HITRUST
Protection of patient and other sensitive healthcare information is a top priority for all healthcare organizations, which entails compliance with a growing range of regulations. Staying on top of all the relevant standards can be daunting for stakeholders across a broad array of healthcare service organizations, associates, and vendors.
HITRUST recently released the e1 and i1 assessment versions to enhance mitigation against evolving cyber threats and to speed up the transition to higher levels of assurance.
The Health Information Trust Alliance (HITRUST) strives to address such problems by:
- Offering an integrated security strategy
- Introducing a mechanism to certify compliance with HIPAA security criteria through a third-party assessor
HITRUST provides a comprehensive, risk-based certifiable framework that helps healthcare service providers of all types, sizes, and complexity integrate compliance with a wide range of regulations, standards, and best practices.
Why Choose Accorian?
- We specialize in aiding organizations of various sizes in the healthcare industry
- We are a full-service cybersecurity and compliance service provider
- We have years of experience providing security compliance, information security implementation, and testing services.
- As an authorized HITRUST CSF Assessor, our qualified security professionals can get you started with successfully scoping for your assessment and facilitating the process to reduce the cost, time, and resources.
HITRUST’s CSF
HITRUST developed and maintains the Common Security Framework (CSF), which provides a mechanism for standardizing Health Insurance Portability and Accountability Act (HIPAA) compliance and coordinating it with other national and international data security standards, in addition to numerous state laws.
The HITRUST CSF certification allows healthcare organizations to perform a single assessment, by integrating more than 20 distinct standards and processes, to certify compliance with multiple initiatives, including a HIPAA compliance audit.
How Important Is HITRUST?
The healthcare sector generally drives and controls HITRUST enforcement, while HIPAA establishes specific consequences for data security violations.
The industry, including hospitals and payers requiring certification, has seen swift adoption of HITRUST, and it is gaining ground as an expectation for service providers and vendors.
It’s not always necessary to get HITRUST certification when implementing new technology, but it provides opportunities to streamline security and compliance as part of the implementation process.
When And Why Should You Adopt HITRUST?
You can benefit from HITRUST in a multitude of ways.
Types of HITRUST Assessments
It may be a daunting task to choose the correct HITRUST assessment when you want to analyze and express assurances about the security of protected health information (PHI).
Consider assessments that help guarantee passing an audit by the Office for Civil Rights, the agency within the Department of Health and Human Services that enforces the penalties associated with the HIPAA Privacy and Security Rules.
The HITRUST CSF certification offers healthcare businesses a variety of examinations. Each of them serves a distinct goal and employs a different methodology. Let’s take a closer look at each one to see which one is right for your organization.
01. HITRUST e1 Assessment
The e1 version offers ‘good hygiene’ assurance over 44 controls for organizations with low-level information security risk. It is ideal for small organizations or start-ups with limited resources that want to differentiate themselves in the marketplace. It’s a faster option to establish a benchmark security posture and identify coverage gaps.
02. HITRUST Implemented, 1-Year (i1) Validated Assessment
This one-year certification is for healthcare organizations and business partners that need moderate assurance. It focuses on a list of controls that HITRUST chooses and updates every year. These controls are tested for how well they are being used. Our assessors will look over the assessment, make sure it is correct, and send it to HITRUST for approval.
03. HITRUST Risk-Based, 2-Year (r2) Validated Assessment
HITRUST CSF assessments look at the different controls that are in scope and how mature they are in the Policy, Procedure, Implemented, Measured, and Managed categories. HITRUST certifications can be earned through validated assessments if you receive a satisfactory assessment score.
It is suggested that new clients do a self-assessment first to get a sense of where they are standing in terms of their score. Our assessors take the time to help clients understand all parts of the assessment and give helpful suggestions for improving scores in areas where they are low.
04. HITRUST Interim Assessment
As required by HITRUST, all validated assessments must be followed by an interim assessment within the first year after certification. The interim assessment checks to see if the controls still work and looks at how well any Corrective Action Plans that were made during the initial validation process are being followed.
05. Bridge Assessment
What happens when an organization that is already HITRUST CSF certified can’t finish its next HITRUST CSF Validated Assessment before its current certificate expires? In such a case, the Bridge Assessment fills the gap.
A Bridge Assessment is similar to an Interim Assessment since it only looks at a limited number of controls and gives an organization a temporary certificate that is acceptable for 90 days. This lets the organization keep working with those who requested HITRUST certification and also finish the next Validated Assessment.
Comparing HITRUST Assessments
Who Should Get an e1 Certification?
The e1 certification can be used for reliable, efficient cybersecurity reviews of:
- New business units
- Recently deployed technology platforms
- Prospective or newly onboarded third-party business partners such as vendors
- Existing, lower-risk vendors (e.g., those who handle little to no PII)
- Scope, systems, or vendors with minimum inherent risk but that are part of a system with greater aggregate risk
- An organization’s practices in support of M&A transactions (buy side or sell side)
- Near-term review and baseline scoring of a newly acquired organization’s initial cybersecurity maturity
- Justification for more favorable cyber insurance premiums
Accorian’s HITRUST Services
Our team of experts has extensive experience helping clients comply with healthcare security and information security standards. Our HITRUST assessors’ recommendations are transparent and actionable.
We know the complexity of day-to-day IT and security operations, so we’ll never deliver a standard auditor guide or playbook response. We make sure you fully understand and can execute recommendations, personalized for you. From HIPAA to HITRUST and any needs in between, we can support your organization.
- Gap Assessment
- Facilitated Self-Assessment
- Validation/Certification
- Interim Assessment
- Bridge Assessment
- Continuous Monitoring of Framework Compliance
- Third-Party Risk Management Program
- Healthcare Risk Analysis & Advisory
Resources
The Role of HITRUST CSF in Achieving Cyber Resilience
Healthcare organizations depend heavily on connected systems to provide essential services in today’s digital world. But there’s a growing concern behind all this technological progress: their vulnerability to cyber threats. Imagine that regular hospital operations are disrupted not by a medical emergency but by a cyber-attack compromising vital patient data. This emphasizes the urgent need for solid strategies to ensure cyber resilience in the healthcare industry.

