HITRUST

Protection of patient and other sensitive healthcare information is a top priority for all healthcare organizations, which entails compliance with a growing range of regulations. Staying on top of all the relevant standards can be daunting for stakeholders across a broad array of healthcare service organizations, associates, and vendors.

HITRUST recently released the e1 and i1 versions, to enhance mitigation against evolving cyber threats and to speed up the transition to higher levels of assurance.

The Health Information Trust Alliance (HITRUST) strives to address such problems by:

  • Offering an integrated security strategy
  • Introducing a mechanism to certify compliance with HIPAA security criteria to a third-party assessor

HITRUST provides a comprehensive, risk-based certifiable framework that helps healthcare service providers of all types, sizes, and complexity integrate compliance with a wide range of regulations, standards, and best practices.

Speak to an Expert Download the HITRUST Guide

hitrust-logo-1-1-1
_Pngtree_fingerprint_recognition_technology_concept_a_5334449-removebg-preview

Why Choose Accorian?

We specialize in aiding organizations of various sizes in the healthcare industry

We are a full-service cybersecurity and compliance service providers

We have years of experience providing security compliance, information security implementation, and testing services.

As an authorized HITRUST CSF Assessor, our qualified security professionals can get you started with successfully scoping for your assessment and facilitating the process to reduce the cost, time, and resources.

HITRUST’s CSF

HITRUST developed and maintains the Common Security Framework (CSF), which provides a mechanism for standardizing Health Insurance Portability and Accountability(HIPAA) compliance and coordinating it with other national and international data security standards in addition to numerous state laws.

The HITRUST CSF certification allows healthcare organizations to perform a single assessment, by integrating more than 20 distinct standards and processes, to certify compliance with multiple initiatives, including a HIPAA compliance audit.

How Important Is HITRUST?

The healthcare sector generally drives and controls HITRUST enforcement, while HIPAA establishes specific consequences for data security violations.
The industry, including hospitals and payer requiring certification, has seen swift adoption of HITRUST and it is gaining ground as an expectation for service providers and vendors.

It's not always necessary to get HITRUST certification when implementing new technology, but it provides opportunities to streamline security and compliance as part of the implementation process.

When And Why Should You Adopt HITRUST?

You can benefit from HITRUST in a multitude of ways.

A Single Framework For Vital Certifications
+ -

The HITRUST architecture offers a single framework for synchronizing current worldwide security legislation and standards. The following are some examples of what it entails:

HIPAA
HITECH
NIST
PCI DSS
SOC
FTC
COBIT
GDPR
The Advantage of a Sterling Reputation
+ -

Providers and vendors that serve the healthcare sector may find that HITRUST gives them an edge in terms of market value and reputation.

The Security of Certification
+ -

If a client sends you a letter requesting HITRUST CSF certification, you can be ready with a certified data security program ahead of time. Here's to being proactive!

Offers Enhanced Security
+ -

HITRUST assessments enhance the security status and risk management procedures of your firm.

It’s Scalable
+ -

Controls are applicable to any size, kind, and complexity of organization.

Types of HITRUST Assessments

It may be a daunting task to choose the correct HITRUST assessment when you want to analyze and express assurances about the security of protected health information (PHI).

Consider assessments to guarantee that passing an audit by the Office of Civil Rights, the agency within the Department of Health and Human Services that implements the penalties related with the HIPAA Privacy and Security Rules.

The HITRUST CSF certification offers healthcare businesses a variety of examinations. Each of them serves a distinct goal and employs a different methodology. Let's take a closer look at each one to see which one is right for your organization.

01

HITRUST e1 Assessment

The e1 version offers ‘Good hygiene’ 44 control assurance for organizations with low-level info security risk. It is ideal for small organizations or start-ups with limited resources to differentiate themselves in the marketplace. It’s a faster option to establish a benchmark security posture and identify coverage gaps.

02

HITRUST Implemented, 1-Year (i1) Validated Assessment

This one-year certification is for healthcare organizations and business partners that need moderate assurance. It focuses on a list of controls that HITRUST chooses and updates every year. These controls are tested for how well they are being used. Our assessors will look over the assessment, make sure it is correct, and send it to HITRUST for approval.

03

HITRUST Risk-Based, 2-Year (r2) Validated Assessment

HITRUST CSF assessments look at the different controls that are in scope and how mature they are in the Policy, Procedure, Implemented, Measured, and Managed categories. HITRUST certifications can be earned through validated assessments if you receive a satisfactory assessment score.

It is suggested that new clients do a self-assessment first to get a sense of where they are standing in terms of their score. Our assessors take the time to help clients understand all parts of the assessment and give helpful suggestions for improving scores in areas where they are low.

04

HITRUST Interim Assessment

As required by HITRUST, all validated assessments must be followed by an interim assessment within the first year after certification. The interim assessment checks to see if the controls still work and looks at how well any Corrective Action Plans that were made during the initial validation process are being followed.

05

Bridge Assessment

What happens when an organization that is already HITRUST CSF certified can't finish its next HITRUST CSF Validated Assessment before its current certificate expires? In such a case, the Bridge Assessment fills the gap.

A Bridge Assessment is similar to an Interim Assessment since it only looks at a limited number of controls and gives an organization a temporary certificate that is acceptable for 90 days. This lets the organization keep working with those who requested HITRUST certification and also finish the next Validated Assessment.

