Tuesday Morning Grind, Ep 11 HITRUST: Everything You Need to Get Certified

Podcast Summary

Many organizations in the healthcare sector are being asked to obtain a HITRUST certification. HITRUST is known to be thorough, burdensome, and expensive, but it is table stakes for doing business in the healthcare industry. So how do you get certified without over-burdening the business?

In this webcast we will cover the HITRUST certification process and provide the details you need to take the next step to achieve certification.

HITRUST: Everything You Need to Get Certified

What is HITRUST?

  • HITRUST CSF Certification is one of the fastest growing and most widely requested ways of providing information assurance over a company’s in-scope systems to prospects, clients, partners, and other stakeholders in the healthcare industry.
    • While HITRUST is industry agnostic, large healthcare systems and health insurance providers are primarily driving the market and requesting certification.
  • HITRUST certifies organizations against its proprietary CSF (Common Security Framework). The CSF borrows heavily from ISO 27001 and NIST SP 800-53.
    • HITRUST takes a risk-based, tailored approach by requiring every organization to complete a custom scoping exercise. Depending on the answers (organization size, data volumes, regulatory factors, system characteristics), scoping can produce anywhere between roughly 200 and 1,000 requirement statements that must be met.
    • HITRUST does a fantastic job of mapping its CSF framework to multiple other authoritative frameworks.
    • It is important to have someone on the internal side with HITRUST expertise (i.e., someone other than your external assessor, who must remain independent). Getting that guidance early, before scoping is locked in, can save your organization significant time and money.

The Upsides of HITRUST

  • HITRUST is great for sales enablement as certification takes considerable investment and the number of service providers achieving certification is much lower in comparison to SOC 2 or ISO 27001.
    • Sometimes HITRUST certification ends up being the one differentiator that allows one vendor to win over another when competing for business with large healthcare systems.
  • The HITRUST CSF is fairly comprehensive. Teams that base their program on ISO 27001 will not see much deviation from the international standard for security program management.
  • HITRUST lets you implement an information security program that is certified by a third party. This is helpful in demonstrating HIPAA compliance, especially in light of the HIPAA Safe Harbor Bill, which requires HHS to consider whether a covered entity or business associate had recognized security practices in place for the prior 12 months when determining penalties and audit outcomes.

The Challenges of HITRUST

  • HITRUST is a three-way relationship between the organization being certified, the assessor firm, and HITRUST itself (which performs quality assurance and issues the certification). The organization rarely communicates with HITRUST directly; everything goes through the assessor, which creates a communication gap between the organization and HITRUST.
    • This makes selecting a competent HITRUST assessor critical. Assessor firms that do not have positive standing with HITRUST receive closer scrutiny during HITRUST’s quality-assurance review, which may trickle down to a more stringent assessment for the organization.
  • The HITRUST certification, assessment, and scoring process is proprietary and relies on individuals who have completed HITRUST’s training. This makes it much more difficult for organizations to start their programs without considerable financial investment up front.
  • HITRUST requires organizations to purchase a subscription to its proprietary MyCSF tool in order to complete the assessment.
  • While the HITRUST CSF does a good job of consolidating and mapping controls to a variety of other authoritative frameworks, migrating and tracking your program against it outside of HITRUST’s proprietary tool is cumbersome.
    • As of this writing, teams wishing to use other GRC platforms would have to export their HITRUST scope from the MyCSF tool to a spreadsheet and then manually import it into the other platform. Transferring data back into MyCSF is even more cumbersome.

Further Reading on HITRUST