This article, based on HITRUST’s “TRUST REPORT: Navigating the Landscape of Trust in Information Assurance,” delves into how the HITRUST framework helps organizations increase their defenses against security attacks. HITRUST recognizes the necessity of being prepared in today’s digital landscape. Their report offers valuable insights on how organizations can improve cyber resilience and protect themselves from potential security attacks.

How Does HITRUST CSF Strengthen Cyber Resilience?
To decipher this, first grasp the concept of cyber resilience. Cyber resilience means keeping your business running smoothly by protecting against and avoiding cyber-attacks. The HITRUST framework is a critical tool that helps organizations achieve and demonstrate their ability to handle these challenges effectively. The HITRUST framework promotes cyber resilience, enabling organizations to detect, protect against, respond to, and recover from cyber incidents. A HITRUST certification indicates that the organization has a stronger capability to mitigate cybersecurity issues. HITRUST certification confirms that a company has satisfied strict cybersecurity standards, demonstrating its capacity to continue operations amid cyber threats.

HITRUST Certification and Continuity
Once certified, HITRUST certification remains valid for a specified duration: two years for r2 certification and one year for i1 or e1 certification, provided the organization meets certain conditions, which include:
1. No data security breaches are reported to federal or state agencies within or affecting the assessed environment.
2. Annual progress is made on areas identified in the Corrective Action Plan(s) (CAPs).
3. There are no significant changes in business or security policies, practices, controls, and processes that could affect the organization’s ability to meet certification criteria.

HITRUST CSF Responding to Security Breaches
While no organization is immune to cyber threats, HITRUST-certified entities are better prepared to manage incidents. As per the TRUST Report (2024), in 2022 and 2023 only 0.64% of organizations that received HITRUST certifications reported a security breach to HITRUST in their certified environment over that same period. HITRUST requires enterprises to make annual progress on CAPs so that they not only meet the evaluated level of cyber resilience but also continue to strengthen their cyber resilience capabilities. In the event of a security breach, HITRUST collaborates with the organization to assess the impact and enhance the HITRUST framework based on incident insights. This continuous improvement cycle strengthens overall resilience against evolving cyber threats.