Who should get an e1 Certification

The e1 certification can be used for reliable, efficient cybersecurity reviews of:

  • New business units
  • Recently deployed technology platforms
  • Prospective or newly onboarded third-party business partners such as vendors
  • Existing, lower-risk vendors (e.g., those who handle little to no PII)
  • Scope, systems, or vendors with minimum inherent risk but that are part of a system with greater aggregate risk
  • An organization’s practices in support of M&A transactions (buy side or sell side)
  • Near-term review and baseline scoring of a newly acquired organization's initial cybersecurity maturity
  • And use to show justification for more favorable cyber insurance premiums

Accorian’s HITRUST Services

Our team of experts have extensive experience helping clients comply with healthcare security standards and information security. Our HITRUST assessor’s recommendations are transparent and actionable.

We know the complexity of day-to-day IT and security operations, so we’ll never deliver a standard auditor guide or playbook response. We make sure you fully understand and can execute recommendations, personalized for you. From HIPAA to HITRUST and any needs in between, we can support your organization.

GAP Assessment
Facilitated Self – Assessment
Validation/Certification
Interim Assessment
Bridge Assessment
Continuous Monitoring of Framework Compliance
Third-Party Risk Management Program
Healthcare Risk Analysis & Advisory

HITRUST GUIDE

DOWNLOAD NOW

 

Resources

Article

HITRUST CERTIFICATION: IMPORTANCE IN HEALTHCARE

Being HITRUST-certified is one-way companies can demonstrate their commitment to security and privacy to clients and partners Healthcare is one of the most highly regulated industries regarding privacy and security. There is a good reason for this, too, as personal health information (PHI) is some of the most valuable information for cybercriminals and people that commit fraud. According to the US Department of Health and Human Services 2020 Healthcare Breach Report, the average cost per breached record is $499 and can be sold for over $1000. As a result, PHI has become highly targeted by criminals, and to combat this, regulations and security standards have been created to ensure that businesses protect this information correctly. This article will discuss a popular security framework and certification in the healthcare industry called HITRUST. What is HITRUST Certification? HITRUST, created in 2007, is a standards and certification body that helps organizations manage information security, privacy, and regulatory compliance. Organizations that achieve HITRUST certification have passed the framework checks and have shown an ability to adhere to the security requirements of HIPAA.  Then there is the HITRUST CSF framework. What is HITRUST CSF The HITRUST CSF is a certifiable security and privacy controls framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. Developed in collaboration with data protection professionals, the HITRUST CSF provides structure, transparency, guidance, and cross-references to 40+ authoritative sources, standardizing requirements and providing clarity and consistency. The HITRUST CSF is regularly updated as mapped authoritative sources change and new sources are introduced. Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through various factors, including organization type, size, systems, and regulatory requirements. The HITRUST CSF assurance program combines aspects of many popular security frameworks, including ISO, NIST, PCI, and HIPAA. So it’s not limited to just evaluating companies based on HIPAA requirements. There is a roadmap that organizations can follow to achieve data security and compliance with HIPAA.  Why is HITRUST Important in Healthcare? Whether you are a healthcare provider or a processor of healthcare information, you have a big responsibility to ensure that you protect that information. Not only is this heavily mandated through regulations like HIPAA, but your potential clients will want to know that you can uphold these standards as part of their requirements for doing business with you. Being HITRUST certified is one-way companies can demonstrate their commitment to security and privacy to potential clients and business partners. HITRUST vs. HIPAA The relationship between HITRUST and HIPAA can be confusing at first. However, it’s essential to understand that they are not the same but are closely related. HIPAA stood for the Health Insurance Portability & Accountability Act and was passed by Congress in 1996. While HIPPA is a regulation created by lawmakers, HITRUST is a framework developed by security experts that covers key aspects of HIPAA compliance and draws from dozens of other authoritative sources, as well. One of the issues organizations face with HIPAA compliance is translating somewhat vague requirements into quantifiable and measurable criteria and objectives. HITRUST helps companies achieve this by providing a framework for identifying the organization's appropriate administrative, technical, and physical safeguards.  HITRUST Certification Requirements Now that we’ve discussed the value of HITRUST in the healthcare industry, let’s look at how a company can become certified. For an organization to become HITRUST certified, it must undergo a validated assessment by a HITRUST assessor firm. The company must purchase a MyCSF subscription from HITRUST and a certification report credit. Upon completion of the validated...

