HITRUST: Helping High-growth Tech Companies Demonstrate Information Security

How HITRUST Helps High-Growth Tech Companies Show Their Commitment to Information Security

High-growth tech companies face many challenges getting their products and services to market and reaching their revenue goals. Today, one of the biggest challenges for tech companies is that their potential customers want validation that their organization is committed to information security.

We want to answer the biggest question related to this challenge, “What’s the best way to show your commitment to information security?”

The answer is HITRUST.

Why HITRUST?

Through my years in the healthcare IT industry, I learned that when industry experts talked about confidentiality in information security, they were talking about patient privacy. In the past, healthcare IT security meant “privacy” for the organization and the patient.

More recently, protection of personal information is considered “privacy,” and protection of sensitive corporate information is described as security. Security and privacy in my mind have long been a focus due to higher risk than integrity and availability.

HITRUST is now a cross-industry standard and certification. It was first created to address punitive federal standards. It is now available to any organization that needs to show information security rigor. HITRUST recently changed its structure to become industry-agnostic by making comprehensive privacy and HIPAA compliance optional.

Traditional information security audits rely on a two-party system, involving an assessor and the organization seeking certification. HITRUST adds an additional layer of oversight with its internal QA:

An external readiness assessment consultant
An external auditor (including independent review for quality assurance)
A review by HITRUST staff

The HITRUST Assurance Program produces a detailed description of your risk management process. This demonstrates how you set, document, and execute in-scope information security standards. Different people then review these before certification.

Since HITRUST defines controls to meet stringent information security standards, it is difficult to achieve. However, it’s considered the gold standard certification.

What’s included with the HITRUST certification?

Your HITRUST assessment process is guided by how your organization completes the scoping document. HITRUST Certifications can now include:

HITRUST CSF Security Report
Privacy Controls Assessment can now be added
NIST CSF Report
HIPAA compliance and reporting pack (v9.5 or later)

How can we get started?

There are now three assessment levels, two of which lead to a certification.

Basic, Current-state Assessment (bC) – If this is your organization’s first evaluation of your risk management program, you should start with an internal Basic, Current-state Assessment (bC).
Implemented, 1-year Assessment (i1) – An organization could use the new Implemented, 1-year Assessment (i1) with fewer controls than the Risk-based, 2-year Assessment (the legacy Validated Assessment) and measuring only implemented controls only. A successful i1 leads to a one-year HITRUST certification.
Risk-based, 2-year Assessment (r2) – To reduce risk further and prove greater rigor, the organization could take on a full Risk-based, 2-year Assessment (r2) as the gold standard. A successful r2 leads to a two-year HITRUST certification.

Conclusion

In the unfortunate event of a breach or suspected incident, the detailed description of your risk management process included in the MyCSF report will show that your organization performed due diligence to reduce its severity and impact and often greatly reduce an associated fine or sanction.

A HITRUST Implemented, 1-year Assessment or Risk-based, 2-year Assessment could pave the way to a contract with a firm that requires HITRUST certification, HIPAA compliance, or privacy compliance such as California Consumer Privacy Act (CCPA) or the European Union’s General Data Protection Regulation (GDPR).

Finally, to paraphrase a former President, I would choose to do HITRUST Certification, not because it is easy, but because it is hard. This challenging exercise demonstrates your strong commitment to risk reduction and protection of your client’s systems and sensitive data.

If you would like to learn more about the HITRUST CSF Certification Process, please download our whitepaper on the topic.

By Gary Holverson|2023-07-11T01:28:50+00:00January 28th, 2022|HITRUST|0 Comments

About the Author: Gary Holverson

Gary is a Cyber Risk Consultant for risk3sixty, an Atlanta-based Information Risk Management (IRM) firm helping clients implement business-first information security and compliance programs. Gary brings experience in healthcare IT operations and information security frameworks to help organizations build, manage, and assess data security and privacy programs with a risk-based approach. Gary’s primary responsibilities include: -HITRUST Practitioner: Leading HITRUST gap assessments, validated assessments, and program implementations. - Assisting with the creation and maintenance of security and compliance related initiatives such as ISO 27001, HIPAA, HITRUST, and NIST 800-53. - Enabling sound security strategy by delivering expert level guidance on cybersecurity best practices. - Helping companies communicate their security / compliance story to partners, customers, and regulators.

HITRUST: Helping High-growth Tech Companies Demonstrate Information Security

How HITRUST Helps High-Growth Tech Companies Show Their Commitment to Information Security

Why HITRUST?

What’s included with the HITRUST certification?

How can we get started?

Conclusion

Share This Story, Choose Your Platform!

About the Author: Gary Holverson

Related Posts

How to Provide HITRUST Evidence That Leaves No Doubt – Part Two

Collecting HITRUST Evidence: Leave No Room for Doubt Part 1

Is HITRUST i1 the right fit for my organization?

What Evidence Does Your HITRUST Assessor Expect When a Control Does Not Operate

Leave A Comment Cancel reply