What Is HITRUST Certification and Why Do You Need It?
Posted on: September 8th, 2020 09:38 am
Updated on: May 29th, 2024 02:36 pm
A recent report showed that healthcare is the biggest target for cyberattacks globally. But with large vendor networks, increasingly complex IT systems and a range of regulations to contend with – under HIPAA, Meaningful Use, PCI, COBIT and ISO – the sector struggles to manage these risks.
That is why a growing number of organizations rely on HITRUST certification to ensure compliance and manage cyber threats.
Expect to learn:
- Why HITRUST is so important for healthcare entities
- What it takes to achieve a HITRUST certification
- Three common misunderstandings about HITRUST certification
Understanding HITRUST Certification
What is HITRUST?
The Health Information Trust Alliance (HITRUST) is an organization that helps safeguard sensitive patient data by providing data protection standards and certification. They are among the most widely used or evidence-backed standards, with recent research showing that 99.4% of HITRUST certified organizations have not experienced a single security breach in the last two years.
To put this in perceptive, one study found that 88% of U.S. healthcare entities experienced at least one breach in the last year. So given that the healthcare sector accounts for 18.2% of all HITRUST certifications, we can conclude with confidence that HITRUST certified organizations are substantially safer than others.
But what exactly is it that these organizations are going to HITRUST for?
What is the HITRUST Common Security Framework (CSF)?
The HITRUST CSF is the leading information security framework for the healthcare industry. It was developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations through a comprehensive and flexible framework of prescriptive and scalable security controls.
The CSF includes federal and state regulations and standards, incorporating a risk-based approach that provides specific criteria to assess the protection of confidentiality, integrity, and availability of information systems — all particularly relevant to healthcare.
HITRUST and Compliance Explained
Who Must Comply with HITRUST?
Based on the search volume for phrases like “HITRUST vs HIPAA”, compliance is a regular source of confusion. So let’s be clear:
- The HITRUST CSF is not mandated by the federal government
- No organization is forced by law to gain certification
- “HITRUST compliance” is not a legal concern
However, this confusion is understandable because many organizations use HITRUST as a key part of their compliance efforts. Why? HITRUST maps its framework around various regulations and cybersecurity standards – including HIPAA, SOC 2, NIST, ISO 27001 and others – to make certification a reasonable proxy for compliance. Equally, HITRUST certification helps leaders prove compliance – which is a growing challenge for healthcare entities.
Three Reasons Healthcare Organizations Use HITRUST
1. “Gold Standard” of Healthcare Data Security
Healthcare payors, and an increasing number of health systems and hospitals, are requiring their business associates to become HITRUST certified because the certification demonstrates that the organization has made a dedicated commitment to maintain the greatest level of protection for their customer’s ’healthcare data.
2. Scalable and Cost-Effective
By including federal and state regulations and standards, and incorporating a risk-based approach, the HITRUST CSF helps organizations address rapidly evolving information security challenges affecting every healthcare organization no matter of size.
Because of its consolidated controls approach, an organization can generate multiple reports addressing legislative, regulatory or best practice frameworks with just one assessment, creating a well-established, robust, and documented security program to present whenever needed.
Though it is a rigorous process, once certified, the organization can respond more thoroughly and faster, using fewer resource hours in a repeatable manner. This can significantly reduce the burden of a continuous stream of arduous and lengthy security questionnaires that are a customary part of doing business as a healthcare technology or services company.
3. Competitive Advantage
Healthcare organizations’ customers are aware and concerned about the ever-growing threat to their data security. They understand the importance of working with organizations who are educated on these threats and have taken the necessary steps to make sure they are protected according to the highest standards in the industry.
HITRUST Certification demonstrates that an organization is a leader in security, privacy, and compliance because they have the certification to back it up. This credibility and status in the healthcare industry sets an organization apart.
On-Demand Webinar
HITRUST Essentials: Listen as Michael Parisi from HITRUST joins Intraprise Health’s Ryan Patrick for a discussion about the HITRUST Program.
How to Achieve HITRUST Certification
The HITRUST Certification process consists of:
- An initial baseline self-assessment, utilizing the MyCSF web application
- A Corrective Action Plan(s) — based on responses and associated remediation needs
- A validated self-assessment by a CSF Assessor (which Intraprise Health has been since 2011)
- A final submission to the HITRUST Alliance (who certifies the information provided).
| Evaluation Criteria | Weight |
| Policy | 15% |
| Procedures | 20% |
| Implemented | 40% |
| Measured | 10% |
| Managed | 15% |
For each assigned control in MyCSF, a submitter must score themselves on five evaluation criteria, which are then weighted differently by the HITRUST Alliance during submission.:
For each evaluation criterion, under each control, submitters assign a compliance score for themselves based on their level of maturity, which is measured on a scale of 0-100 and in increments of 25.
HITRUST will provide a report of findings to the submitting organization, indicating that the security controls, as identified in the CSF, were of a sufficient or insufficient maturity level to be deemed adequate, both, objectively and in relation to peers in the healthcare industry.
Ultimately, the overall maturity level score determines whether you achieve HITRUST Certification.
Optimize Your HITRUST Application with Intraprise Health
Intraprise Health is one of the longest-tenured, 100% healthcare-focused, HITRUST Certified Assessors. Our executives hold ST Assessor Council, and have presented at the HITRUST 2017, 2018 and 2019 Annual Conferences.
We have taken our clients — covered entities and business associates — through the certification process while helping them to simplify the complexities of HITRUST. Our deep and varied experience, proven methodology, client partnerships, and purpose-built tools make the journey to certification easier to navigate.
For more information about our HITRUST services, please contact us to start the conversation.