View More

Article

HITRUST® introduces the leaner version of the Validated HITRUST Assessment – The Implemented, 1-Year (i1) Validated Assessment + Certification

HITRUST, recently, announced the implementation of a new annual HITRUST Assessment + Certification, the i1. The aim of this release is to provide a cybersecurity assessment that remains continuously relevant by utilizing the latest threat intelligence to address information security risks and emerging cyber threats like ransomware and phishing.  Experts highly tout the "Gold Standard" for information security assurances as the original HITRUST Validated Assessment, which is now dubbed the r2. The HITRUST Risk-based, 2-Year r2 Validated Assessment + Certification uses the HITRUST CSF® cybersecurity framework to unify and harmonize controls from many regulatory and industry frameworks, including HIPAA, GDPR, and PCI-DSS. It often considered as a sort of “one framework to rule them all”, and organizations that implement a properly scoped HITRUST r2 Assessment can include more than 40 authoritative sources to conform to a variety of cybersecurity regulations and standards. The HITRUST a 2-year risk-based and tailorable assessment, which continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors. The new HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification is the first information security assessment of its kind and possesses attributes that other assurance programs do not have. The assessment's design and control selection place it in a new category of threat-adaptive information security assessments, which evolve with emerging risks and new threats while also retiring irrelevant controls. The HITRUST i1 Assessment is designed to: Designed to maintain control requirements that mitigate existing and emerging threats by providing updates as new threats are identified. The assessment is threat-adaptive, prescriptive, and concentrates on controls that are relevant to risk. Sunset controls that have lost relevance and have limited assurance value based on the effort required to comply or assess. Delivers greater reliability than other moderate assurance options due to its unique control selection and assurance program design. The HITRUSTi1 Validated Assessment + Certification is a “best practices” assessment that consists of 219 pre-selected controls. The design of the assessment was based on relevant information security risks and emerging cyber threats. It provides coverage for numerous standards, such as NIST 800-171, GLBA Safeguards Rule, HIPAA Security Rule, and Health Industry Cybersecurity Practices (HICP). Although the HITRUST i1 is a leaner version of the r2, the evaluation process is still incredibly rigorous and provides the same credibility associated with the original HITRUST Assessment. Examination of the Five Maturity Levels Tested in r2 and i1 Assessments Policy– Detail management’s requirements for the organization and in=scope systems Procedures– Document the organization’s methods for implementing policies Implemented– Demonstrate how the organization implemented policies and procedures Measured– Examine how the organization evaluates its program Managed– Show how the organization continuously manages risk Conclusion Although some organizations may consider the i1 assessment to be less assuring than the r2 assessment, the i1 provides several benefits due to its threat-adaptive approach paired with an annual assessment cycle. The HITRUST i1 concentrates solely on the implemented PRISMA maturity level, thus limiting the scope of assessment and helping reduce the preparation required. The i1 considers particular "Evaluative Elements" to confirm the complete implementation of each control, and an organization can be evaluated based solely on the level of implementation. An i1 assessment can serve as either a readiness assessment, (which includes an identification and remediation report), or a validated assessment, (which includes a requirements check and an official certification.) It’s recommended that every organization start with a readiness assessment to get a detailed report on your organization’s cybersecurity posture and remediation requirements before performing a Validated i1 Assessment. This is important in finding vulnerabilities within your organization...

View More

Article

The Journey from HIPAA Compliance to HITRUST Certification

In today’s complex technological world, there is always the danger of a hostile threat environment lurking around the corner, waiting to manipulate the potholes in the processes and technology. People and organizations with malicious intent always try to act upon such opportunities and cause everlasting damage to the organization’s reputation and finances. In such a scenario, securing information and information assets of the organization are of paramount importance. There are several ways to secure information and information assets within an organization. Some organizations may deploy strict controls like access control, secure equipment sitting area, authorization, and authentication, etc. The healthcare industry is no different and is not safe from the malicious intent of hackers and trespassers. Sensitive healthcare information like patient data, patient recovery status, personal information, etc. always needs to be safeguarded. Hence, the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, which outlines protection and security standards for health care data. HIPAA is a public law that can be considered landmark legislation when it was enacted in the ‘90s.  Before its enactment, there were no security standards or requirements for protecting health care information.  While HIPAA is an act that details standards for compliance, HITRUST is an organization that helps you achieve those standards by the means of industry-acclaimed certification. Transitioning from HIPAA Compliance to HITRUST Certification When an organization transitions from being HIPAA Compliant to being getting HITRUST certified, is not a straightforward and simple journey altogether. This involves a lot of effort and adjustments along the way on the part of the organization. Often organizations who are HIPAA compliant, assume, that getting HITRUST certification is an easy walk. But in reality, the path to HITRUST certification is very robust and cumbersome. HITRUST certification is an exhaustive and comprehensive certification process and organizations often must scale up their efforts to get compliant. The common pitfalls or roadblock often faced by organizations in the journey from HIPAA to HITRUST are: HITRUST requires exhaustive policies and procedures to be in place spread across 19 domains of Information Security. Organizations often fall short of producing the exhaustiveness or robustness in their documentation that HITRUST mandates HITRUST certification process mandates the actual implementation of solutions and security controls. In many cases, organizations that are HIPAA compliant do not have enough security controls in place to be even eligible for HITRUST certification HIPAA compliance is a self-declaration made by the management of the organization keeping in view the security posture of the entity. In most cases when the organization goes for HITRUST certification, it comes as a revelation as they do not clear the HITRUST certification because of not having a good enough security posture. HITRUST certification is a very comprehensive and robust assessment of the security posture of an entity HITRUST mandates the storage and secure treatment sensitive and covered information should get. Covered information includes ePHI, PII, etc. In comparison to HIPAA, HITRUST is more particular and employs strict measures about the secure handling of ePHI As opposed to HIPAA, which has defined penalties for security breaches, the enforcement of HITRUST is dependent on the healthcare industry itself, typically covered entities like hospitals and payers, requiring HITRUST CSF Certification of vendors HITRUST also claims that with their framework, you can “assess once and report many” – which means that a HITRUST Certification can be used as the building block to attain other certifications and reports such as a SOC II or NIST 800-53.  Thus, HITRUST can be labeled as more versatile and comprehensive How to attain HITRUST Certification? Without a standardized framework, process, and certifying body, HIPAA...

