requires recertification every two years with an interim review after the first year, and the i1 certification requires recertification annually. The process gets easier with each cycle, but the first HITRUST attempt is rigorous.
If you need the extra hand, do not overlook the benefit of hiring a HITRUST preparer. If you are going to work with a HITRUST vendor, engage them early in the process. A preparer can help you with your readiness assessment and get you in shape for the real thing.
Like many security frameworks, HITRUST is not a checkbox. An r2 certification is valid for two years, but a scaled-down interim review on the first anniversary, along with ongoing maintenance, is required.
After you receive certification, your compliance team will need to complete Corrective Action Plans for any deficiencies, keep up to date with HITRUST CSF releases, continue to operate ad hoc, daily, monthly, quarterly and annual controls, and prepare for the next assessment.
Copyright ©2022 Ostendio, Inc.
All rights reserved