Annual Progress and Control Maturity
Annual progress on Corrective Action Plans is integral to maintaining and enhancing cyber resilience capabilities. HITRUST requires organizations to show progress on Corrective Action Plans (CAPs) annually. In 2023, HITRUST found that 28% of assessments did not need a CAP. For assessments requiring CAPs (r2 assessments), 92% of these CAPs were resolved by the interim evaluation, typically held one year after certification. This ensures organizations maintain their cyber resilience and strengthen their security posture. If an organization’s HITRUST scores fall below a certain threshold during assessments, it must create a CAP to improve security. This requirement means that organizations with HITRUST certification consistently improve their security more than those without it.

HITRUST Proactive Approach
Recognizing the dynamic nature of organizational settings, HITRUST supports certified entities through periods of significant change. This proactive approach enables organizations to adapt while maintaining compliance with HITRUST standards, ensuring continuous certification validity. Recent data…
Leveraging HITRUST MyCSF Portal
In today's dynamic cyber landscape, the HITRUST MyCSF portal empowers organizations to navigate complex information security requirements and ensure robust protection against threats. It is not just a tool but a vital resource for extensive risk management, streamlining the HITRUST assessment, and ensuring HITRUST certification compliance. It also enhances an organization’s security posture.

The HITRUST MyCSF portal is designed to quickly and efficiently assimilate all stakeholders into a cohesive trust system. It enables organizations to efficiently manage their HITRUST assessments and certifications by blending efforts with assessors, service providers, relying parties, and HITRUST. This centralized approach allows for better documentation, communication, and performance improvement in information security, providing a sense of reassurance and confidence in the process.

About HITRUST MyCSF Portal
The portal features robust internal reporting capabilities that provide substantial benefits. Despite being underutilized, these capabilities hold immense potential. Organizations can leverage MyCSF creatively and effectively to produce executive-level reports that boost confidence, enrich data-driven decision-making, prioritize resources, and drive strategic outcomes. MyCSF offers versatile on-demand internal reporting options, enabling organizations to efficiently gather, analyze, and configure cybersecurity data from their repository. With intuitive navigation and precise filtering, teams can generate impactful heat maps, dashboards, and visual reports. These tools communicate cybersecurity status, highlight improvement opportunities, set performance benchmarks, demonstrate compliance levels, and meet essential GRC (Governance, Risk, and Compliance) needs.

Features of HITRUST MyCSF Portal
The portal helps organizations enhance efficiency in evaluating, managing, and reporting information risk and compliance through the following features:
- Support for HITRUST Certification Phases: Leverage data from previous results and apply it to distinct assessments to meet changing business needs.
- Customize and Configure: Optimizes the evaluation process by setting the most appropriate control requirement statements for flexibility during r2 tests. Create and save bespoke control libraries for targeted assessments.
- Centralize Corrective Action Plans (CAPs): Manage all CAPs in one place, including those from non-HITRUST evaluations.
- Assessment Tracking for CSF Reports: Simplify monitoring of HITRUST-reviewed requirement statements and respond to HITRUST assurance comments.
- Integrate and Exchange Data via Robust API: Streamline data sharing with various systems, including GRC tools.
- Centralize Assessments: Maintain a library of past and current assessment results with supporting documentation, including links to control requirements and maturity domains. These links are crucial, as they provide a comprehensive understanding of the assessment results and their implications. They also help locate and view uploaded evidence using an in-browser document reader.
- Model HITRUST Assessment Results: Preview the impact of changes in scope, authoritative sources, or framework version on an assessment before integration.
- Create Advanced Analyses and Dashboards: Generate customized reporting, charts, and dashboards based on HITRUST assessment scoring.
- Inherit Controls: Inherit results and scores from existing assessments and other HITRUST-certified service providers, including industry-leading cloud service providers. This feature simplifies the assessment process, reduces redundancy, and ensures all relevant controls are addressed without duplicating efforts.
- Insight Reporting: Report insights to understand the HITRUST assessment scoring.
- Results Distribution System (RDS): Store and efficiently distribute assessment results to stakeholders. It ensures transparency and allows organizations to confidently share their security posture with customers, partners, and regulatory bodies.

