April 30, 2021

How to Get HITRUST Certified: Keys to Certification Success

Bringing your organization into compliance with the HITRUST™ Common Security Framework™ (CSF) is an excellent way to defend against cyberattacks than can compromise highly sensitive patient data. Certification can also open doors to many opportunities in the healthcare industry.

In this blog post, we’ll provide an overview of HITRUST™ certification as well as the keys to success that Tevora has developed based on our work helping many clients certify for HITRUST™.

HITRUST™ Organization Overview

The HITRUST™ organization provides a framework that safeguards sensitive information and can help manage information risk for organizations across all industries. Its programs have been widely adopted in the healthcare industry, and HITRUST™ currently offers the only recognized healthcare information security certification.

HITRUST develops, maintains, and provides broad access to its common risk and compliance management frameworks as well as related assessment and assurance methodologies. HITRUST™ is governed by a Board of Directors made up of leaders from across the healthcare industry.
A foundational element of all HITRUST™ programs is the HITRUST CSF™, a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management.

Why Seek HITRUST CSF™ Certification?

Organizations often seek HITRUST CSF™ certification because:

  • They are doing business with, or would like to do business with, an organization that is already compliant with HITRUST™. HITRUST™ certification may be required for organizations that handle Protected Health Information (PHI) on behalf of a HITRUST™-certified client or business associate.
  •  HITRUST™ offers a comprehensive control framework that helps better secure their environment. We believe HITRUST CSF™ is one of the most comprehensive frameworks available in any industry, and it does a great job addressing all types of information security risks. As opposed to some frameworks that remain relatively static, HITRUST™ has been tailored and customized over time to incorporate real-world learnings from healthcare data breaches.
  • Becoming HITRUST™ certified differentiates an organization in the healthcare marketplace. This can be especially helpful for smaller companies and startups looking to give potential clients confidence in the security of their products and services and set themselves apart from competitors that may not be HITRUST™ certified. These companies often find the HITRUST™ stamp of approval to be a powerful sales tool.

Tevora’s HITRUST™ Certification Methodology

As a certified HITRUST™ Assessor, Tevora works with clients to help them prepare for HITRUST CSF™ Certification and conduct a formal assessment to validate their compliance. We’ve honed our certification methodology as we’ve helped some of the world’s largest companies to reach this significant milestone. Here’s a summary of the methodology:

For most clients, it takes 10-12 months from the start of the process to certification. Our experienced team of security consultants can dive in and do most of the remediation work. Or, if the client prefers to do the remediation, we can serve as an advisor during this phase.

Keys to a Successful Certification

After guiding many clients through the HITRUST™ certification process, Tevora has developed a sound methodology to ensure certification success.

  1. Use an experienced HITRUST CSF™ Assessor. HITRUST™ is a comprehensive and detailed framework. In many ways, we’ve just scratched the surface in this blog post. Companies that have attempted to prepare for certification on their own often find the process to be too difficult and end up bringing in outside help and experiencing certification project delays. We strongly recommend that you partner with an experienced HITRUST CSF™ Assessor from the start, whether it be Tevora or another Assessor.
  2. Be aware of HITRUST™ version update timelines. Unlike other more static frameworks, HITRUST™ updates its requirements annually to stay current with evolving cybersecurity threats. Methodologies are also updated from time to time. It’s important to work with an experienced HITRUST CSF™ assessor to ensure that your plans are aligned with the HITRUST™ framework as it evolves.
  3. Get your requirements set established accurately and as soon as possible. The sooner you gain a detailed and accurate understanding of what your requirements will be, the sooner you can get working on the changes needed to meet these requirements. Tevora recommends engaging a skilled HITRUST CSF™ Assessor to help you with this critical step in your certification process.
  4. Assign requirement owners. With the median number of requirements for clients being roughly 300, project management becomes critical. We recommend that you designate a project manager for your certification project and have them assign owners for each requirement. As we’ve helped clients achieve HITRUST™ certification over the years, Tevora has developed and refined tools that help manage the process of assigning and tracking requirements through the life cycle of a certification project. We suggest that you partner with a HITRUST CSF™ Assessor that has equivalent tools and experience.
  5. Effectively document all procedures and policies. As we described earlier, the Policies and Procedures maturity levels together account for 35% of each requirement’s score. An experienced Assessor can help you effectively document your procedures and policies to ensure you achieve a score of 100 for these two maturity categories. Focusing on this “low hanging fruit” is a great way to help ensure you get at least the minimum score for each domain.
  6. Use Tevora to both help prepare your organization and to certify your organization. While there are other qualified HITRUST™ Assessors out there, we believe Tevora is uniquely qualified based on its focus on partnership and customer relationships, deep HITRUST™ and security expertise, excellent record of client retention, and industry-leading reputation.

How is HITRUST™ Different from Other Frameworks?

Here are some of the important ways that HITRUST™ sets itself apart from other frameworks such as PCI DSS, AICPA SOC 2, and ISO 27001:

  • HITRUST™ offers MyCSF™, an online web application that is used to facilitate HITRUST CSF™ self-assessments (gap assessment) and HITRUST CSF™-validated assessments (audit for certification).
  • Both the HITRUST™ Approved Assessor and the entity being assessed are required to interact with MyCSF™.
  • The HITRUST™ fee structure is separate from third party assessor fees.
  • HITRUST™ audits the auditor on 100% of assessments. There are no shortcuts.
  • HITRUST™ uses a distinct scoring mechanism for assessments.
  • The HITRUST™ control set is unique to each organization. The requirements for an organization are based on its answers to a series of questions asked at the beginning of the certification process.

HITRUST™ Framework Organization and Scoring

The HITRUST™ framework includes 19 domains (e.g., Endpoint Protect, Password Management, Access Control). Each domain has multiple requirements that are individually scored against five maturity categories. Organizations must receive a composite score of at least 62% for each domain to achieve certification.

Here are the five maturity categories and the respective weightings used for scoring each requirement:

  • Policy = 15%
  • Process = 20%
  • Implemented = 40%
  • Measured = 15%
  • Managed = 10%

In our experience working with clients, Tevora has found it helpful to have them focus efforts on the first three categories—especially “Implemented” with its 40% weight—to maximize their chances of meeting the 62% certification scoring bar for each domain.

The overall number of requirements can vary greatly depending on the unique attributes of each organization. While the median number of requirements for an organization is roughly 300, this number can be significantly higher in certain situations.

HITRUST™ Domains

The diagram below presents all 19 of the HITRUST™ domains.

None of these should be a big surprise for those that are familiar with information security and compliance.

Additional Resources

Here are some additional Tevora resources that can help you gain a deeper understanding of HITRUST™:

Tevora Can Help

If you have questions about HITRUST™ or would like help preparing for or getting certified, Tevora’s team of security specialists can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com.