What is HITRUST?
The HITRUST Cyber Security Framework (CSF) is a Risk Management Framework which helps organizations protect sensitive information (i.e., PII, PHI) by leveraging industry standards and authoritative sources relevant to the information security and privacy industry.
The HITRUST CSF harmonizes existing controls and requirements from standards, regulations, business and third-party requirements and offers the following:
- Incorporates both compliance and risk management principles
- Defines a process to effectively and efficiently evaluate compliance and security risk, which includes the HIPAA Final Rule Requirements
- Supports HITRUST CSF certification
What are the HITRUST certification levels?
HITRUST offers 3 certification levels which are designed to provide varying degrees of assurance based on an organization's needs and risk profile and include:
- e1: “Essentials, 1-year” (e1) certification is the foundational level, focusing on basic cybersecurity hygiene and is comprised by 44 defined controls that are considered essential foundational control requirements based on a range of standards and guidance. The e1 certification is designed as an annual assessment to be completed annually and requires less effort and resources to achieve compared to i1 and r2.
- i1: “Implemented, 1-year” (i1) certification leverages a proven set of HITRUST-curated controls designed to ensure that an organization is exercising leading security practices to implement a strong and cybersecurity program. The i1 Assessment falls between the foundational HITRUST e1 Essentials and the more rigorous r2 Expanded Practices Risk-based Assessments2.
- r2: “Risk based, 2-year”, (r2) is the most comprehensive level of HITRUST certification, providing the highest level of assurance. The r2 certification involves a rigorous assessment process and includes a wide range of controls to ensure robust cybersecurity and risk management practices and requires higher resource investment.
These levels build on each other, with increasing rigor and comprehensiveness as you move from e1 to r2. Each level is designed to meet different organizational needs and risk profiles, ensuring that there is a suitable certification option for every organization.
The following matrix highlights the key differences between the HITRUST certification levels e1, i1, and r2:
Table 1 HITRUST Certification levels comparison
How do I prepare for a HITRUST certification?
Preparing for a HITRUST certification involves several key steps to ensure your organization meets the rigorous standards set by the HITRUST CSF framework. Here are some guidelines to help you get ready:
Figure 1 HITRUST preparation steps
By following these steps and leveraging the resources available within your organization and from HITRUST, you can effectively prepare for the HITRUST certification and ensure that your organization meets the highest standards of security and compliance.
How do I register for a HITRUST assessment?
- Contact HITRUST: You can reach out to HITRUST directly via their contact information provided in emails or on their website. For example, you can contact them at 1-855-HITRUST (855-448-7878) or https://hitrustalliance.net/
- Fill Out the Registration Form: On the HITRUST website, there is a form you can fill out to get started with the registration process.
- Engage with an Authorized External Assessor: Select a HITRUST Authorized External Assessor that offers tactical and strategic advisory such as Palindrome Technologies to guide you through the certification process. We can provide valuable insights and help ensure that your organization meets all the necessary requirements.
By following these steps and leveraging the resources available within your organization and from HITRUST, you can effectively register for a HITRUST assessment and ensure that your organization meets the highest standards of security and compliance.
For more information get the service brief or schedule a complementary call to answer your questions: