HITRUST Certification
More than a HITRUST Assessor – we’re a long-term partner.
The Leading HITRUST Assessor
From its very beginning, Intraprise Health has been committed to becoming the leading HITRUST Assessor in the country and in 2011, Intraprise Health became the first 100% healthcare-focused HITRUST Certified Assessor.
For over 10 years, we have helped guide hundreds of healthcare organizations including tech startups, multi-national companies, hospitals, health systems and insurers to achieve a successful certification. Our deep HITRUST expertise has resulted in a track record of 100 % successful first-time certification submissions.
We have honed our approach and methodology to develop industry-leading expertise on CSF adoption and certification. Our HITRUST team works with you to help you adopt the HITRUST CSF and ultimately become a more secure organization.
What is HITRUST Certification?
The HITRUST Cybersecurity Framework (CSF) is one of the world’s most widely trusted set of information security frameworks. It provides comprehensive guidance to meet state-level cybersecurity requirements, as well as providing criterion for risk-based assessment of your IT system’s confidentiality, integrity and availability.
While the framework is not legally mandated, a growing number of healthcare organizations use it as their north star to navigate complex compliance requirements, enhance IT resilience and help them leverage up-to-date cybersecurity best practices.
HITRUST certification is a credential issued by HITRUST (Health Information Trust Alliance). It is obtained through a combination of self-assessment and third-party audit, leading to an official accreditation from HITRUST which demonstrates that your organization meets the company’s exacting security standards.
Why Seek HITRUST Certification?
Enhanced Security
99.4% of HITRUST certified organizations have not experienced a single security breach in the last two years.
Simplified Compliance
HITRUST assessments cover all aspects of healthcare cybersecurity regulations – making it easy to demonstrate compliance.
Competitive Advantage
HITRUST certification demonstrates your dedication to best-in-class security to patients and employees.
HITRUST Assessment Types
Intraprise Health provides assessor services for the implemented, one year (i1) and the industry-standard risk-based, two year (r2) HITRUST Assessments. These assessment types provide organizations of all sizes and maturity levels options for HITRUST certification. Our experts can help you decide which option is best for your organization.
The Implemented, 1-Year (i1) Validated Assessment is a “best practices” assessment and recommended for situations that present moderate risk or where a baseline risk assessment is needed.
- Moderate level of effort and assurance
- One-year certification Period
- Static, predetermined set of 219 control statements
- Requires 1-year recertification or transition to r2 assessment
- Limited CSF and compliance coverage
The industry-standard HITRUST Risk-Based, 2-Year (r2) Validated Assessment is a tailorable assessment that continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors.
- High level of effort and assurance
- Two-year certification period
- Dynamically generated control statements based on scoping factors
- Requires 1-year Interim, and 2-year recertification maintenance
- Wide range of CSF and compliance coverage
HITRUST Leadership
Out of almost 100 HITRUST Assessors, Intraprise Health is one of the very few Assessor firms to be awarded two (2) member seats on the national HITRUST Assessor Council. We were also one of five (5) Assessors to be chosen by HITRUST for a seat on the even more select Quality Assurance subcommittee. Assessors were chosen to be on the Quality Assurance subcommittee by HITRUST based upon the quality of their HITRUST submissions.
Our Certified Practitioner consultants are a team of “HITRUST-ninjas”, and often work directly with the HITRUST Alliance to enhance the CSF including setting quality standards for the HITRUST CSF Assurance Program and Methodology.
This type of recognition from the HITRUST Alliance is a manifestation of our combined experience, depth and proven excellence through our work with clients of all types, sizes and complexity seeking to become HITRUST Certified.
Our Differentiators
- Industry-leading certification success rate
- Recognized for quality submissions and proven methodology
- Numerous joint presentations and educational workshops
- Executive-level relationships with HITRUST’s leadership team
Our Process
Scoping
Following a Kick-Off meeting, a secure collaboration site will be launched followed by procurement of a subscription to the HITRUST Alliance’s MyCSF Portal (*subscription purchased directly through HITRUST). Next, our team of HITRUST Certified Practitioners work with you to complete the Administrative Details and Factors questionnaire. The purpose of this questionnaire is to ensure alignment with business objectives and be prepared to answer the scoping questions that will be presented in the MyCSF portal. This is a critical phase pf the process as it establishes the foundation for the remainder of the process and identifies the number of control requirements you will need to comply with in order to become HITRUST Certified.
HITRUST Assessment
After we have scoped your certification “object” and the number of applicable security controls, the Intraprise Health team will guide your organization through the HITRUST Self-Assessment. Upon completion of the Self-Assessment, a list of Action Items for all 19 domains of the HITRUST CSF will be provided resulting in a comprehensive plan of action to improve overall compliance towards your HITRUST Certification. The Action Items will include remediation suggestions, such as revisions to your organization’s specific responses as well as revisions to policy and process documentation. Our team will also provide certain tools which we have developed over the last 10 years to assist your team to perform its work through the following phases.
HITRUST Remediation
During the remediation phase, your organization will be responsible for addressing the Action Items provided in the work plan utilizing Domain Workbooks and tools provided to your team. But know that Intraprise Health leverages its depth, knowledge and expertise as one of the longest tenured HITRUST Assessors to deliver a consultative not an “auditor” approach to facilitate your progress through this phase. Intraprise Health’s HITRUST Practitioners will continue to meet with your organization’s primary point of contact on a recurring basis to identify remediation progress and assess readiness. When all Action Items have been addressed, Intraprise Health will perform an Adoption Review in preparation for the Validated Assessment.
*Customers looking for additional remediation assistance can engage directly with our Information Security Management Program (ISMP) team of consultants.
Validation
As the first part of the final phase of the Certification journey, Intraprise Health will perform an Adoption Review which is our proprietary methodology to assess your readiness for certification submission to the HITRUST Alliance. This serves as a critical check-point so all are collectively prepared to submit with a high degree of confidence. Finally, Intraprise Health’s security team will perform a rigorous assessment of the completed assessment and remediation progress along with supporting evidence of implemented controls to validate HITRUST CSF compliance utilizing a proven rubric formula. Finally, Intraprise Health will package and submit the assessment to HITRUST via their MyCSF portal. Intraprise Health acts as the liaison with HITRUST throughout the entire submission and certification process.
Certification Maintenance
HITRUST Interim Assessment (*r2 Only)
Maintaining your HITRUST Certification is an ongoing endeavor. A HITRUST Interim Assessment is due 12 months from the initial HITRUST Certification anniversary date. The Interim Assessment is a representation that a Qualified CSF Assessor (i.e., Intraprise Health) has performed an objective security assessment to evaluate whether you continue to demonstrate sustained compliance with the HITRUST CSF.
Re-Certification
A HITRUST Validated Assessment for Re-Certification is due 24 months from the initial HITRUST Certification anniversary date. The Re-Certification is based on the then current version of the HITRUST CSF and follows a very similar process as the original certification. To ensure the meaningful adoption of the HITRUST CSF and to allow for strict adherence to the requirements of the HITRUST CSF Assurance Program, Intraprise Health structures our HITRUST Certification and Re-Certification engagements around the same four phases.
For more information and details about the Interim, Re-Certification or Certification Maintenance programs please contact us.