1. What is HITRUST?
HITRUST is a privately held company that, in collaboration with leading healthcare, technology and information security organizations, developed the HITRUST CSF. The HITRUST CSF is a risk-management framework. Through the HITRUST Certification program, HITRUST has evolved into the gold-standard for healthcare information security assurance, giving providers and business associates an efficient and standardized way to demonstrate and communicate the effectiveness of their IT security and privacy programs.
2. What is the difference between HIPAA and HITRUST?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that includes security and privacy regulations for covered entities (care providers) and business associates (service providers) using or disclosing protected health information (PHI).
As mentioned above, HITRUST is a privately held organization that has created a risk management framework (CSF) intended to serve as a gold-standard for reporting the effectiveness of a company’s IT security and privacy programs.
3. Is HITRUST a requirement?
HITRUST is not a regulatory requirement. However, many covered entities and business associates have adopted the CSF framework and/or certification program. Similarly, many of them have also mandated that their business partners become HITRUST certified as a means of managing and standardizing their third-party risk management programs.
4. What is the HITRUST CSF?
The HITRUST CSF is a comprehensive set of IT controls based on ISO/IEC 27001:2005 and 27002:2005 and incorporates or maps to more than 40 other security, privacy, and regulatory frameworks, laws and standards.
5. How do I get HITRUST certified?
The HITRUST CSF Assurance program outlines the three-step process to become HITRUST CSF Certified: 1) Self-Assessment, 2) CSF Validated Assessment, performed by a HITRUST Authorized External Assessor, such as risk3sixty, and 3) HITRUST review, report issuance, and certification.
6. How many control requirements are there in HITRUST?
It depends. HITRUST offers certifications under three tiers of assurance based on the needs and business requirements of the entities seeking certification. The following is a summary of the three HITRUST product offerings:
- r2: the risk-based 2-year assessment is customized for each organization based on the output of a scoping exercise that assigns the number of requirement statements based upon the risk profile of the business. Most organizations can expect to have 300+ requirement statements. This assessment provides ‘higher’ assurance and may be a requirement for certain organizations based on customer demands and how their customers assess their risk profile.
- i1: the implemented 1-year assessment provides a moderate degree of assurance and currently has a standard set of 182 requirement statements (v11) that do not vary from organization to organization. This is often the best option for more mature organizations that are not required to undergo an r2 assessment.
- e1: the essentials 1-year assessment provides an entry-level degree of assurance and currently has 44 requirement statements (v11) that do not vary from organization to organization. This is a great starting place for organizations beginning their HITRUST journey – some may be asked by customers to upgrade to i1 over time; for others, e1 will be sufficient. If you already have a SOC 2, you are likely e1 compliant.
7. Who performs HITRUST assessments?
In order to be HITRUST CSF Certified, an organization must engage with a HITRUST Authorized External Assessor, such as risk3sixty.
8. How long does it take to become HITRUST CSF Certified?
This depends on several factors, such as: which level of assurance an organization is seeking (r2, i1, e1), maturity of the organization, security program readiness, internal resource availability, remediation requirements, and the scope and complexity of the environment. Estimated timelines by level of assurance:
- r2 – On average, accounting for the time it takes to become ready for the HITRUST CSF Validated Assessment, we generally see the process take nine (9) to twelve (12) months. There are some process dependencies which the organization and the Authorized External Assessor cannot influence, such as the (current) minimum of ten (10) weeks it takes for HITRUST to review and process the validated assessment and to issue certification.
- i1 – For all HITRUST assessments, controls must be in place for 90 days before being assessed. Assuming some remediation will be required after an initial HITRUST gap assessment, a safe and realistic estimate is a six (6) to nine (9) month process.
- e1 – Using the same assumptions as above, four (4) to six (6) months is a safe estimate. Should there be no need for gap remediation, and the organization is ready for its certification audit beginning on day 1, three (3) months may be a feasible timeline.
9. How much does it cost?
Depending on the level of assurance desired (r2, i1, e1), the scope and complexity of the environment, and the assistance needed (e.g. self-assessment/remediation), we generally suggest an organization budget between $50,000 and $100,000.
For r2, the organization’s risk profile, which determines the required number of in-scope requirement statements (aka controls), will play a large part in this – obviously a scope of 300 requirement statements vs. 500 requirement statements will result in a very large difference in required effort (both internally and from the external assessor).
Additionally, it is important to note that certain fees must be paid to HITRUST directly (for access to the MyCSF platform and for HITRUST’s review of the validated assessment and the certification process), as opposed to the fees paid to the external assessor. For budgeting purposes, the typical high-growth technology company may estimate fees paid to HITRUST to be in excess of $20,000, while fees paid to the external assessor may be estimated between $30,000 and $80,000 for most assessments, depending on the scope.