In January of 2023, HITRUST released the following certifications and changes:

  • e1, Essential One-Year Validated Assessment and Certification (cybersecurity essentials).
  • i1, Implemented One-Year Validated Assessment, realigned to be fully included in an r2 assessment.
  • r2, Risk-Based Two-Year Validated Assessment, realigned with updated risks and threats.
  • HITRUST CSF (formerly known as the Common Security Framework) version 11 (April 2023).

This diagram depicts how the e1, i1, and r2 HITRUST Certifications are now nested within one another.  This is new with the HITRUST CSF v11 update.  The intent is to enable organizations to mature their program over time, building upon the work that has been done.

 

 

HITRUST Validated Assessments Comparison for version 11.

e1 – Essentialsi1 – Implementedr2 – Risk-Based
Year 144 Pre-Set Requirement Statements182 Pre-Set Requirement StatementsAverage Assessment ~375 (up to 1,000 +) Requirement Statements based on Organizational Factors
Year 244 Pre-Set Requirement Statements~60 Requirement Statements with Rapid Recertification~40 Requirement Statements based on a sample of 19 plus Corrective Action Plans (CAPs)
Certification PeriodSuccessful Assessment Results in One-Year CertificationSuccessful Assessment Results in One Year Certification (rapid recert available in even years)Successful Assessment Results in Two-Year Certification (interim assessment during even years)
Assessment MeasuresMeasures Implementation of Controls w/ Light Reliance on Policies & ProcessesMeasures Implementation of Controls w/ Light Reliance on Policies & ProcessesMeasures Policies, Processes, & Implementation (Measured and Managed are optional)
Authoritative Sources for Requirement Statements  CISA Cyber Essentials, Health Industry Cybersecurity Practices (HICP) for Small Healthcare Organizations, NIST 171’s Basic Requirements, NIST IR 7621NIST SP 800-171 (Basic and Derived Requirements), HIPAA Security Rule, and HICP for Medium-Sized OrganizationsNIST SP 800-53, ISO 27001, HIPAA, FedRAMP, NIST CSF, PCI DSS, GDPR, and Other Frameworks
Level of Assurance (also the level of effort)Low Assurance Level – Essential Security HygieneModerate Assurance Level – Information Security Leading PracticesHigh Assurance Level – Risk-Based Practices

 

Requirement Statement Distribution Across Domains for the Version 11 Validated Assessments

Requirement Statement Distribution Across Domains for the version 11 Validated Assessments

Certifications Summary:

e1

The e1 is the newest offering from HITRUST, featuring basic standards for handling and safeguarding private and sensitive data.

It has detailed and prescriptive requirements that address numerous laws, frameworks, and norms, including CISA Cyber Essentials, Health Industry Cybersecurity Practices (HICP) for Small Healthcare Organizations, NIST 171’s Basic Requirements, and NIST IR 7621.

  1. The HITRUST e1 certification can both demonstrate the firm’s dedication to compliance and information security and enhance customer and partner trust.
  2. The e1 certification level of HITRUST is intended for smaller institutions or business partners who do not retain or handle electronic protected health information (ePHI) but who still need a certain level of security and compliance. At just 44 requirement statements, the e1 certification is more affordable and attainable for smaller businesses that do not already have a HITRUST certification.
  3. The e1 certification can assist organizations in identifying and minimizing potential risks and weaknesses in their information systems and business procedures. The implementation of the organization’s security controls is evaluated as part of the certification process, which can help to find vulnerabilities to be addressed.

 

Achieving an e1 HITRUST certification can assist organizations in showing their dedication to data security fundamentals and HITRUST compliance, which helps to cultivate trust with clients and business partners.  It is an achievable starting point for any organization navigating their first information assurance engagement and a simple add-on for companies already engaged in information assurance activities, such as SOC 2 and ISO 27001.

i1

There are several reasons why an organization might opt for an i1 HITRUST Certification over an e1:

  1. i1 certification has additional requirement statements and evaluative elements because it is a higher-level certification than e1. Organizations that have direct access to systems or apps that include electronic protected health information (ePHI), or personally identifiable information (PII) and store, process, or transmit such sensitive data should pursue at least an i1 certification. As a moderate assurance certification, the HITRUST i1 certification can demonstrate a greater level of security and compliance posture than the e1.
  2. Obtaining i1 certification may be required of some organizations by their customers or partners. For instance, the HIPAA Security Rule mandates that business partners and covered entities put administrative, physical, and technical protections in place to protect ePHI. i1 certification is one of the HITRUST certifications that provide a thorough framework for demonstrating compliance.
  3. By identifying and addressing potential risks and vulnerabilities, the i1 assessment can help organizations strengthen their information security and compliance posture. An organization’s security controls are evaluated and scored as part of the certification process, which can help identify gaps and weaknesses that need to be remediated.

Obtaining an i1 HITRUST certification can assist organizations in meeting regulatory obligations, demonstrating a better degree of security and compliance, and strengthening their information security and compliance posture.  For an organization with experience in other information security assurance models (e1, SOC 2, PCI-DSS, ISO 27001, etc.), the i1 is a great next step.  It offers moderate assurance over an organization’s information security practices and encourages basic documentation.

r2

An organization would select an r2 HITRUST Certification over an i1 for different reasons:

  1. The r2 certification has more controls and standards than the i1 because it is at the highest HITRUST certification level. The r2 certification is intended for organizations with a higher risk profile due to the type and volume of ePHI or PII they manage the complexity of their information systems, or other elements that raise the probability and impact of security events. A higher level of security and compliance can be demonstrated with the r2 certification.
  2. Some organizations might be required to obtain an r2 certification by clients or partners. For instance, a health insurance provider can demand that all business associates obtain r2 certification to better protect the security and privacy of the ePHI or PII they manage. Organizations can address these needs and show their dedication to information security and compliance with r2 certification.
  3. By identifying and addressing potential risks and vulnerabilities, the r2 certification can assist organizations in strengthening their information security and compliance posture. An organization’s security controls, policies, and practices are evaluated across 19 domains as part of the certification process, which can point out holes and weaknesses that need to be fixed, whereas the e1 and i1 focus on the implementation of the control and only light reference to policies and process documentation.

The r2 HITRUST certification can assist organizations in demonstrating a high degree of security and compliance, fulfilling the needs of customers and partners, and enhancing their information security and compliance posture.

Conclusion

If business drivers are compelling the firm to attain HITRUST, until recently, the only option was the r2 validated assessment.  HITRUST has reduced the barriers to certification, enabling more companies to pursue HITRUST certification based on what makes the most sense for the organization.  Since the e1 and i1 are relatively new, many organizations are not yet aware of these viable and right-sized options for HITRUST Certification.

Bonus:  Did you know?

HITRUST is not just for healthcare anymore.  Since HITRUST CSF version 9.3, organizations outside the healthcare sector could assess and certify without HIPAA requirements.  For the protection of information, including electronic protected health information (ePHI), personally identifiable information (PII), credit card data, proprietary information, and other sensitive information throughout the third-party supply chain, the HITRUST CSF offers a high standard of due care and due diligence.

Need help deciding what the best approach is for your organization’s information security program?  Reach out to our team of experts, and we will be happy to help!