HITRUST
Protection of patient and other sensitive healthcare information is a top priority for all healthcare organizations, which entails compliance with a growing range of regulations. Staying on top of all the relevant standards can be daunting for stakeholders across a broad array of healthcare service organizations, associates, and vendors.
HITRUST recently released the e1 and i1 assessments, which are intended to improve mitigation against evolving cyber threats and to provide a faster path to higher levels of assurance.
The Health Information Trust Alliance (HITRUST) strives to address such problems by:
- Offering an integrated security strategy
- Introducing a mechanism for a third-party assessor to certify compliance with HIPAA security criteria
HITRUST provides a comprehensive, risk-based certifiable framework that helps healthcare service providers of all types, sizes, and complexity integrate compliance with a wide range of regulations, standards, and best practices.
Why Choose Accorian?
- We specialize in aiding organizations of various sizes in the healthcare industry
- We are a full-service cybersecurity and compliance service provider
- We have years of experience providing security compliance, information security implementation, and testing services.
- As an authorized HITRUST CSF Assessor, our qualified security professionals can get you started by scoping your assessment correctly and facilitating the process to reduce the cost, time, and resources required.
HITRUST’s CSF
HITRUST developed and maintains the Common Security Framework (CSF), which provides a mechanism for standardizing Health Insurance Portability and Accountability Act (HIPAA) compliance and coordinating it with other national and international data security standards as well as numerous state laws.
The HITRUST CSF certification allows healthcare organizations to perform a single assessment, by integrating more than 20 distinct standards and processes, to certify compliance with multiple initiatives, including a HIPAA compliance audit.
How Important Is HITRUST?
HITRUST adoption is driven and governed by the healthcare sector itself rather than by law, whereas HIPAA is federal law that establishes specific consequences for data security violations.
The industry, including hospitals and payers that require certification from their vendors, has adopted HITRUST swiftly, and certification is increasingly an expectation for service providers and vendors.
It’s not always necessary to get HITRUST certification when implementing new technology, but it provides opportunities to streamline security and compliance as part of the implementation process.
When And Why Should You Adopt HITRUST?
You can benefit from HITRUST in a multitude of ways.
Types of HITRUST Assessments
It may be a daunting task to choose the correct HITRUST assessment when you want to analyze and express assurances about the security of protected health information (PHI).
Consider these assessments as preparation for an audit by the Office for Civil Rights (OCR), the agency within the Department of Health and Human Services that enforces the HIPAA Privacy and Security Rules and assesses the related penalties.
HITRUST offers healthcare organizations several assessment types. Each serves a distinct goal and employs a different methodology. Let's take a closer look at each one to see which is right for your organization.
1. HITRUST e1 Assessment
The e1 assessment provides "good hygiene" assurance over 44 control requirements for organizations with low inherent information security risk. It is ideal for small organizations or start-ups with limited resources that want to differentiate themselves in the marketplace. It is a faster option for establishing a benchmark security posture and identifying coverage gaps.
2. HITRUST Implemented, 1-Year (i1) Validated Assessment
This one-year certification is for healthcare organizations and business partners that need moderate assurance. It focuses on a list of controls that HITRUST selects and updates every year, and those controls are tested for how well they are implemented. Our assessors review the assessment, confirm that it is accurate, and submit it to HITRUST for quality assurance review and certification.
3. HITRUST Risk-Based, 2-Year (r2) Validated Assessment
The r2 assessment evaluates each in-scope control requirement against five maturity levels: Policy, Procedure, Implemented, Measured, and Managed. HITRUST certification is earned through a validated assessment that achieves a satisfactory score.
It is suggested that new clients do a self-assessment first to get a sense of where they are standing in terms of their score. Our assessors take the time to help clients understand all parts of the assessment and give helpful suggestions for improving scores in areas where they are low.
4. HITRUST Interim Assessment
HITRUST requires that every two-year (r2) validated assessment be followed by an interim assessment at the one-year point after certification. The interim assessment checks that the controls continue to operate and reviews progress on any Corrective Action Plans (CAPs) created during the initial validation.
5. Bridge Assessment
What happens when an organization that is already HITRUST CSF certified cannot finish its next HITRUST CSF Validated Assessment before its current certificate expires? In that case, the Bridge Assessment fills the gap.
A Bridge Assessment is similar to an Interim Assessment in that it covers only a limited number of controls, and it gives the organization a temporary certificate that is valid for 90 days. This lets the organization continue doing business with relying parties that require HITRUST certification while it completes the next Validated Assessment.
Comparing HITRUST Assessments
Who Should Get an e1 Certification?
The e1 certification can be used for reliable, efficient cybersecurity reviews of:
- New business units
- Recently deployed technology platforms
- Prospective or newly onboarded third-party business partners such as vendors
- Existing, lower-risk vendors (e.g., those who handle little to no PII)
- Scope, systems, or vendors with minimal inherent risk that are nonetheless part of a system with greater aggregate risk
- An organization’s practices in support of M&A transactions (buy side or sell side)
- Near-term review and baseline scoring of a newly acquired organization’s initial cybersecurity maturity
- Justification for more favorable cyber insurance premiums
Accorian’s HITRUST Services
Our team of experts has extensive experience helping clients comply with healthcare security standards and information security requirements. Our HITRUST assessors' recommendations are transparent and actionable.
We know the complexity of day-to-day IT and security operations, so we’ll never deliver a standard auditor guide or playbook response. We make sure you fully understand and can execute recommendations, personalized for you. From HIPAA to HITRUST and any needs in between, we can support your organization.
- Gap Assessment
- Facilitated Self-Assessment
- Validation/Certification
- Interim Assessment
- Bridge Assessment
- Continuous Monitoring of Framework Compliance
- Third-Party Risk Management Program
- Healthcare Risk Analysis & Advisory
Resources
Article
What is HITRUST AI Risk Assessment: POV of Accorian’s VP of HITRUST
Written By: Sean Dowling || Have you ever considered what happens if your AI system makes an error or gets compromised? Especially if it's AI in healthcare? That's a scary thought. That's where the HITRUST AI RM Assessment comes in. It helps businesses identify and mitigate these risks early on, ensuring that AI solutions are both effective and secure.

Let's face it: AI is no longer just a buzzword. It's becoming an integral part of many businesses, helping to streamline operations, improve decision-making, and enhance customer experiences. But with all these advancements come new risks, such as how we handle sensitive data, ensure AI systems are secure, and maintain ethical practices.

Why Am I So Stoked

Personally, this is something I'm deeply passionate about. Having been a part of the HITRUST Assessor Council along with my colleague, Stephanie Madhok, we had the privilege of directly contributing to the development of this groundbreaking AI RM Assessment. This isn't just another framework or checklist; it's a practical tool designed to help businesses of all sizes manage AI risk effectively, and it's the first of its kind. That's why we're excited to share how the new HITRUST AI Risk Management (AI RM) Assessment can help you take control of AI governance and security within your organization.

When it comes to Artificial Intelligence (AI) in healthcare, the opportunities are endless, but so are the risks. As companies explore the power of AI to transform their operations, they need to be sure that they're doing so safely and responsibly.

Case Study – An Interesting Story

We're working with a healthcare company that is integrating AI to streamline their patient care processes. They are excited about the benefits, but also nervous about the security risks, particularly around patient data. With the HITRUST AI RM Assessment, we are now helping them build a comprehensive AI governance framework.

Not only does this protect their data, but it also gives them the confidence to move forward with their AI initiatives. They will soon start reaping the rewards of AI innovation without losing sleep over security concerns. This is exactly what we do: assess risk, implement governance structures, and validate controls so you can focus on what matters: growing your business.

Simplifying AI Governance in Healthcare

AI governance might sound complicated, but it doesn't have to be. The HITRUST AI RM Assessment covers 51 key control requirements, mapped to global standards such as NIST and ISO/IEC. These controls help businesses create a strong governance model, ensuring AI is used responsibly and securely.

At Accorian, we know this process inside and out. We take the time to understand your unique needs and tailor our approach accordingly. Think of us as your AI risk management partner: we simplify the technical stuff, so you don't have to.

Have you ever tried piecing together risk management requirements from multiple sources? It's a headache. That's why the HITRUST framework is so valuable. It brings everything together in one place, making it easier to manage AI risk, no matter how complex your environment may be.

Building Trust Through AI Compliance

Trust is key. Whether it's your customers, business partners, or even regulators, everyone needs to know that your AI solutions are secure. Achieving compliance through the HITRUST AI RM Assessment not only protects your business but also builds that much-needed trust.

One of the best parts about the HITRUST AI RM Assessment is that it's designed to be flexible. Whether you want to use it as a self-assessment or bring in an External Assessor like Accorian to validate your results, the framework supports both approaches. For us at Accorian, this is where our expertise shines. We help businesses benchmark their AI risk management efforts and…
Article
The Role of HITRUST CSF in Achieving Cyber Resilience
Today, healthcare organizations depend heavily on connected systems to deliver essential services. That technological progress also brings serious threats, especially in the cyber domain. Imagine a cyberattack that compromises patient data through malware: hospital operations could be severely disrupted, not by a medical emergency but by a security breach.

This article references HITRUST's "TRUST REPORT: Navigating the Landscape of Trust in Information Assurance", which discusses how the HITRUST framework allows organizations to strengthen their protection against security threats. HITRUST recognizes the necessity of being prepared in today's digital landscape.

How Does HITRUST CSF Strengthen Cyber Resilience?

Cyber resilience is an organization's ability to maintain operations and minimize disruption even while under cyber-attack. The HITRUST framework is a pivotal tool that helps organizations achieve and demonstrate this resilience by providing a structured approach to planning and maintaining security for operational continuity. By adopting the HITRUST framework, organizations can more effectively detect, protect against, respond to, and recover from cyber incidents. Achieving HITRUST certification signifies that an organization has met rigorous cybersecurity standards and can sustain operations despite cyber threats; it is a clear indicator of a higher level of cyber resilience.

Types of HITRUST Certifications

HITRUST offers three main certifications:
- HITRUST e1 (Essentials): A certification for small to medium-sized organizations that provides a foundational level of cybersecurity and data protection aligned with core standards and regulations. It covers core security practices and controls and is valid for one year.
- HITRUST i1 (Implemented): This certification evaluates and verifies the implementation of comprehensive cybersecurity practices and controls aligned with recognized standards and regulations. It is suited to smaller organizations or those early in their cybersecurity journey and is valid for one year.
- HITRUST r2 (Risk-based): A comprehensive, risk-based certification for organizations of any size that require higher assurance and compliance with multiple regulatory frameworks. It is valid for two years, with an interim assessment at the one-year point.

These certifications cater to different levels of cybersecurity maturity and assurance needs.

HITRUST Certification and Continuity

Once earned, a HITRUST certification is valid for a period that depends on the certification type and on continued adherence to certain conditions. The r2 certification remains valid for two years, while the i1 and e1 certifications are valid for one year. To maintain the certification, organizations must meet the following criteria:
- No data security breaches: There must be no data security breaches reported to federal or state agencies within, or impacting, the assessed environment.
- Annual progress on CAPs: Organizations must demonstrate annual progress on the areas identified in their Corrective Action Plan(s) (CAPs).
- Consistency in policies and practices: There must be no significant changes in business or security policies, practices, controls, and processes that could compromise the organization's ability to meet the certification criteria.

Meeting these conditions keeps the HITRUST certification valid and demonstrates the organization's continued commitment to cyber resilience.

HITRUST CSF Responding to Security Breaches

While no organization is entirely immune to cyber threats, HITRUST-certified entities are better prepared to manage incidents. According to the TRUST Report (2024), only 0.64% of organizations holding HITRUST certificates reported a security breach within their certified environment between 2022 and 2023. HITRUST presents this figure as evidence that the framework sustains and continually improves cyber resilience, in part because certified organizations are required to make annual progress on their CAPs.

When a security breach occurs, HITRUST works closely with the impacted organization to evaluate the consequences and, where warranted, improves the HITRUST framework based on insights from the event. This continuous process of development strengthens overall defenses against new cyber threats.

Annual Progress on Corrective...
Article
Leveraging HITRUST MyCSF Portal
In today's dynamic cyber landscape, the HITRUST MyCSF portal helps organizations navigate complex information security requirements and maintain robust protection against threats. It is not just a tool but a resource for risk management, streamlining the HITRUST assessment, and maintaining HITRUST certification compliance, and it can also improve an organization's security posture. The portal is designed to bring all stakeholders into one cohesive system: it lets organizations manage their HITRUST assessments and certifications by coordinating the work of assessors, service providers, relying parties, and HITRUST. This centralized approach allows for better documentation, communication, and performance improvement in information security.

About HITRUST MyCSF Portal

The portal features internal reporting capabilities that provide substantial benefits but are often underutilized. Organizations can use MyCSF to produce executive-level reports that build confidence, support data-driven decision-making, prioritize resources, and drive strategic outcomes. MyCSF offers on-demand internal reporting options that let organizations gather, analyze, and configure cybersecurity data from their repository. With filtering and navigation, teams can generate heat maps, dashboards, and visual reports that communicate cybersecurity status, highlight improvement opportunities, set performance benchmarks, demonstrate compliance levels, and meet GRC (Governance, Risk, and Compliance) needs.

Features of HITRUST MyCSF Portal

The portal helps organizations evaluate, manage, and report information risk and compliance through the following features:
- Support for HITRUST certification phases: Reuse data from previous results across distinct assessments to meet changing business needs.
- Customize and configure: Optimize the evaluation process by selecting the most appropriate control requirement statements for flexibility during r2 assessments; create and save bespoke control libraries for targeted assessments.
- Centralize Corrective Action Plans (CAPs): Manage all CAPs in one place, including those from non-HITRUST evaluations.
- Assessment tracking for CSF reports: Simplify monitoring of HITRUST-reviewed requirement statements and respond to HITRUST assurance comments.
- Integrate and exchange data via API: Streamline data sharing with other systems, including GRC tools.
- Centralize assessments: Maintain a library of past and current assessment results with supporting documentation, including links to control requirements and maturity domains, and locate and view uploaded evidence with an in-browser document reader.
- Model HITRUST assessment results: Preview the impact of changes in scope, authoritative sources, or framework version on an assessment before applying them.
- Create advanced analyses and dashboards: Generate customized reporting, charts, and dashboards based on HITRUST assessment scoring.
- Inherit controls: Inherit results and scores from existing assessments and from other HITRUST-certified service providers, including major cloud service providers. This reduces redundancy and ensures all relevant controls are addressed without duplicating effort.
- Insight reporting: Report insights that explain HITRUST assessment scoring.
- Results Distribution System (RDS): Store and distribute assessment results to stakeholders, so organizations can share their security posture with customers, partners, and regulators.

Benefits of MyCSF Portal

Some benefits of using the MyCSF portal for assessments and risk management:
- Automates the assessment workflow and submission process, distributing phases between HITRUST, the assessed organization, and external HITRUST assessors.
- Improves the reliability and accuracy of HITRUST assessment reports with built-in analytics.
- Delivers insight into an organization's security maturity, supporting precise reporting and informed decision-making.
- Facilitates the inheritance of controls from external entities, streamlining the assessment process for organizations that utilize...
Article
What is HITRUST CSF in Healthcare?
With the advent of digitalization and AI, technology is becoming integral to how we handle sensitive patient data. With this advancement comes a critical need for strong cybersecurity and compliance with regulations such as HIPAA. So why HITRUST? It is a leading framework designed specifically to help healthcare organizations meet exactly those goals.

Consider this: every day, your healthcare organization processes vast amounts of sensitive patient data. This data is invaluable, not just to you but to cybercriminals as well. Now consider the potential consequences of a data breach: financial loss, legal repercussions, and, most importantly, the loss of your patients' trust. The stakes are high, and this is where HITRUST comes into play. Developed in response to HIPAA, HITRUST provides a structured and reliable way to protect patient data, addressing both security and compliance.

Now, let's dissect it further, starting from the ABCs.

HITRUST stands for Health Information Trust Alliance. It is a comprehensive toolkit tailored to the unique security challenges of the healthcare industry, created in response to HIPAA and developed by a coalition of healthcare and information security experts. A strength of HITRUST is its flexibility: organizations of all sizes can customize and implement controls that fit their specific needs.

HITRUST allows organizations to tailor their security controls to preserve system integrity and ensure consistency across applications. Designed to accommodate organizations of all sizes and regulatory requirements, the HITRUST framework offers a high level of assurance when assessing compliance status. It also equips assessors with the tools and resources needed to evaluate how effectively an organization manages its risk mitigation efforts.

HITRUST came into existence in 2007, when data breaches in healthcare were becoming alarmingly frequent and costly. Its main aim was to provide a standardized way to manage information security risks and protect sensitive health data. Over the years it has become a trusted compliance standard that many healthcare organizations rely on.

The Health Information Trust Alliance was founded by a collective of healthcare organizations, including service providers, insurers, technology suppliers, and security specialists. Recognizing the need for a cohesive strategy for healthcare data security, these stakeholders collaborated to create a framework tailored to the specific challenges faced by the industry.

Why HITRUST? Here are some key reasons. HIPAA is a federal law that lays down the rules for protecting health information, but HIPAA does not prescribe how you prove you are following those rules. That is where HITRUST comes in. Think of HITRUST as the roadmap: it offers a detailed set of controls and a certification process that helps healthcare organizations demonstrate they are on the right track with HIPAA compliance. HITRUST is not just about HIPAA, either. It covers security, privacy, and risk management and aligns with over 40 other frameworks, which makes it an all-in-one compliance toolkit.

If your organization handles protected health information (PHI), whether you are a hospital, clinic, health plan, pharmacy, or a third-party service provider, you should consider HITRUST certification. It is often required contractually within the healthcare and insurance sectors.

Getting HITRUST certified may seem like quite a journey, so let's break it down into actionable steps:

A. r2 Assessment: The most rigorous option, involving extensive control requirements and a two-year certification with an interim assessment. For this, you must have policies and procedures that address all 19 control domains, which include:
1. Information Protection Program: Establishing processes to ensure the integrity, confidentiality, and privacy of sensitive data.
2. Endpoint Protection: The first line of defense against viruses and malware, including intrusion detection systems, patching, firewalls, and software updates.
3. Portable Media Security:...
Article
LEARNING FROM THE CHANGE HEALTHCARE RANSOMWARE ATTACK
Written By Premal Parikh || One of the most significant cybersecurity attacks ever was the ransomware attack on Change Healthcare in February 2024. It impacted healthcare services across America. According to the company, the incident cost over $800 million in the first quarter of 2024, with the full-year impact estimated at between $1.3 and $1.6 billion.

Change Healthcare is part of UnitedHealth Group, one of the largest healthcare services companies in the world. This demonstrates that nobody is immune to cybersecurity attacks, and it also highlights that the time to restore service was considered unacceptable. Public information shows that the attack originated via a remote access tool that was not protected with multi-factor authentication (MFA). There is clearly more to this that we may never be told, for example: Why was this tool not enabled with MFA? Was this an oversight or something they knew about? The attackers appear to have reached core systems, so what internal network segmentation was in place and why didn't it work? When did Change Healthcare know that a breach was occurring, and what steps were taken? Why did it take so long to recover service?

These are some lessons that companies should apply in their own businesses, if they have not already:

1. Cover the basics. The basics were missing at Change Healthcare. MFA should be enabled on all external-facing systems (if not all systems). Encrypt sensitive data as well, so that exfiltrated copies are of less use to the attacker; note that encryption at rest only helps when the attacker does not also obtain the keys or access the data through an application that decrypts it transparently.

2. Compliance is needed, but it is not enough. Compliance certifications test a firm's process maturity, but they do not test a firm's real-time posture. This does not mean certifications and audits such as HITRUST, SOC 2, and ISO are unimportant; it means they represent a snapshot of a firm's maturity and processes at a specific point in time. In the case of HITRUST, less than 1% of all certified firms have reported a breach, which is very good considering they are mostly health services firms, among the most attacked. But you can still be in that 1%.

3. External attack surface management. All mid-to-large firms should know all of their external-facing assets and have real-time information about them. Running a scan once a month (or less often) is not useful. Attackers are constantly scanning organizations for new services, applications, or ports that may have come online and are not secured, and companies need to be doing the same. There are several ways to do this, whether as a service or a product.

4. Network segmentation. Assume you will be breached. Design and test your network to ensure strong segmentation, so that if one segment is compromised, ransomware remains contained and cannot spread to other segments. In the case of Change Healthcare, that clearly did not happen. It is unclear whether that was due to poor network design or to other vulnerabilities that were exploited.

5. Continuous red team testing. A "one and done" exercise per year does not work. Test your environment continuously the way an attacker would, and conduct regular red team exercises against key services with defined objectives for the ethical hackers to reach. Use the results to improve internal security and alerting.

6. Incident response retainer and training. Do you know who your incident response company is? Know your incident response provider and make sure a contract is in place that obliges them to act in the organization's best interests in a timely manner. This is provided they don't want to...
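The external-surface point above (know every internet-facing asset and notice new services or ports as they appear) is straightforward to operationalise as a snapshot diff. The following Python is an added example, not Accorian's tooling and not code from the article: it parses two nmap grepable (-oG) snapshots, diffs them, and triages each new exposure, treating a directly exposed RDP/SMB-class service as critical and a remote-access service with no known MFA enforcement as high. The scan text, hosts, addresses, and the MFA register are constructed sample data.

```python
"""Diff two external port-scan snapshots and flag newly exposed services.

Added illustration for the attack-surface point above; this is not
Accorian's tooling and not code from the article. The scan text below is
constructed sample data in nmap's grepable (-oG) format, and the hosts,
addresses and MFA register are hypothetical.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Exposure:
    host: str
    port: int
    service: str


# nmap -oG host line: "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ..."
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")

# Constructed baseline snapshot (last month's scan of hypothetical hosts).
BASELINE_SCAN = """# Nmap grepable output (constructed sample, not a real scan)
Host: 203.0.113.10 (vpn.example.org)\tPorts: 443/open/tcp//https//OpenVPN/
Host: 203.0.113.20 (mail.example.org)\tPorts: 25/open/tcp//smtp//Postfix/, 443/closed/tcp//https///
"""

# Constructed current snapshot: RDP appeared on the VPN host and an unnamed
# host exposing SSH came online since the baseline.
CURRENT_SCAN = """# Nmap grepable output (constructed sample, not a real scan)
Host: 203.0.113.10 (vpn.example.org)\tPorts: 443/open/tcp//https//OpenVPN/, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.20 (mail.example.org)\tPorts: 25/open/tcp//smtp//Postfix/
Host: 203.0.113.30 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/
"""

# Services that should never be reachable directly from the internet.
HIGH_RISK_SERVICES = {"ms-wbt-server", "microsoft-ds", "netbios-ssn", "telnet", "vnc"}
# Remote-access services that are acceptable only behind MFA.
REMOTE_ACCESS_SERVICES = {"ssh", "https", "openvpn", "pptp"}
# Hypothetical register of (host, port) pairs known to enforce MFA.
MFA_ENFORCED = {("vpn.example.org", 443)}


def parse_gnmap(text):
    """Return the set of open TCP exposures found in nmap grepable output."""
    exposures = set()
    for line in text.splitlines():
        match = _HOST_RE.match(line.strip())
        if not match:
            continue
        ip, name, ports = match.groups()
        host = name or ip  # fall back to the address when nmap has no name
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open" and proto == "tcp":
                exposures.add(Exposure(host, int(port), service or "unknown"))
    return exposures


def diff_exposures(baseline, current):
    """Split the change between two snapshots into new and removed exposures."""
    return {"new": current - baseline, "removed": baseline - current}


def triage(new_exposures, mfa_enforced):
    """Assign a severity to each new exposure; returns (severity, exposure) pairs."""
    findings = []
    for exposure in sorted(new_exposures):
        if exposure.service in HIGH_RISK_SERVICES:
            severity = "critical"
        elif (exposure.service in REMOTE_ACCESS_SERVICES
              and (exposure.host, exposure.port) not in mfa_enforced):
            severity = "high"
        else:
            severity = "medium"
        findings.append((severity, exposure))
    return findings


def run_check(baseline_text, current_text, mfa_enforced):
    """End-to-end check: parse both snapshots, diff them, triage the new ones."""
    delta = diff_exposures(parse_gnmap(baseline_text), parse_gnmap(current_text))
    return triage(delta["new"], mfa_enforced), delta["removed"]


if __name__ == "__main__":
    findings, removed = run_check(BASELINE_SCAN, CURRENT_SCAN, MFA_ENFORCED)
    for severity, e in findings:
        print(f"[{severity}] new exposure {e.host}:{e.port} ({e.service})")
    for e in sorted(removed):
        print(f"[info] no longer exposed {e.host}:{e.port} ({e.service})")
```

In practice the baseline is the previous scheduled run's parsed output and the current snapshot comes from the latest scan; the MFA register is the piece most programs lack, since a scanner can see that a port is open but not whether the service behind it enforces MFA, which is exactly the gap the Change Healthcare remote-access tool fell into.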
Article
Accorian Team Members Appointed to HITRUST Authorized External Assessor Council
We are thrilled to announce that Sean Dowling, Stephanie Madhok, and Andrea Britt have been selected as members of the HITRUST Authorized External Assessor Council, the highest number of individuals from any single company on the council. The council fosters partnerships between HITRUST and leading Assessors, who contribute their knowledge and experience to:
- Share insights and challenges related to HITRUST services
- Provide input on the HITRUST CSF Assurance Program, ensuring its continued integrity, effectiveness, and efficiency
- Advocate for the industry's highest standards in information security and privacy
Congratulations to the HITRUST team on this remarkable achievement. Article: https://hitrustalliance.net/councils-working-groups/
Article
We are proud of our client, Novus Health Systems, for achieving HITRUST r2 certification. Congratulations.
"In today's ever-changing threat landscape, HITRUST is continually innovating to find new and creative approaches to address challenges," said Jeremy Huval, Chief Innovation Officer, HITRUST. This achievement places Novus in an elite group of organizations worldwide that have earned this certification.
Article
KPI Ninja Earns HITRUST r2 Certification for Information Security
Congratulations to our client KPI Ninja by Health Catalyst on their HITRUST certification! The certification confirms that KPI Ninja meets the key compliance requirements included across a wide range of industry standards and frameworks, and federal and state regulations.
Article
“Congratulations Inovaare Corporation on their HITRUST certification! Glad we could play a part in it.”
Inovaare Corporation, a compliance and operations management software provider leading digital transformation within the healthcare industry, today announced that its platform, data center, and offices have earned Certified status for information security by HITRUST. HITRUST CSF® Certification validates that Inovaare is committed to meeting key regulations and protecting sensitive information.
Article
“Congratulations to our client FastTrack for getting HITRUST certified.”
This was a total team effort involving our assessor team and the FastTrack team. FastTrack today announced that it has attained HITRUST's prestigious CSF® Certification for the key implemented systems and infrastructure that support its suite of Life & Disability Transformation Solutions, meeting strict regulatory and industry-defined requirements for comprehensive security and risk management compliance.