HITRUST: Helping High-growth Tech Companies Demonstrate Information Security

HITRUST High Growth Tech Blog

How HITRUST Helps High-Growth Tech Companies Show Their Commitment to Information Security

High-growth tech companies face many challenges getting their products and services to market and reaching their revenue goals. Today, one of the biggest challenges for tech companies is that their potential customers want validation that their organization is committed to information security.

We want to answer the biggest question related to this challenge, “What’s the best way to show your commitment to information security?”

The answer is HITRUST.


Through my years in the healthcare IT industry, I learned that when industry experts talked about confidentiality in information security, they were talking about patient privacy. In the past, healthcare IT security meant “privacy” for the organization and the patient.

More recently, protection of personal information is considered “privacy,” and protection of sensitive corporate information is described as security. Security and privacy in my mind have long been a focus due to higher risk than integrity and availability.

HITRUST is now a cross-industry standard and certification. It was first created to address punitive federal standards. It is now available to any organization that needs to show information security rigor. HITRUST recently changed its structure to become industry-agnostic by making comprehensive privacy and HIPAA compliance optional.

Traditional information security audits rely on a two-party system, involving an assessor and the organization seeking certification. HITRUST adds an additional layer of oversight with its internal QA:

  • An external readiness assessment consultant
  • An external auditor (including independent review for quality assurance)
  • A review by HITRUST staff

The HITRUST Assurance Program produces a detailed description of your risk management process. This demonstrates how you set, document, and execute in-scope information security standards. Different people then review these before certification.

Since HITRUST defines controls to meet stringent information security standards, it is difficult to achieve. However, it’s considered the gold standard certification.

What’s included with the HITRUST certification?

Your HITRUST assessment process is guided by how your organization completes the scoping document. HITRUST Certifications can now include:

  • HITRUST CSF Security Report
  • Privacy Controls Assessment can now be added
  • NIST CSF Report
  • HIPAA compliance and reporting pack (v9.5 or later)

How can we get started?

There are now three assessment levels, two of which lead to a certification.

  • Basic, Current-state Assessment (bC) – If this is your organization’s first evaluation of your risk management program, you should start with an internal Basic, Current-state Assessment (bC).
  • Implemented, 1-year Assessment (i1) – An organization could use the new Implemented, 1-year Assessment (i1) with fewer controls than the Risk-based, 2-year Assessment (the legacy Validated Assessment) and measuring only implemented controls only. A successful i1 leads to a one-year HITRUST certification.
  • Risk-based, 2-year Assessment (r2) – To reduce risk further and prove greater rigor, the organization could take on a full Risk-based, 2-year Assessment (r2) as the gold standard. A successful r2 leads to a two-year HITRUST certification.


In the unfortunate event of a breach or suspected incident, the detailed description of your risk management process included in the MyCSF report will show that your organization performed due diligence to reduce its severity and impact and often greatly reduce an associated fine or sanction.

A HITRUST Implemented, 1-year Assessment or Risk-based, 2-year Assessment could pave the way to a contract with a firm that requires HITRUST certification, HIPAA compliance, or privacy compliance such as California Consumer Privacy Act (CCPA) or the European Union’s General Data Protection Regulation (GDPR).

Finally, to paraphrase a former President, I would choose to do HITRUST Certification, not because it is easy, but because it is hard. This challenging exercise demonstrates your strong commitment to risk reduction and protection of your client’s systems and sensitive data.

If you would like to learn more about the HITRUST CSF Certification Process, please download our whitepaper on the topic.

Share to


Share to

Like our content? Subscribe and stay informed.