Preparing for HITRUST Certification
Here’s how to do it, why you should, and two checklists to help you succeed
The most effective way to meet the relentless challenges of the digital age is through a robust cybersecurity and regulatory compliance program. Several cybersecurity frameworks have been developed over time as roadmaps toward this goal and one, arguably, has become the gold standard.
The HITRUST CSF is a certifiable framework adopted by thousands of organizations, large and small, throughout the U.S. and beyond, as the most efficient means to achieve, demonstrate, and assure cybersecurity and compliance. Release of CSF v11.3 in April 2024 reaffirmed the HITRUST commitment to providing a comprehensive, up-to-date framework that continues to address evolving cyberthreats and regulatory requirements and meets the needs of your business.
The proven methodology of The HITRUST Approach is a unique, comprehensive pathway to information risk management and compliance that delivers the most robust assurance option available: HITRUST Certification.
Preparation is Key to Successful Certification
Preparing well for the official HITRUST Validated Assessment is an essential first step in a successful HITRUST Certification process. Smart preparation, in the form of a Readiness Assessment, enables you to evaluate the security of your organization, identify compliance gaps and security vulnerabilities, and remediate them prior to your Validated Assessment. It is far more economical and efficient to resolve issues during the preparation or readiness phase than after the official assessment has been completed by a qualified External Assessor.
On your journey to HITRUST Certification, Readiness is the step that confirms your controls are operating at the level the HITRUST Certification standards require. Once that work is done, your organization is in a position to undergo its first Validated Assessment for Certification. HITRUST trains and authorizes two types of organizations to assist customers on this journey; here is how they work together to help you:
- Readiness Licensees are organizations authorized by HITRUST to conduct Readiness Assessments and provide consulting on the HITRUST Framework and approved methodologies. A Readiness Assessment will help you identify compliance gaps and security vulnerabilities and remediate them before you engage an External Assessor to conduct the Validated Assessment.
- External Assessors are organizations approved by HITRUST to perform assessment services and conduct HITRUST Validated Assessments using the HITRUST Framework and methodology. They are trained and vetted resources that organizations of any size can depend on to assess performance and compliance with security control requirements and, when needed, help you develop corrective action plans.
You can find a list of External Assessors and Readiness Licensees on the HITRUST website.
To clarify their roles, think about the two assessments this way. When you want to obtain a valid driver’s license, for example, you don’t just walk into the DMV without preparing. Your readiness assessment is like practicing for your official driving test. Your guide (i.e., Readiness Licensee) helps you (1) study the rules of the road, (2) assess your vehicle for roadworthiness, ensuring all lights, signals, and brakes are working properly, (3) make repairs as needed, and (4) perform a test drive or practice run to prepare for the official test.
Once you are ready, your examiner (i.e., External Assessor) conducts your official test and submits the results to the DMV (HITRUST) for final review and approval. If everything looks good and your test goes well, you obtain your license (HITRUST Certification). By preparing well the first time, you significantly improve your chances of passing.
Choosing Your HITRUST Certification Level
HITRUST offers three certifications representing three security assurance levels. You will need to determine which level is right for your organization by choosing either:
- Essentials 1-Year (e1) Validated Assessment
- Implemented 1-Year (i1) Validated Assessment
- Risk-Based, 2-Year (r2) Validated Assessment
The v11 line of the HITRUST CSF, which v11.3 carries forward, reduced process redundancy and user effort by allowing r2 assessments to build on the work already completed for an i1 assessment. This decreases the average r2 assessment size without reducing control coverage, and it provides an approved path for organizations that wish to begin their certification journey at the i1 level and later upgrade to r2, applying their i1 effort toward that objective.
Note that HITRUST Certification at any level requires a Validated Assessment (e1, i1, or r2), and a Validated Assessment can only be performed by an Authorized HITRUST External Assessor.
For i1 or r2 certification in particular, HITRUST recommends that a Readiness Assessment be performed to prepare you for the Validated Assessment required to achieve HITRUST Certification.
Checklist 1: The Five-Step HITRUST Certification Process
The five-step certification process below is described in a HITRUST Certification Guide available on the HITRUST website.
