How to Prepare for HITRUST Certification: Gaining Organizational Support


More than 81 % of U.S. hospitals and health systems and 80 % of U.S. health plans use the HITRUST Common Security Framework (CSF). It provides an implementation standard that is understood and accepted throughout the healthcare industry. Having HITRUST certification in place shows other healthcare entities that you take your security seriously.

Now what?

You and your cybersecurity colleagues have done your research. You know the HITRUST framework is top-notch and addresses federal and state regulations and several security frameworks. Executives of your organization see the value in the HITRUST CSF that will help you assess and manage your organization’s information security. You’ve got the green light. Where do you go from here? Education. From executive leadership to front line employees, everyone needs to understand and accept the level of effort and commitment it takes to properly adopt the HITRUST CSF. Organizing educational sessions with stakeholders and identifying an organizational champion (someone that is very visible, respected and influential in the organization) to assist in sending the message.

What’s next? Engaging staff throughout the organization

It’s critical for staff in every corner of your organization to understand the HITRUST Certification process. They also need to truly understand that the process will undoubtedly result in changes throughout the organization — whether HR, PR, food services or at the executive level. The third-party vendors with which staff contract can often be the source of a costly security breach. Every department’s information needs to be assessed and remedied if necessary if you’re to rest easily on your organization’s cybersecurity laurels.

The importance of spending time up front, explaining the process and its benefits to organizational stakeholders, cannot be overstated. You may want to consider from the outset creating a way to regularly communicate with internal audiences about progress toward certification.

Staff involved in the certification process need to be honest with themselves about the time commitment required for the project and what it may unveil; past experience indicates people often believe they’re performing better than they are when it comes to security. Keep in mind it’s a journey, not a sprint. And it can take up to a year, including remediating security gaps identified in the assessment.

When addressing Domain 10, Password Protection, for instance, the HR department may have a requirement that states, “Passwords are not displayed when entered.” They may think this, coupled with the privacy filters they’ve just purchased for staff working with confidential information and the training session they just held, just about covers passwords. But this requirement will be measured more in depth, evaluating it against five levels of EACH requirement: policy, procedure, implemented, measured and managed.

Questions the department may need to further address include:

  • Is a policy or standard in place?
  • Is there a process or procedure to support the policy? Who performs each function and when?
  • Has it been implemented?
  • Is it being measured and tested by management to ensure it’s operating as designed? Who measures compliance and how often do they do that?
  • Are the measured results being managed to ensure corrective actions are taken as needed? Who takes action – and what action do they take – if non-compliance is found? How is it determined if safeguards are effective or not?

The process is organization-wide and complex. There are no simple yes or no answers. But it is a thoughtful, deliberate process that will help each and every department improve the way they operate. Achieving HITRUST Certification means your organization has put the time and thought necessary into protecting your patients and clients’ information. It means your organization will be more trusted by the people you care for. And it’s good for business. Business Insider reports that of organizations that have been breached, 22% lost customers, 29% lost revenue and 23% lost business opportunities.

To be successful, certification facilitators need to share with employees how beneficial this process is to management efforts as well as to the organization’s security and, ultimately, the people they serve.

Because in the end, HITRUST Certification shows the world that you take the responsibility of protecting the information that you have been entrusted with very seriously.
Watch our HITRUST Essentials Webinar and Learn How to Prepare for HITRUST Certification