A sheet representing the essential requirements for HITRUST CSF certification

The HITRUST Common Security Framework (CSF) is a comprehensive set of requirements that helps your organization implement industry-standard security measures. Primarily used to support the healthcare industry, a HITRUST certification enables organizations to comply with HIPAA and over 50 other standards and regulations. This makes it an ideal solution for organizations in security-conscious industries.

Due to the framework’s extensive coverage and multi-step certification process, it’s best to have a good understanding of the main HITRUST requirements around implementing security controls, evidence collection, and other procedural aspects. This article will provide you with the directional guidance you need by covering the following:

  • A breakdown of HITRUST certification requirements
  • Different scoring requirements for HITRUST assessment levels
  • Actionable tips for meeting HITRUST requirements effortlessly

HITRUST certification: At a glance

HITRUST certification entails adhering to the HITRUST CSF requirements, which demonstrates your organization's security and privacy posture. The certification process involves a comprehensive self-assessment, which is validated by an external assessor and then reviewed by a QA analyst from HITRUST.

Prerequisites for HITRUST certification

Before pursuing your HITRUST certification, you must define your assessment scope, which depends on the certification or assessment level you want. Currently, you can choose one of the following levels:

  1. e1: The base-level assessment covers 44 critical controls that every organization should implement to ensure adequate security and privacy. This certification level is best suited for small organizations with simple IT infrastructures.
  2. i1: A more robust assessment including 180+ controls. The i1 assessment provides greater assurance and is mainly aimed at mid-sized organizations and those that want to use it as an onramp for r2 certification.
  3. r2: A risk-based assessment with custom controls (out of 2,000+ in total). The r2 certificate is best suited for large organizations with complex risk landscapes and IT infrastructures because it provides the highest level of assurance.

For many organizations, choosing a HITRUST tier depends on their security and compliance landscape, as well as their growth goals, such as accessing new markets or building trust with high-value clients. Your chosen tier will determine the breadth of requirements you need to meet.

Another prerequisite is obtaining access to the HITRUST MyCSF portal before you start the self-assessment. It’s a cloud-based platform that enables all procedural elements of the certification process, such as completing risk analysis and submitting assessments.

Here’s an overview of the key procedural aspects of HITRUST certification:

  • Determining the assessment scope
  • Obtaining access to the MyCSF portal
  • Implementing HITRUST controls
  • Performing a gap assessment and scoring your control implementation
  • Validation of controls by a HITRUST assessor


A breakdown of HITRUST certification requirements

We’ll present a general outline of the main HITRUST certification requirements covered across four sections:

  1. What HITRUST control domains should you cover?
  2. What are HITRUST scoring thresholds?
  3. How is HITRUST scoring performed?
  4. How should you report on implemented controls?

1. What HITRUST control domains should you cover?

One of the reasons why HITRUST certification is beneficial is the breadth of control coverage. The framework prescribes controls across 19 security domains, such as:

  • Information Protection Program
  • Access Control
  • Risk Management
  • Transmission Protection
  • Incident Management
  • Business Continuity & Disaster Recovery

While the required controls are already mapped out for e1 and i1, you must work with your security team to scope controls for r2.

2. What are HITRUST scoring thresholds?

To obtain a certificate, each control domain must reach the prescribed score. The threshold depends on the certification level:

  • e1/i1: 83 or higher
  • r2: 62 or higher

Under each control domain, you’ll score specific requirement statements, so domain scores are expressed as the average score of all requirement statements under that domain.

You might encounter different scoring scenarios, explained below:

Scoring scenario | Requirements

Certification with no gaps or corrective action plans (CAPs)
  • All control domains have reached the scoring threshold

Certification with CAPs
  For e1/i1:
  • A requirement statement scores less than “fully compliant”
  • The corresponding control reference scores under 80
  For r2:
  • A requirement statement scores less than 71
  • A requirement statement’s Implemented maturity level scores less than “fully compliant”
  • The corresponding control reference is required for r2 certification
  • The corresponding control reference scores under 71

Certification with gaps
  For e1/i1:
  • A requirement statement scores less than “fully compliant”
  • The corresponding control reference averages 80 or higher
  For r2:
  • A requirement statement scores less than 71
  • One or more CAP criteria aren’t met

No certification
  • A control domain’s total score hasn’t reached the scoring threshold

3. How is HITRUST scoring performed?

HITRUST scoring involves the evaluation and scoring of in-scope requirement statements. Once you’ve scored each requirement statement, you add up the scores and divide them by the number of requirements within a domain to get the average domain score, which needs to meet the thresholds discussed above.

To score each requirement statement, you’ll use HITRUST’s Control Maturity Scoring Rubric. It’s a visual tool in the form of a matrix that scores HITRUST requirements according to the PRISMA model. The rubric has five maturity levels:

  1. Policy
  2. Procedure
  3. Implemented
  4. Measured
  5. Managed

Note: For e1 and i1 assessments, you only need to evaluate the Implemented level.
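As an added worked example (not part of the original article and not HITRUST's or Vanta's tooling), the Python below computes domain averages from scored requirement statements, applies the 83 (e1/i1) and 62 (r2) thresholds, and sorts each statement into the CAP or gap scenario from the table above. The statement and control-reference labels, the boolean "fully compliant" flag for the Implemented level, the assumption that a control reference scores the mean of its statements, and the rule that a CAP outranks a gap in the overall outcome are all assumptions of this example.

```python
from dataclasses import dataclass
from statistics import mean

# Thresholds from the article: every domain must average 83+ for e1/i1 and
# 62+ for r2; the control-reference cut-offs come from the scenario table.
DOMAIN_THRESHOLD = {"e1": 83, "i1": 83, "r2": 62}
CONTROL_REF_CUTOFF = {"e1": 80, "i1": 80, "r2": 71}
R2_STATEMENT_CUTOFF = 71


@dataclass
class Statement:
    ident: str              # constructed label for the requirement statement
    domain: str
    control_ref: str        # constructed control-reference label
    score: float            # 0-100 score from the maturity rubric
    implemented_full: bool  # Implemented level rated "fully compliant"
    required_for_r2: bool = True

def mean_by(statements, key):
    """Average statement score for each group returned by key()."""
    groups = {}
    for s in statements:
        groups.setdefault(key(s), []).append(s.score)
    return {k: mean(v) for k, v in groups.items()}

def domain_scores(statements):
    """Domain score = average of its requirement statements (section 3)."""
    return mean_by(statements, lambda s: s.domain)

def control_ref_scores(statements):
    """Assumption: a control reference scores the mean of its statements."""
    return mean_by(statements, lambda s: s.control_ref)

def classify(s, level, ref_score):
    """Return 'ok', 'cap' or 'gap' for one statement, per the scenario table."""
    if level in ("e1", "i1"):
        if s.implemented_full:          # e1/i1 score only the Implemented level
            return "ok"
        return "cap" if ref_score < CONTROL_REF_CUTOFF[level] else "gap"
    if s.score >= R2_STATEMENT_CUTOFF:  # r2: statements at 71+ raise no finding
        return "ok"
    meets_cap_criteria = (not s.implemented_full and s.required_for_r2
                          and ref_score < CONTROL_REF_CUTOFF["r2"])
    return "cap" if meets_cap_criteria else "gap"

def assess(statements, level):
    """Return (outcome, domain averages, per-statement findings)."""
    domains = domain_scores(statements)
    refs = control_ref_scores(statements)
    findings = {s.ident: classify(s, level, refs[s.control_ref])
                for s in statements}
    if any(v < DOMAIN_THRESHOLD[level] for v in domains.values()):
        outcome = "no certification"
    elif "cap" in findings.values():    # assumption: a CAP outranks a gap
        outcome = "certification with CAPs"
    elif "gap" in findings.values():
        outcome = "certification with gaps"
    else:
        outcome = "certification with no gaps or CAPs"
    return outcome, domains, findings

# Constructed sample of two domains and seven statements (not HITRUST data).
SAMPLE = [
    Statement("AC-1.1", "Access Control", "AC-1", 100, True),
    Statement("AC-1.2", "Access Control", "AC-1", 100, True),
    Statement("AC-2.1", "Access Control", "AC-2", 70, False),
    Statement("AC-3.1", "Access Control", "AC-3", 95, False),
    Statement("AC-3.2", "Access Control", "AC-3", 65, False, required_for_r2=False),
    Statement("IM-1.1", "Incident Management", "IM-1", 80, True),
    Statement("IM-1.2", "Incident Management", "IM-1", 80, False),
]
```

Running `assess(SAMPLE, "e1")` yields no certification because Incident Management averages 80, below 83, while the same data under `assess(SAMPLE, "r2")` clears the 62 threshold and certifies with CAPs.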

4. How should you report on implemented controls?

The framework requires you to report on the controls via MyCSF—HITRUST’s cloud-based SaaS solution to facilitate audits and assessments. The first step is to carry out a self-assessment of your implemented controls and domain scores. Once completed, it’s reviewed by a HITRUST-approved external assessor, who will look for evidence that each requirement statement’s score is valid. Such evidence can be:

  • Verbal
  • Observed
  • Written
  • Digital

If your scores are valid, a HITRUST QA analyst will perform a final review to ensure the overall guidelines were met. Once the process is successful, you’ll obtain a certificate corresponding to your selected assessment level.


3 expert tips for meeting HITRUST certification requirements

A HITRUST assessment can take a considerable amount of time if performed manually or without guidance. Follow these tips to avoid common pitfalls and expedite the process:

  1. Consider scoping the assessment thoroughly
  2. Try to perform a readiness assessment beforehand
  3. Automate the certification process

1. Consider scoping the assessment thoroughly

If you have a maturing security program or are pursuing r2 certification, assessment scoping can be a considerable challenge. You need to outline all the business units, systems, and devices that will be scrutinized under the assessment.

For precise scoping, consider the following factors:

  • Needs of your relying parties
  • Maturity level of your existing security system
  • Expected short-term changes to your IT infrastructure

You can also choose among several scoping approaches, such as:

  • Enterprise-level: All your platforms, networks, and supported infrastructure are considered for the assessment.
  • IT service or platform-focused: A select few networks or components of your infrastructure are scoped. You can take this approach if you’re looking to meet specific regulatory or contractual obligations or want to use the assessment as a building block to facilitate organization-wide HITRUST compliance down the line.
  • Follow-the-data: The assessment will encompass platforms and infrastructure impacted by the flow of specific data you wish to safeguard. This approach can be used if you handle sensitive data that requires a higher level of protection.

2. Try to perform a readiness assessment beforehand

A readiness assessment is used to identify and bridge any gaps in your in-scope controls. Unlike a validated HITRUST assessment that is mandatory for certification purposes, a readiness assessment is optional and used purely for internal reference.

By performing a readiness assessment, you can simulate the validated assessment process to understand all your HITRUST requirements and scoring workflows. This can bring benefits such as:

  • A streamlined and faster certification process
  • Increased confidence among stakeholders
  • Proactive addressing of gaps in security posture and program maturity

A readiness assessment is also an excellent way to save resources on reassessments and last-minute security reviews down the line, which can be costly and prolong the certification process.


3. Automate the certification process

The validation process before certification requires you to present extensive evidence to the external assessor to prove your controls meet HITRUST’s certification requirements. Collecting such evidence can demand considerable time and resources, especially if you have a broad audit scope.

Ideally, you can remove most of the manual work from your security review and evidence collection processes through automation. You can do this in several ways, such as:

  • Assessing your CSP’s controls: HITRUST uses the shared responsibility model, so you can inherit the controls established by your cloud service provider (CSP) and improve efficiency.
  • Centralizing your security and compliance data: Disparate systems and data sources can slow down evidence collection. Use integrations to keep all relevant data in one accessible hub and provide the necessary proof without painstaking busy work.
  • Leveraging an automation solution: Software with the HITRUST framework mapped into it helps you meet all the necessary requirements with minimal work. For instance, Vanta is one compliance automation tool that comes with HITRUST-adjusted automation features.

Get HITRUST-certified faster with Vanta

If you want to obtain a HITRUST certificate quickly and seamlessly, Vanta can be the perfect solution. It’s a trust management platform that automates up to 80% of the HITRUST certification requirements.

Vanta is the first and currently the only automation platform with ready-made e1/i1 and r2 frameworks vetted by HITRUST. With Vanta, you get all the guidance you need to prevent unpleasant surprises during the certification process. You can use the platform to perform a readiness assessment quickly so that all your controls are ready for the validated assessment.

Watch this free webinar to explore Vanta’s HITRUST CSF product and its automation features. Some efficiency-boosting functionalities of the solution include:

  • Automated evidence collection powered by 350+ integrations
  • Centralized tracking of HITRUST requirements
  • Automated gap assessments
  • Cross-mapping controls with other supported frameworks (like HIPAA and SOC 2) to avoid duplicative work
  • Built-in resources like policy templates and tests
  • Integration with HITRUST MyCSF

You can request a demo to get a hands-on overview of these features.

Vanta also offers a vetted service partner network where you can find expert HITRUST assessors to see you through the certification process.


What are the essential requirements of HITRUST certification?