Step 1: Identify your security and privacy controls by reviewing the HITRUST Framework, available for eligible organizations to download at no cost.
Step 2: Understand your organization’s current risk posture by performing a HITRUST Readiness Assessment. The Readiness Assessment will identify potential compliance gaps and security vulnerabilities for remediation and can be used as the basis for a conversation with an External Assessor.
Step 3: Your journey to certification will include preparing for and performing a HITRUST Assessment. The HITRUST MyCSF portal can streamline your efforts, collect information about your organization’s ability to mitigate risk and meet compliance obligations, and help you prepare for a Validated Assessment.
Step 4: HITRUST Assurance and Compliance teams will review your Validated Assessment and, assuming a passing score, will issue your HITRUST Certification. The HITRUST Assurance Program provides prescriptive methodology and granular oversight to ensure the consistency and quality of all HITRUST Assessments.
Step 5: Receive your HITRUST Letter of Certification, which is valid for two years for an r2 Assessment and for one year for an i1 or e1 Assessment. Maintain your r2 Certification by completing an interim assessment at the one-year mark. Because i1 and e1 Certifications are valid for one year, recertification at those levels is required annually.
For organizations seeking assistance in preparing for a HITRUST Validated Assessment, HITRUST Readiness Services are available from authorized Readiness Licensees, including 24By7Security.
Checklist 2: Preparing for HITRUST Certification
Following is a simple checklist to help you prepare effectively for your HITRUST Validated Assessment and Certification.
- Determine which level of security assurance and certification is most suitable for your organization: e1, i1, or r2, depending on your current security and compliance posture and the size and nature of your business.
- Review the HITRUST Framework to identify the controls and requirements that must be implemented for the level you select.
- Identify key stakeholders within your organization and establish a HITRUST team, ensuring that all relevant departments are represented.
- Engage a Readiness Licensee to conduct a HITRUST Readiness Assessment against the HITRUST Framework at the security assurance level you have selected.
- Have designated team members furnish existing documentation, policies, and procedures related to cybersecurity and compliance for review by the Readiness Licensee.
- Expect the Readiness Licensee to use internal audits, external testing, and other assessment tools to identify compliance gaps and security vulnerabilities, as well as controls that are missing or not properly implemented.
- Update documentation in accordance with HITRUST controls and requirements.
- Prioritize and conduct remediation activities to address deficiencies and fully implement the security assurance level you have chosen. This remediation step is essential to a successful Validated Assessment and Certification.
- Conduct final preparations for your Validated Assessment, including any coaching, guidance, and training needed to prepare your team for the Assessment.
HITRUST Also an Excellent Option for Healthcare
HITRUST has a long and useful history in healthcare. The HITRUST Framework was originally designed with HIPAA compliance as a central goal, and updates to the HIPAA regulations have been incorporated over time to keep its compliance requirements current and accurate.
Members of the healthcare industry understand that they must comply with the HIPAA Rules, including the Security Rule and Privacy Rule, even though compliance does not earn an official HIPAA certification, because neither HIPAA nor HHS offers one.
HITRUST addresses this gap for healthcare entities that adopt the HITRUST Framework, undergo a Validated Assessment by an External Assessor, and obtain HITRUST Certification. This process is an effective way to achieve and demonstrate HIPAA compliance and to maintain it year after year, since assessments must be completed either annually (e1, i1) or every two years with an interim assessment at the one-year mark (r2), depending on the level of security assurance selected by the healthcare provider or business associate.
HITRUST Certification is a powerful way to demonstrate HIPAA compliance to the HHS Office for Civil Rights, which is responsible for identifying and penalizing non-compliant behavior, as well as to other healthcare regulators and auditors. Keep in mind that it serves as evidence of a mature, assessed control environment rather than as an official HIPAA certification, since no such certification exists.
Summary
The HITRUST Framework has been adopted by thousands of organizations as the most efficient means to achieve, demonstrate, maintain, and assure cybersecurity and compliance.
Preparing well for HITRUST Certification and the required Validated Assessment is essential, and the services of a Readiness Licensee are invaluable at this stage. Think of your Validated Assessment as a driving test—you wouldn’t take it without first preparing for it.
Get started by contacting us for a complimentary HITRUST Readiness Briefing.