Benefits of MyCSF Portal
Here are some benefits of utilizing the MyCSF portal for assessments and risk management:
- Automates the assessment workflow and submission process, distributing phases between HITRUST, the assessed organization, and external HITRUST assessors
- Enhances the reliability and accuracy of HITRUST assessment reports with intelligent analytics
- Delivers profound insights into an organization’s security maturity, facilitating precise reporting and informed decision-making
- Facilitates the inheritance of controls from external entities, streamlining the assessment process for organizations that utilize...
What is HITRUST CSF in Healthcare?
With the advent of digitalization and AI, technology is becoming integral to how we handle sensitive patient data. But with this advancement comes a critical need to ensure strong cybersecurity and compliance with regulations like HIPAA. Here, you might wonder, why HITRUST? Well, it's a leading framework designed specifically to help healthcare organizations meet these crucial goals.

Think of this: every day, your healthcare organization processes vast amounts of sensitive patient data. This data is invaluable, not just to you but to cybercriminals as well. Now, think about the potential consequences of a data breach: financial loss, legal repercussions, and most importantly, the loss of trust from your patients. The stakes are high, and this is where HITRUST comes into play. Developed in response to HIPAA, HITRUST provides a structured and reliable way to protect patient data, ensuring both security and compliance. Now, let’s dissect it further, starting from the ABCs.

What is HITRUST?
HITRUST stands for Health Information Trust Alliance. It is a comprehensive toolkit tailored to tackle the unique security challenges in the healthcare industry. It was created in response to HIPAA and developed by a coalition of healthcare and information security experts. The beauty of HITRUST is its flexibility; it allows organizations of all sizes to customize and implement controls that fit their specific needs. HITRUST allows organizations to tailor and modify their security controls to preserve system integrity and ensure uniformity across various applications. Designed to accommodate organizations of all sizes and regulatory requirements, the HITRUST framework offers a high level of assurance for assessing compliance status. Additionally, it equips assessors with the necessary tools and resources to evaluate how effectively an organization manages its risk mitigation efforts.

Its Origin Story
HITRUST came into existence in 2007, right when data breaches in healthcare were becoming alarmingly frequent and costly. Its main aim was to provide a standardized way to manage information security risks and protect sensitive health data. Over the years, it has become a trusted compliance standard that many healthcare organizations rely on. The Health Information Trust Alliance was founded by a collective of healthcare organizations, including service providers, insurers, technology suppliers, and security specialists. These stakeholders, recognizing the necessity for a cohesive strategy in healthcare data security, collaborated to create a comprehensive framework tailored to address the specific challenges faced by the industry.

Why Should You Go for HITRUST?
Here are some key reasons:
- Extensive Security Measures: HITRUST delivers security measures specifically tailored for the healthcare sector, effectively addressing prevalent threats and vulnerabilities.
- Protection of Sensitive Data: It ensures the protection of sensitive health information from unauthorized access and potential misuse.
- Compliance with Regulations: HITRUST aligns with regulatory requirements such as HIPAA, providing a structured and systematic approach to compliance.
- Increased Trust and Credibility: Obtaining HITRUST certification demonstrates a robust commitment to data security, fostering trust among patients, partners, and stakeholders.
- Market Differentiation: HITRUST certification can distinguish your organization from others, attracting partners and patients who prioritize data security.

HITRUST vs. HIPAA
HIPAA is a federal law that lays down the rules for protecting health information. But here’s the catch: HIPAA doesn’t really tell you how to prove you’re following those rules. That’s where HITRUST comes in. Consider HITRUST as the roadmap you need. It offers a detailed set of controls and a certification process that helps healthcare organizations show they’re on the right track with HIPAA compliance. Plus, HITRUST isn’t just about HIPAA. It covers security, privacy, and risk management and aligns with over 40 other frameworks. It’s like getting an...
LEARNING FROM THE CHANGE HEALTHCARE RANSOMWARE ATTACK
Written By Premal Parikh

One of the most significant cybersecurity attacks ever was that of Change Healthcare in February 2024. It impacted healthcare services across America. According to the company, the ransomware incident cost the company over $800 million in the first quarter of 2024, with the full-year impact estimated to be somewhere between $1.3 and $1.6 billion! Change Healthcare is part of UnitedHealth Group, one of the largest healthcare services companies in the world. This not only demonstrates that nobody is immune to cybersecurity attacks but also highlights the fact that the time to resolve was considered unacceptable.