View More

Article

Risk Management Framework – Managing & Measuring what matters

A risk management program allows you to manage overall information security risk.  It is an approach to identify, quantify, mitigate, and monitor risks.  The reason to look at risk in a comprehensive manner is to make sure no one area is getting too much attention or, too little. Frameworks also help you identify the bigger elements of risk that need review and mitigation. Additionally, it help you to prioritize the treatment of certain risks. The adherence to risk frameworks also helps give your customers comfort that a standard risk management is in place and hence, reduce your audit burden.  Typically, a Risk Management program comprises of the following phases: Risk identification Risk analysis Risk evaluation Risk treatment Risk Monitoring A good risk management framework will have the following characteristics: Comprehensive in types of risks it covers Practical for an organization to implement Updated with current real-world risks Based on controls that can be reviewed and audited Reliable so that your vendors and customers can accept it There are many risk management frameworks that one can choose from and it important to understand the advantages of each. Common risk management frameworks include: NIST CSF SOC 2 ISO 27001 HITRUST NIST (National Institute of Standards and Technology) framework is a comprehensive cybersecurity framework (CSF).  It is very widely accepted across different company sizes and business domains. Most cyber-security professionals are well aware of this framework as it is readily available.  Although widely available and very popular there is no certified third-party audit mechanism. Hence, it can only be self-assessed.   SOC 2 Type 2 is an internal controls report based on the scope you define.  It is widely used in the United States to show the maturity of your controls.  A CPA firm that is part of the American Institute of CPAs (AICPA) conducts the audit & issues an assessment report.  The AICPA does not audit/review the assessment for completeness or quality.  HITRUST CSF is a framework that came leverages NIST, SOC, and ISO along with others to create a more comprehensive standard.  It is widely implemented in the United States by organisations in the healthcare space.  Unlike others, although there are external assessors that are involved in the certification process, HITRUST reviews all assessments and issues the certificate. Additionally, among all the frameworks above it tends to be the most expensive to implement.  It is important to choose a framework that matches your long-term security goals & needs.  At Accorian, we work with all of the above frameworks. We help organizations choose the right framework and aid with the implementation. This is done by augmenting our team into your security team to help steer the rollout, aid with query resolution, choosing of the right controls & workaround during mitigation advisory, facilitating the selection of vendors & products and end to end program management. 

View More

Article

1 Minute Guide to the Updated HITRUST Scoring & Metrics for 2020

At the start of the year, HITRUST released an updated methodology for scoring requirements. This will ensure that organizations focus on maintaining a robust program with implemented controls for enhancing security posture and adherence to HITRUST. Hence, if you’re on the path to HITRUST or new to it, the following will be applicable to you: HITRUST will now place a greater influence on implementation of controls It can potentially increase the number of Corrective Action Plans (CAPs) due to gaps in implementation. The increase in CAP’s in implementation would correspond with a decrease in the number of CAPs attributed to gaps in policies and procedures as well as an increase in the scores for managed & measured if implemented well. A greater emphasis will be placed on procedure in comparison to policy. HITRUST wants to ensure that SOPs are well documented, but more importantly, followed with workflows and ownership. Assessors and enterprises will now be able to objectively score each control using the Control Maturity Rubric. Managed now holds greater importance in comparison to measured. The key takeaways are as follows: 1) Change in weightage Maturity LevelsOldNewPolicy25%15%Procedure25%20%Implemented25%40%Measured15%10%Managed10%15% 2) Updated HITRUST Control Maturity Rubric An objectively defined control maturity rubric is in place. It will aid in quantifying current state of controls during self-assessments for HITRUST prospective enterprises & for validated assessments. There are 5 tiers for assessing the strength of the control (policy, procedure, implementation, measurement and management) and 5 tiers for assessing coverage and adherence. 3) Applicability The new scoring rubric is applicable for all myCSF material created and all assessments (self and validated) submitted to HITRUST in the year 2020. 4) Will the new scoring metrics impact already certified organizations? Not yet, but it will play a role in re-certification. The metrics associated with the original assessment will be applicable for the interim assessment.  Due to the updated assessment guidelines, companies up for re-certification will be required to implement their CAPs associated with implementation. In turn, this will aid in increasing your implementation score, and, consequently, increase your scores for measured and managed.

View More

Article

We are proud of our client, Novus Health Systems, for achieving HITRUST r2 certification. Congratulations.

“We are proud of our client, Novus Health Systems, for achieving HITRUST r2 certification. Congratulations.” In today’s ever-changing threat landscape, HITRUST is continually innovating to find new and creative approaches to address challenges, said Jeremy Huval, Chief Innovation Officer, HITRUST. This achievement places Novus in an elite group of organizations worldwide that have earned this certification. Read More

View More

Article

KPI Ninja Earns HITRUST r2 Certification for Information Security

Congratulations to our client KPI Ninja by Health Catalyst on their HITRUST certification! The certification ensures KPI Ninja meets the key compliance requirements included across a wide rang of industry standards and frameworks, and federal and state regulations. Read More

View More

Article

“Congratulations Inovaare Corporation on their HITRUST certification! Glad we could play a part in it.”

