Selecting HITRUST e1 over i1: A Case Study

In this case study, we follow the journey of a company seeking a HITRUST i1 certification to close a lucrative healthcare-related client. They faced numerous remediation tasks to satisfy the HITRUST i1 requirements. We assisted them in prioritizing the remediation tasks. This suggested they obtain a HITRUST e1 certification first, which they could do within the period promised to their client. The lead time to complete all the required statements for the HITRUST i1 validated assessment placed the certification at risk within the allotted time.

The company was already PCI-DSS compliant but needed to know what else was necessary for a HITRUST certification. HITRUST protects one or more systems and measures additional security controls, such as risk analysis, incident response, data backup and recovery, and a more in-depth examination of policies and processes.

The company had implemented many of the required HITRUST i1 controls but needed the policy to enforce the reason or efficacy of the control. In addition, there were no documented processes delineating the responsibilities, frequency, and documentation for managing the controls. Other controls were not implemented and would require assistance from a third party for configuration and operation.

Proposed Solutions:

We conducted a gap analysis in Phalanx, our GRC (governance, risk, and compliance) platform, measuring both the current level of compliance and the amount of work required to close the current gap. This provided the client with a list of items to begin with due to the greater effort required for remediation.

Since the requirement statements for the new e1 validated assessment are also included in the i1, we also tracked gaps for it. While some domains began with a lower score in the e1, we observed that fewer requirement statements needed improvement to pass an e1-validated assessment.

The company chose to move forward with the e1 certification that fit their client’s requirements, timeframe, and cost and provided the client with their roadmap to obtain HITRUST i1 certification.

Implementation:

We collaborated with the client to implement the proposed solutions, which included prioritizing remediation items, documentation of policies and processes, and support from a third party for control implementation. The e1 certification demonstrated the organization’s dedication to HITRUST and indicated substantial progress toward a validated i1 assessment.

The contract was no longer in jeopardy by focusing on the first and second priority requirement statements for completing an e1 in the time required.

By Gary Holverson|2023-07-11T19:17:34+00:00April 28th, 2023|HITRUST|0 Comments

About the Author: Gary Holverson

Gary is a Cyber Risk Consultant for risk3sixty, an Atlanta-based Information Risk Management (IRM) firm helping clients implement business-first information security and compliance programs. Gary brings experience in healthcare IT operations and information security frameworks to help organizations build, manage, and assess data security and privacy programs with a risk-based approach. Gary’s primary responsibilities include: -HITRUST Practitioner: Leading HITRUST gap assessments, validated assessments, and program implementations. - Assisting with the creation and maintenance of security and compliance related initiatives such as ISO 27001, HIPAA, HITRUST, and NIST 800-53. - Enabling sound security strategy by delivering expert level guidance on cybersecurity best practices. - Helping companies communicate their security / compliance story to partners, customers, and regulators.

Selecting HITRUST e1 over i1: A Case Study

Share This Story, Choose Your Platform!

About the Author: Gary Holverson

Related Posts

How to Provide HITRUST Evidence That Leaves No Doubt – Part Two

Collecting HITRUST Evidence: Leave No Room for Doubt Part 1

Is HITRUST i1 the right fit for my organization?

What Evidence Does Your HITRUST Assessor Expect When a Control Does Not Operate

Leave A Comment Cancel reply