Public information shows that the attack originated via a remote access tool that wasn’t enabled with multi-factor authentication (MFA). There clearly is more to this that we might never be told, for example:
- Why was this tool not enabled with MFA? Is this an oversight or something they knew about?
- It seemed like the attackers must have gotten to the core systems. What internal network segmentation was in place and why didn’t it work?
- When did Change Healthcare know that a breach was occurring, and what steps were taken?
- Why did it take so long to recover service?

These are some learnings that companies should apply in their businesses, if they haven’t already:

1. Cover the basics
The basics were missing at Change Healthcare. MFA should be enabled on all external-facing systems (if not all). This includes encrypting the data as well. That way, even if the data is exfiltrated, the bad actors can’t leverage it.

2. Compliance is needed but that’s not enough
Companies may have all compliance certifications in place; these often test a firm's process maturity, but they never test a firm's real-time posture. This doesn’t mean compliance certifications/audits like HITRUST, SOC 2, and ISO aren’t important. However, these certifications only represent a snapshot of a firm's maturity and processes at a specific point in time. In the case of HITRUST, less than 1% of all certified firms have reported a breach, which is very good considering they are mostly health services-related firms that are the most attacked. But you can still be in the 1%.

3. External surface area management
All mid-to-large firms should be aware of all their external-facing assets and have real-time information about them. Running a scan once a month (or less) isn’t useful. Attackers are constantly scanning organizations for new services, applications, or ports that may have come online and aren’t secure. Companies need to be doing the same. There are several ways to do this, whether it’s for a service or a product.

4. Segmentation of network
Assume you will be breached. Design and test your network to make sure there is strong segmentation of networks. This ensures that if one section of the network is compromised, the ransomware remains contained and is unable to spread to other sections. Clearly, in the case of Change Healthcare, that didn’t happen. It is unclear if that was due to a bad network design or other vulnerabilities that were leveraged.

5. Continuous red team testing
A ‘one and done’ per year just doesn’t work. One must continuously test their framework like a hacker and conduct regular red team exercises against the key services where an ethical hacker might try to get to the flag. Leverage red team exercises to improve internal security and alerting.

6. Incident response company and training
Do you know who your incident response company is? Know your incident response company and make sure there is a contract in place that would cause them to act in the organization's best interests in a timely manner. This is provided they don’t want to...
What is the Cost of HITRUST Certification?
Small and medium-sized organizations often ask about the cost of HITRUST Certification. Patient data security is critical, so we always recommend considering HITRUST as a long-term goal to foster compliance and cost-effectiveness. HITRUST certification goes beyond being a mere checkbox on a compliance list. It is pivotal in maintaining a robust security posture and fostering stakeholder trust. Recent data reveals that 79% of healthcare organizations have experienced data breaches. This emphasizes the critical need to safeguard sensitive healthcare data, a goal achievable by pursuing HITRUST CSF certification.

What is HITRUST CSF Certification?
HITRUST was established in 2007 to address security and privacy concerns related to sensitive information, including medical records. HITRUST created the Common Security Framework (CSF), which can be used by any organization that creates, accesses, stores, or exchanges sensitive data. It is a cybersecurity risk management framework that helps healthcare organizations assess the effectiveness of their data security. Achieving HITRUST certification requires the implementation of the necessary controls in the designated environment. Voluntary yet pivotal, HITRUST aids businesses in aligning with mandatory regulations and standards such as HIPAA, PCI DSS, and ISO 27001, making it a proactive framework for organizations navigating the complex terrain of data security.

Types of HITRUST Assessments
- HITRUST e1: 1-Year Validated Assessment
- HITRUST i1: 1-Year Validated Assessment
- HITRUST r2: 2-Year Validated Assessment (Risk-Based)

Who Conducts HITRUST Certification?
The HITRUST assessment is conducted by an independent third party, specifically a HITRUST-certified assessor. Accorian is an authorized HITRUST CSF assessor. These assessors are authorized to aid in remediation efforts, perform assessments, and/or provide certification services. This applies to all industries handling Protected Health Information (PHI) and/or Personally Identifiable Information (PII).