Inovaare Corporation, a compliance, and operations management software provider leading digital transformation within the healthcare industry, today announced its platform, data center, and offices earned Certified status for information security by HITRUST.HITRUST CSF® Certification validates Inovaare is committed to meeting key regulations and protecting sensitive information. To know More Click Here

View More

Article

“Congratulations to our client FastTrack for getting HITRUST certified.”

A total team effort involving our assessor team, along with the FastTrack team. FastTrack today announced that it has attained HITRUST’s prestigious CSF® Certification for key implemented systems and infrastructures that support our suite of Life & Disability Transformation Solutions, exceeding strict regulatory and industry-defined requirements for comprehensive security and risk management compliance. To know More Click Here

View More

Article

Accorian Achieves HITRUST CSF Assessor Designation

Accorian a leading provider of cyber security services, today announced that it has been designated as a HITRUST CSF® Assessor by HITRUST. With this achievement, Accorian, is now approved to provide services using the HITRUST CSF, a comprehensive security framework that addresses the multitude of security, privacy and regulatory challenges facing organizations in order to comply with healthcare (HIPAA, HITECH), third-party (PCI, COBIT), government (NIST, FTC) and other industry specific regulations and standards. CSF Assessors are critical to helping uphold information security and privacy standards for various industries of varying size and complexity and are a core component of the HITRUST CSF program by providing trained resources to assess compliance with security control requirements and document corrective action plans that align with the HITRUST CSF. HITRUST CSF Assessors such as Accorian, serve as a key component of the program by providing assessment and remediation services to all industries that deal with PHI and/or PII. “We are very excited to become a HITRUST CSF Assessor firm as we continue to see a need for security framework for companies,” said Premal Parikh, Managing Director of Accorian. “With our focus on health care companies, this achievement is the perfect complement to it.” “HITRUST has been working with the industry to ensure the appropriate information protection requirements are met when sensitive information is accessed or stored in a cloud environment,” said Ken Vander Wal, Chief Compliance Officer of HITRUST. “We are pleased that Accorian has taken the steps necessary to become a designated HITRUST CSF Assessor, and we expect their customers to have confidence in this designation.” For more information please contact Shalin Kadakia", Marketing Manager, Accorian. info@accorian.com www.accorian.com

View More

Resources

Article

HITRUST CERTIFICATION: IMPORTANCE IN HEALTHCARE

Being HITRUST-certified is one-way companies can demonstrate their commitment to security and privacy to clients and partners Healthcare is one of the most highly regulated industries regarding privacy and security. There is a good reason for this, too, as personal health information (PHI) is some of the most valuable information for cybercriminals and people that commit fraud. According to the US Department of Health and Human Services 2020 Healthcare Breach Report, the average cost per breached record is $499 and can be sold for over $1000. As a result, PHI has become highly targeted by criminals, and to combat this, regulations and security standards have been created to ensure that businesses protect this information correctly. This article will discuss a popular security framework and certification in the healthcare industry called HITRUST. What is HITRUST Certification? HITRUST, created in 2007, is a standards and certification body that helps organizations manage information security, privacy, and regulatory compliance. Organizations that achieve HITRUST certification have passed the framework checks and have shown an ability to adhere to the security requirements of HIPAA.  Then there is the HITRUST CSF framework. What is HITRUST CSF The HITRUST CSF is a certifiable security and privacy controls framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. Developed in collaboration with data protection professionals, the HITRUST CSF provides structure, transparency, guidance, and cross-references to 40+ authoritative sources, standardizing requirements and providing clarity and consistency. The HITRUST CSF is regularly updated as mapped authoritative sources change and new sources are introduced. Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through various factors, including organization type, size, systems, and regulatory requirements. The HITRUST CSF assurance program combines aspects of many popular security frameworks, including ISO, NIST, PCI, and HIPAA. So it’s not limited to just evaluating companies based on HIPAA requirements. There is a roadmap that organizations can follow to achieve data security and compliance with HIPAA.  Why is HITRUST Important in Healthcare? Whether you are a healthcare provider or a processor of healthcare information, you have a big responsibility to ensure that you protect that information. Not only is this heavily mandated through regulations like HIPAA, but your potential clients will want to know that you can uphold these standards as part of their requirements for doing business with you. Being HITRUST certified is one-way companies can demonstrate their commitment to security and privacy to potential clients and business partners. HITRUST vs. HIPAA The relationship between HITRUST and HIPAA can be confusing at first. However, it’s essential to understand that they are not the same but are closely related. HIPAA stood for the Health Insurance Portability & Accountability Act and was passed by Congress in 1996. While HIPPA is a regulation created by lawmakers, HITRUST is a framework developed by security experts that covers key aspects of HIPAA compliance and draws from dozens of other authoritative sources, as well. One of the issues organizations face with HIPAA compliance is translating somewhat vague requirements into quantifiable and measurable criteria and objectives. HITRUST helps companies achieve this by providing a framework for identifying the organization's appropriate administrative, technical, and physical safeguards.  HITRUST Certification Requirements Now that we’ve discussed the value of HITRUST in the healthcare industry, let’s look at how a company can become certified. For an organization to become HITRUST certified, it must undergo a validated assessment by a HITRUST assessor firm. The company must purchase a MyCSF subscription from HITRUST and a certification report credit. Upon completion of the validated...

