Preparing for HITRUST Certification: The How and Why for Healthcare Service Providers

Healthcare service providers often find themselves needing to provide third-party validation that they have the right level of security in place and are managing cyber risk appropriately. Depending on the type of business, a SOC 2 audit or HITRUST Certification is commonly required. Services providers and digital innovators within healthcare should have a strategic map of when and why a HITRUST Certification or SOC 2 audit would be the next best investment for their business. This article will focus on preparing for a HITRUST certification.

Achieving and maintaining this certification is not trivial in either the level of organizational effort or cost. Preparing for a HITRUST Certification is highly dependent upon the level of certification and the maturity of an organization.

Understanding HITRUST Certification

The Health Information Trust Alliance (HITRUST) Certification is a widely recognized security framework designed specifically for the healthcare industry. The HITRUST Common Security Framework (CSF) combines various security standards and best practices, including HIPAA, NIST, ISO, and others, into a comprehensive and scalable set of controls tailored to organizations that handle protected health information (PHI).

HITRUST Certification involves an assessment of an organization’s information security program against the HITRUST CSF controls. The rigorous certification process can assure healthcare organizations and their customers that the certified entity has implemented robust security controls to protect sensitive healthcare data.

Preparing for HITRUST Certification Simplified

The first step in preparing for HITRUST Certification is downloading the HITRUST CSF

With this documentation, perform a gap analysis or self-assessment to identify areas where the organization’s security program may not align with the HITRUST CSF requirements. This will help prioritize improvements and allow you to review the resources needed to address deficiencies or weaknesses.

Next, organizations should implement or update the necessary policies, procedures, and security controls to align with the HITRUST CSF. This may involve updating data protection measures, implementing new security technologies, and providing comprehensive security training for employees.

Lastly, the organization should work with an experienced HITRUST CSF Assessor that will review your security program, validate the implemented controls, and help prepare for the official HITRUST Certification assessment.

Your assessor will provide the artifacts and assessment findings to HITRUST through the MyCSF portal for your organization and the associated QA reservation system. Once HITRUST has performed the quality assurance and all is well, the healthcare business service can proudly display and leverage its certification achievement.

Investment and Maintenance Costs

The cost of obtaining and maintaining HITRUST Certification can be significant, particularly for small and mid-sized health IT and digital health companies. The initial certification process can range from $50,000 to $200,000 or more, depending on the organization’s size and complexity and the scope of the certification. So understanding the best path to make the most of this type of investment from preparation to ongoing maintenance and then meeting the interim requirements should be considered. This typically involves annual or biennial assessments, ongoing security monitoring, and periodic updates to policies and procedures. The ongoing maintenance costs can vary widely, but companies should expect to invest a significant portion of their annual IT budget in maintaining their HITRUST Certification. Doing so provides the risk-based security program needed to protect your business and support growth opportunities with others who understand the trust and value this type of certification provides.

Determining the Right Time for HITRUST Certification

The decision to pursue HITRUST Certification should be based on carefully evaluating the organization’s needs, market demands, and competitive landscape. Factors to consider include the organization’s size, the complexity of its information systems, the nature and expectations of its customer base, and the scope of the assessment.

In general, consider HITRUST Certification when there is a level of maturity and when a business can demonstrate a robust and well-documented information security program. The following are additional considerations to help determine the right time to pursue HITRUST Certification:

1. Growing business expectations: As more healthcare organizations require their vendors to demonstrate compliance with industry-specific security standards, HITRUST Certification can provide a competitive advantage and help build trust with existing and potential customers.

2. Risk management: Implementing the HITRUST CSF can help organizations proactively address security and enhance their overall risk management strategy. It provides a unified framework that addresses multiple regulatory requirements, state regulations, and industry standards. Leveraging this framework provides broad coverage and ease to keep data private and secured without assessing and reacting to every type of regulation change on the horizon.

3. Reputation enhancement: Achieving HITRUST Certification can help enhance an organization’s reputation and credibility in the healthcare industry, demonstrating a commitment to data security and privacy.

Determining the Right Type of HITRUST Certification

Understanding that organizations are evolving and maturing, HITRUST now provides options that give organizations flexibility and a path to certification in the HITRUST certification model.  