How Can HITRUST Assist My Business?
Table Stakes: Companies must adhere to strong information security practices to become healthcare industry leaders. Among the various security credentials, HITRUST certification stands out as the preferred choice sought by clients who are looking for suitable vendors. Achieving HITRUST certification increases the opportunities for organizations to expand their TAM (Total Addressable Market) and enhances their revenue potential.
Recognized as the Gold Standard: According to research conducted by HITRUST, organizations that pursue HITRUST CSF certification witness remarkable improvements in their information security posture, with an impressive 97% of organizations successfully achieving and sustaining a robust security posture.
Reduces the Risk of Cyber Attacks and Protects Data: HITRUST CSF Certification contributes to the robust security of health data, intellectual property, and other proprietary information, bolstering data security and mitigating data breaches.
Shorter Future Audits: HITRUST's robustness and comprehensive approach make achieving secondary security standards easier through established policies and controls.

What is the Cost of HITRUST Certification?
The HITRUST certification cost is contingent upon various factors:
- Your organization's risk profile
- The assessment's scope
- The assessment type
- Size of the organization
- Security maturity
- Compliance level
The HITRUST CSF Assessor evaluates these elements. Additionally, HITRUST costs are associated with purchasing the validated HITRUST report and undergoing the assessment process.

What is Included in the Cost of HITRUST?
Acquiring HITRUST certification includes certain direct and indirect costs.
Direct costs include:
- Granting access to the MyCSF corporate portal
- Identifying gaps in the existing security measures through a gap analysis
- Conducting a readiness assessment to evaluate preparedness
- Performing a Validated Assessment as part of the certification process
- Offering guidance and advice throughout the entire certification process
Indirect costs include:
- Managing and overseeing the certification process
- Recording and regularly updating security data
- Setting up the initial configuration of systems and processes
- Developing corrective action plans and executing remediation efforts
- Assisting in identifying and submitting the required documentation
- Accessing other services offered by the HITRUST Authorized External Assessor

How Long Does it Take to Get HITRUST Certified?
Accorian’s Proven Approach 1....
Accorian Team Members Appointed to HITRUST Authorized External Assessor Council
We are thrilled to announce that Sean Dowling, Stephanie Madhok, and Andrea Britt are selected members of the HITRUST Authorized External Assessor Council, representing the highest number of individuals from any company on the council. The council fosters partnerships between HITRUST and leading Assessors who will contribute their extensive knowledge and experience to:
- Share insights and challenges related to HITRUST services
- Provide valuable input on the HITRUST CSF Assurance Program, ensuring its continued integrity, effectiveness, and efficiency
- Advocate for the industry's highest standards in information security and privacy
Congratulations to the HITRUST team on this remarkable achievement.
Article: https://hitrustalliance.net/councils-working-groups/
We are proud of our client, Novus Health Systems, for achieving HITRUST r2 certification. Congratulations.
“In today’s ever-changing threat landscape, HITRUST is continually innovating to find new and creative approaches to address challenges,” said Jeremy Huval, Chief Innovation Officer, HITRUST. This achievement places Novus in an elite group of organizations worldwide that have earned this certification.
KPI Ninja Earns HITRUST r2 Certification for Information Security
Congratulations to our client KPI Ninja by Health Catalyst on their HITRUST certification! The certification ensures KPI Ninja meets the key compliance requirements included across a wide range of industry standards and frameworks, and federal and state regulations.
“Congratulations Inovaare Corporation on their HITRUST certification! Glad we could play a part in it.”
Inovaare Corporation, a compliance and operations management software provider leading digital transformation within the healthcare industry, today announced its platform, data center, and offices earned Certified status for information security by HITRUST. HITRUST CSF® Certification validates that Inovaare is committed to meeting key regulations and protecting sensitive information.
“Congratulations to our client FastTrack for getting HITRUST certified.”
A total team effort involving our assessor team, along with the FastTrack team. FastTrack today announced that it has attained HITRUST’s prestigious CSF® Certification for key implemented systems and infrastructure that support its suite of Life & Disability Transformation Solutions, exceeding strict regulatory and industry-defined requirements for comprehensive security and risk management compliance.