View More

Article

HITRUST® introduces the leaner version of the Validated HITRUST Assessment – The Implemented, 1-Year (i1) Validated Assessment + Certification

HITRUST, recently, announced the implementation of a new annual HITRUST Assessment + Certification, the i1. The aim of this release is to provide a cybersecurity assessment that remains continuously relevant by utilizing the latest threat intelligence to address information security risks and emerging cyber threats like ransomware and phishing.  Experts highly tout the "Gold Standard" for information security assurances as the original HITRUST Validated Assessment, which is now dubbed the r2. The HITRUST Risk-based, 2-Year r2 Validated Assessment + Certification uses the HITRUST CSF® cybersecurity framework to unify and harmonize controls from many regulatory and industry frameworks, including HIPAA, GDPR, and PCI-DSS. It often considered as a sort of “one framework to rule them all”, and organizations that implement a properly scoped HITRUST r2 Assessment can include more than 40 authoritative sources to conform to a variety of cybersecurity regulations and standards. The HITRUST a 2-year risk-based and tailorable assessment, which continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors. The new HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification is the first information security assessment of its kind and possesses attributes that other assurance programs do not have. The assessment's design and control selection place it in a new category of threat-adaptive information security assessments, which evolve with emerging risks and new threats while also retiring irrelevant controls. The HITRUST i1 Assessment is designed to: Designed to maintain control requirements that mitigate existing and emerging threats by providing updates as new threats are identified. The assessment is threat-adaptive, prescriptive, and concentrates on controls that are relevant to risk. Sunset controls that have lost relevance and have limited assurance value based on the effort required to comply or assess. Delivers greater reliability than other moderate assurance options due to its unique control selection and assurance program design. The HITRUSTi1 Validated Assessment + Certification is a “best practices” assessment that consists of 219 pre-selected controls. The design of the assessment was based on relevant information security risks and emerging cyber threats. It provides coverage for numerous standards, such as NIST 800-171, GLBA Safeguards Rule, HIPAA Security Rule, and Health Industry Cybersecurity Practices (HICP). Although the HITRUST i1 is a leaner version of the r2, the evaluation process is still incredibly rigorous and provides the same credibility associated with the original HITRUST Assessment. Examination of the Five Maturity Levels Tested in r2 and i1 Assessments Policy– Detail management’s requirements for the organization and in=scope systems Procedures– Document the organization’s methods for implementing policies Implemented– Demonstrate how the organization implemented policies and procedures Measured– Examine how the organization evaluates its program Managed– Show how the organization continuously manages risk Conclusion Although some organizations may consider the i1 assessment to be less assuring than the r2 assessment, the i1 provides several benefits due to its threat-adaptive approach paired with an annual assessment cycle. The HITRUST i1 concentrates solely on the implemented PRISMA maturity level, thus limiting the scope of assessment and helping reduce the preparation required. The i1 considers particular "Evaluative Elements" to confirm the complete implementation of each control, and an organization can be evaluated based solely on the level of implementation. An i1 assessment can serve as either a readiness assessment, (which includes an identification and remediation report), or a validated assessment, (which includes a requirements check and an official certification.) It’s recommended that every organization start with a readiness assessment to get a detailed report on your organization’s cybersecurity posture and remediation requirements before performing a Validated i1 Assessment. This is important in finding vulnerabilities within your organization...

View More

Article

The Journey from HIPAA Compliance to HITRUST Certification

In today’s complex technological world, there is always the danger of a hostile threat environment lurking around the corner, waiting to manipulate the potholes in the processes and technology. People and organizations with malicious intent always try to act upon such opportunities and cause everlasting damage to the organization’s reputation and finances. In such a scenario, securing information and information assets of the organization are of paramount importance. There are several ways to secure information and information assets within an organization. Some organizations may deploy strict controls like access control, secure equipment sitting area, authorization, and authentication, etc. The healthcare industry is no different and is not safe from the malicious intent of hackers and trespassers. Sensitive healthcare information like patient data, patient recovery status, personal information, etc. always needs to be safeguarded. Hence, the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, which outlines protection and security standards for health care data. HIPAA is a public law that can be considered landmark legislation when it was enacted in the ‘90s.  Before its enactment, there were no security standards or requirements for protecting health care information.  While HIPAA is an act that details standards for compliance, HITRUST is an organization that helps you achieve those standards by the means of industry-acclaimed certification. Transitioning from HIPAA Compliance to HITRUST Certification When an organization transitions from being HIPAA Compliant to being getting HITRUST certified, is not a straightforward and simple journey altogether. This involves a lot of effort and adjustments along the way on the part of the organization. Often organizations who are HIPAA compliant, assume, that getting HITRUST certification is an easy walk. But in reality, the path to HITRUST certification is very robust and cumbersome. HITRUST certification is an exhaustive and comprehensive certification process and organizations often must scale up their efforts to get compliant. The common pitfalls or roadblock often faced by organizations in the journey from HIPAA to HITRUST are: HITRUST requires exhaustive policies and procedures to be in place spread across 19 domains of Information Security. Organizations often fall short of producing the exhaustiveness or robustness in their documentation that HITRUST mandates HITRUST certification process mandates the actual implementation of solutions and security controls. In many cases, organizations that are HIPAA compliant do not have enough security controls in place to be even eligible for HITRUST certification HIPAA compliance is a self-declaration made by the management of the organization keeping in view the security posture of the entity. In most cases when the organization goes for HITRUST certification, it comes as a revelation as they do not clear the HITRUST certification because of not having a good enough security posture. HITRUST certification is a very comprehensive and robust assessment of the security posture of an entity HITRUST mandates the storage and secure treatment sensitive and covered information should get. Covered information includes ePHI, PII, etc. In comparison to HIPAA, HITRUST is more particular and employs strict measures about the secure handling of ePHI As opposed to HIPAA, which has defined penalties for security breaches, the enforcement of HITRUST is dependent on the healthcare industry itself, typically covered entities like hospitals and payers, requiring HITRUST CSF Certification of vendors HITRUST also claims that with their framework, you can “assess once and report many” – which means that a HITRUST Certification can be used as the building block to attain other certifications and reports such as a SOC II or NIST 800-53.  Thus, HITRUST can be labeled as more versatile and comprehensive How to attain HITRUST Certification? Without a standardized framework, process, and certifying body, HIPAA...