HITRUST provides three certification options:

  1. e1 HITRUST Certification
  2. i1 HITRUST Certification
  3. r2 HITRUST Certification

With the release of version 11 of the HITRUST CFS Framework, each certification option is 100% stackable.  This means that all the controls evaluated in the lowest level will be present in each higher level.  This allows for organizations to start with the e1 certification and graduate to an i1, and then graduate to an r2 over time as they grow and mature in their security practice with little in the way of lost effort since each higher-level assessment will build on the previous work that was done.

Most organizations will start with a readiness engagement and work with an assessor organization to prepare for a specific type of HITRUST Certification. Readiness involves understanding the controls and looking at what an organization needs to demonstrate compliance with the specific controls for the type of assessment that they are working towards. As an organization moves to a higher-level certification, the controls increase and become more complex, building on what was done at the previous certification level.

The e1 HITRUST Certification is a one-year certification and comprises 44 controls. The best way to think about this certification is that it is a security hygiene assessment that covers basic security concepts. The focus of this set of the most critical cybersecurity controls is to demonstrate that an organization has implemented the controls and that the controls are operational. There is a limited focus on policy and procedure elements to support the operational nature of meeting the controls.

The i1 HITRUST Certification is a one-year certification comprised of 182 controls (which includes the 44 controls of the e1 certification). This certification also considers active cyber threats as part of the security controls evaluated in the assessment. The certification aims to demonstrate that the organization has implemented a strong set of cybersecurity controls and that the controls are operational. Again, the i1 is focused on assessing the implemented nature of the controls; however, there is a limited focus on policy and procedure elements to support the operational nature of meeting the controls.   While this is a one-year certification, HITRUST offers a rapid recertification process in the second year.  The rapid recertification process consists of approximately 60 of the 182 controls evaluated in year two to determine if compliance has been maintained.

The r2 HITRUST Certification is a two-year certification.  This certification provides the highest level of assurance and is a risk-based assessment of the organization’s operating environment.  This type of assessment looks in-depth at several components around each control:

  1. Policy                                       (accounts for 15% of overall score)
  2. Procedure                               (accounts for 20% of overall score)
  3. Implementation                      (accounts for 40% of overall score)
  4. Measured                                (accounts for 10% of overall score)
  5. Managed                                 (accounts for 15% of overall score)

When an organization creates its assessment object (components or entities in the scope of the assessment and the resulting relevant HITRUST controls), it will be asked scoping questions about the number of transactions, facilities, how applications are accessed, and what additional regulatory factors a company might need to be compliant with given its business model.   Based on the associated risk factors and active cyber threats, the assessment object will be built based on the organization’s risk level.  HITRUST states that the average r2 assessment is around 375 controls; however, this number can go much higher based on the regulatory controls selected during the assessment scoping phase. 

While the r2 Certification is a two-year certification, there is a requirement for an r2 Interim Assessment in year 2.   

 The Interim assessment has two components:

  1. Ensuring continued compliance by evaluating 1 control from each of the 19 Domains.
  2. Evaluation of any required controls that needed a corrective action plan (CAP) in year 1.

The interim assessment’s goal is to ensure that a random selection of initial controls is still in place and operating as assessed in year 1.  Any controls that need corrective action plans (CAPS) are evaluated to ensure that progress is being made toward completing the CAP Milestones in accordance with the plan.

Supporting the HITRUST Pursuit

HITRUST Certification can be a valuable investment when executive support and proper planning have been done. There are many details and a need to demonstrate an ongoing security and compliance program. Healthcare service providers should not consider a HITRUST assessment unless they are well prepared. If this certification is on your roadmap, many actions can help you build maturity and ensure your HITRUST pursuit is successful. By understanding the requirements, preparing for the certification process, and strategically determining the right time to pursue certification, organizations can strengthen their security posture, build trust with customers, and, ultimately, achieve what is becoming the security foundation in a competitive healthcare market.

Clearwater can help you plan and fulfill gaps in your current security strategy, so you have a clear picture of what you need to do, the cost implications, and the support necessary to achieve your goals. From our security programs with vCISO services and HITRUST pre-assessment to engaging with our HITRUST-certified assessors for your desired certificate level, we’re here to help businesses of all sizes within the healthcare ecosystem be more secure, compliant, and resilient.


Sign up to receive our monthly newsletter featuring resources curated specifically to your concerns.

Related Blogs

With Us