HITRUST Certification is a process which verifies that an IT organization has met the security requirements of the Health Industry Trust Alliance (HITRUST). It is a certification which protects consumers and organizations by reducing fraud, data breaches, and identity theft. HITRUST Certification ensures that all systems in an IT environment have been assessed for compliance with HITRUST’s security framework and standards. The HITRUST Framework Security Requirements are reviewed annually to ensure they are up to date with evolving threats. Achieving HITRUST Certification requires implementation of controls for all six domains of the Security Framework: Identity & Access Management; Risk Assessment & Mitigation; Data Protection Administration & Management; Systems Security Administration & Management; Network Security Administration & Management; and Application Security Administration & Management.


HITRUST Assessment

The HITRUST CSF is a comprehensive framework that provides organizations with the ability to assess their security programs, identify gaps, and measure progress. The HITRUST CSF can be used by organizations to assess the effectiveness of existing security programs and to identify potential threats and control gaps so that they can close or mitigate any risks. The goal of this is to protect sensitive data from being compromised in an attack or misused by employees. One form of assessment is a self-assessment survey on an organization’s compliance with current standards, policies and procedures. Organizations will have their own specific needs for their information security program; the scale and complexity of each type of organization will vary substantially, which means that there will be different challenges for different levels of maturity in an organization’s information security program. It is important to note that no one-size-fits-all solution exists when it comes to assessing IT risk management programs – every organization has its own unique challenges and goals, which makes it critical for companies to tailor information protection practices according to their specific needs. HITRUST Certified Security Foundation (CSF) is an assessment framework created by HITECH Act guidelines set forth by NIST that provides organizations with the ability to measure the effectiveness of existing security programs, identify potential

Security Framework

HITRUST Security Framework (HITSF) is a voluntary initiative that offers guidance to organizations on how to protect sensitive information and comply with a variety of regulations. It also provides a mechanism for exchanging security-related data about an organization’s information systems and the threats they might face. The HITRUST Security Framework has three main components: The framework encourages organizations to do everything possible to protect sensitive information, reduce risks, and detect, respond to, and recover from attacks. It is not necessary for all organizations – either healthcare or non-healthcare related – to follow the complete framework in order to meet their needs. The strategy includes four levels of compliance: Audit Ready Plus; Audit Ready; Basic Compliance; and Risk Assessment Only (RAO). Organizations can choose which level they want based on their specific needs. Any organization that chooses Level 3 or higher will be required by law to undergo periodic external audits every five years unless they are self-surveying their own system’s security controls at least once every three years (known as a “self-audit”).

Organizations that undergo HITRUST certification are able to show they have implemented the necessary controls to protect sensitive data. This, in turn, gives customers and business partners the confidence that their data will be safe when it is shared with the certified organization. HITRUST certification also provides organizations with a competitive advantage, as more and more companies are requiring their business partners to be HITRUST certified.

If you are considering HITRUST certification for your organization, we recommend starting with the HITRUST Self-Assessment Questionnaire (SAQ). The SAQ will help you understand what HITRUST is and if your organization is ready to undergo the certification process. Once you have completed the SAQ, we recommend working with a HITRUST Authorized Certification Body (ACB) to complete the certification process.

HITRUST has certified over 3500 organizations in more than 50 countries across a variety of industries. HITRUST certification is recognized by the US Department of Defense, the US Department of Homeland Security, and numerous state governments. HITRUST is also aligned with other major security frameworks, such as ISO 27001 and NIST CSF.

If you have any questions about HITRUST certification, please contact us. We are here to help you navigate the HITRUST certification process and ensure that your organization is successful in achieving HITRUST certification. HITRUST-certified organizations are recognized as leaders in data security and privacy, and we are proud to be one of them.