View More

Article

Risk Management Framework – Managing & Measuring what matters

A risk management program allows you to manage overall information security risk.  It is an approach to identify, quantify, mitigate, and monitor risks.  The reason to look at risk in a comprehensive manner is to make sure no one area is getting too much attention or, too little. Frameworks also help you identify the bigger elements of risk that need review and mitigation. Additionally, it help you to prioritize the treatment of certain risks. The adherence to risk frameworks also helps give your customers comfort that a standard risk management is in place and hence, reduce your audit burden.  Typically, a Risk Management program comprises of the following phases: Risk identification Risk analysis Risk evaluation Risk treatment Risk Monitoring A good risk management framework will have the following characteristics: Comprehensive in types of risks it covers Practical for an organization to implement Updated with current real-world risks Based on controls that can be reviewed and audited Reliable so that your vendors and customers can accept it There are many risk management frameworks that one can choose from and it important to understand the advantages of each. Common risk management frameworks include: NIST CSF SOC 2 ISO 27001 HITRUST NIST (National Institute of Standards and Technology) framework is a comprehensive cybersecurity framework (CSF).  It is very widely accepted across different company sizes and business domains. Most cyber-security professionals are well aware of this framework as it is readily available.  Although widely available and very popular there is no certified third-party audit mechanism. Hence, it can only be self-assessed.   SOC 2 Type 2 is an internal controls report based on the scope you define.  It is widely used in the United States to show the maturity of your controls.  A CPA firm that is part of the American Institute of CPAs (AICPA) conducts the audit & issues an assessment report.  The AICPA does not audit/review the assessment for completeness or quality.  HITRUST CSF is a framework that came leverages NIST, SOC, and ISO along with others to create a more comprehensive standard.  It is widely implemented in the United States by organisations in the healthcare space.  Unlike others, although there are external assessors that are involved in the certification process, HITRUST reviews all assessments and issues the certificate. Additionally, among all the frameworks above it tends to be the most expensive to implement.  It is important to choose a framework that matches your long-term security goals & needs.  At Accorian, we work with all of the above frameworks. We help organizations choose the right framework and aid with the implementation. This is done by augmenting our team into your security team to help steer the rollout, aid with query resolution, choosing of the right controls & workaround during mitigation advisory, facilitating the selection of vendors & products and end to end program management. 

View More

Article

1 Minute Guide to the Updated HITRUST Scoring & Metrics for 2020

At the start of the year, HITRUST released an updated methodology for scoring requirements. This will ensure that organizations focus on maintaining a robust program with implemented controls for enhancing security posture and adherence to HITRUST. Hence, if you’re on the path to HITRUST or new to it, the following will be applicable to you: HITRUST will now place a greater influence on implementation of controls It can potentially increase the number of Corrective Action Plans (CAPs) due to gaps in implementation. The increase in CAP’s in implementation would correspond with a decrease in the number of CAPs attributed to gaps in policies and procedures as well as an increase in the scores for managed & measured if implemented well. A greater emphasis will be placed on procedure in comparison to policy. HITRUST wants to ensure that SOPs are well documented, but more importantly, followed with workflows and ownership. Assessors and enterprises will now be able to objectively score each control using the Control Maturity Rubric. Managed now holds greater importance in comparison to measured. The key takeaways are as follows: 1) Change in weightage Maturity LevelsOldNewPolicy25%15%Procedure25%20%Implemented25%40%Measured15%10%Managed10%15% 2) Updated HITRUST Control Maturity Rubric An objectively defined control maturity rubric is in place. It will aid in quantifying current state of controls during self-assessments for HITRUST prospective enterprises & for validated assessments. There are 5 tiers for assessing the strength of the control (policy, procedure, implementation, measurement and management) and 5 tiers for assessing coverage and adherence. 3) Applicability The new scoring rubric is applicable for all myCSF material created and all assessments (self and validated) submitted to HITRUST in the year 2020. 4) Will the new scoring metrics impact already certified organizations? Not yet, but it will play a role in re-certification. The metrics associated with the original assessment will be applicable for the interim assessment.  Due to the updated assessment guidelines, companies up for re-certification will be required to implement their CAPs associated with implementation. In turn, this will aid in increasing your implementation score, and, consequently, increase your scores for measured and managed.

