HITRUST High Growth Tech Blog

In this case study, we follow the journey of a company seeking a HITRUST i1 certification to close a lucrative healthcare-related client. They faced numerous remediation tasks to satisfy the HITRUST i1 requirements. We assisted them in prioritizing the remediation tasks and suggested that they obtain a HITRUST e1 certification first, which they could do within the period promised to their client. The lead time to complete all the required statements for the HITRUST i1 validated assessment placed the certification at risk within the allotted time.

The company was already PCI-DSS compliant but needed to know what else was necessary for a HITRUST certification. HITRUST concentrates on the protection of one or more systems and measures additional security controls, such as risk analysis, incident response, data backup and recovery, and a more in-depth examination of policies and processes.

The company had implemented many of the required HITRUST i1 controls but needed the policy to enforce the reason or efficacy of the control. In addition, there were no documented processes delineating the responsibilities, frequency, and documentation for managing the controls. Other controls were not implemented and would require assistance from a third party for configuration and operation.

Proposed Solutions:

We conducted a gap analysis in Phalanx, our GRC (governance, risk, and compliance) platform, measuring both the current level of compliance and the amount of work required to close the current gap. This provided the client with a list of items, to begin with first due to the greater effort required for remediation.

Since the requirement statements for the new e1 validated assessment are also included in the i1, we also tracked gaps for it. While some domains began with a lower score in the e1, we observed that fewer requirement statements needed improvement to pass an e1-validated assessment.

The company chose to move forward with the e1 certification that fit their client’s requirements, timeframe, and cost as well as provided the client with their roadmap to obtain HITRUST i1 certification.

Implementation:

We collaborated with the client to implement the proposed solutions, which included prioritizing remediation items, documentation of policies and processes, and support from a third party for control implementation. The e1 certification demonstrated the organization’s dedication to HITRUST and indicated substantial progress toward a validated i1 assessment.

The contract was no longer in jeopardy by focusing on the first and second priority requirement statements for completing an e1 in the time required.