View More

Article

We are proud of our client, Novus Health Systems, for achieving HITRUST r2 certification. Congratulations.

“We are proud of our client, Novus Health Systems, for achieving HITRUST r2 certification. Congratulations.” In today’s ever-changing threat landscape, HITRUST is continually innovating to find new and creative approaches to address challenges, said Jeremy Huval, Chief Innovation Officer, HITRUST. This achievement places Novus in an elite group of organizations worldwide that have earned this certification. Read More

View More

Article

KPI Ninja Earns HITRUST r2 Certification for Information Security

Congratulations to our client KPI Ninja by Health Catalyst on their HITRUST certification! The certification ensures KPI Ninja meets the key compliance requirements included across a wide rang of industry standards and frameworks, and federal and state regulations. Read More

View More

Article

“Congratulations Inovaare Corporation on their HITRUST certification! Glad we could play a part in it.”

Inovaare Corporation, a compliance, and operations management software provider leading digital transformation within the healthcare industry, today announced its platform, data center, and offices earned Certified status for information security by HITRUST.HITRUST CSF® Certification validates Inovaare is committed to meeting key regulations and protecting sensitive information. To know More Click Here

View More

Article

“Congratulations to our client FastTrack for getting HITRUST certified.”

A total team effort involving our assessor team, along with the FastTrack team. FastTrack today announced that it has attained HITRUST’s prestigious CSF® Certification for key implemented systems and infrastructures that support our suite of Life & Disability Transformation Solutions, exceeding strict regulatory and industry-defined requirements for comprehensive security and risk management compliance. To know More Click Here

View More

Article

Accorian Achieves HITRUST CSF Assessor Designation

Accorian a leading provider of cyber security services, today announced that it has been designated as a HITRUST CSF® Assessor by HITRUST. With this achievement, Accorian, is now approved to provide services using the HITRUST CSF, a comprehensive security framework that addresses the multitude of security, privacy and regulatory challenges facing organizations in order to comply with healthcare (HIPAA, HITECH), third-party (PCI, COBIT), government (NIST, FTC) and other industry specific regulations and standards. CSF Assessors are critical to helping uphold information security and privacy standards for various industries of varying size and complexity and are a core component of the HITRUST CSF program by providing trained resources to assess compliance with security control requirements and document corrective action plans that align with the HITRUST CSF. HITRUST CSF Assessors such as Accorian, serve as a key component of the program by providing assessment and remediation services to all industries that deal with PHI and/or PII. “We are very excited to become a HITRUST CSF Assessor firm as we continue to see a need for security framework for companies,” said Premal Parikh, Managing Director of Accorian. “With our focus on health care companies, this achievement is the perfect complement to it.” “HITRUST has been working with the industry to ensure the appropriate information protection requirements are met when sensitive information is accessed or stored in a cloud environment,” said Ken Vander Wal, Chief Compliance Officer of HITRUST. “We are pleased that Accorian has taken the steps necessary to become a designated HITRUST CSF Assessor, and we expect their customers to have confidence in this designation.” For more information please contact Shalin Kadakia", Marketing Manager, Accorian. info@accorian.com www.accorian.com

View More

What Our
customers are
saying about us

Read Testimonials

Team Certifications

The Accorian Advantage

Accorian’s cybersecurity and compliance teams bring a wealth of experience to help navigate organizations through their information security journey. Our hands-on, white-glove approach combined with a goal-oriented, proven methodology brings both fiscal value and expertise to each of our clients. The facts speak for themselves.

    Ready to Start?

    We are Qualified

    we are qualified
    we are qualified
    we are qualified

    SECURITY COMPLIANCE & ASSESSMENT SERVICES
    CONSULTING & ASSESSMENT SERVICES

    PENETRATION TESTING

    RED TEAM ASSESMENTS

    TECHNOLOGY STAFFING

    Contact Info

    E. info@accorian.com

    T. +1-732-443-3468

    Contact With Us

    Office Address

    Accorian Head Office

    6,Alvin Ct, East Brunswick, NJ 08816 USA

    Accorian Canada

    Toronto

    Accorian India

    401,402, Prestige Towers, Residency Rd., Shanthala Nagar, Ashok Nagar, Bengaluru, Karnataka 560025, India

    Shukla CPA, d.b.a Accorian Assurance is a licensed, certified public accounting firm registered with the American Institute of Pubic Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB). Esha IT Corp d.b.a Accorian is a global leader in cybersecurity and compliance professional services.

    © 2023 Accorian. All Rights Reserved.

      Ready to Start?

      Download Case study

      Download SOC2 Guide

      Human Resources Director

      Posted On: 09 May, 2022

      Drop your CVs to joinourteam@accorian.com

        Interested Position
        First Name
        Last Name
        Email
        Total Experience
        Mobile Number
        Upload Resume
        Cancel