HITRUST offering more choice, cost flexibility


The HITRUST Assurance Program has been a preferred method of providing information security assurance for healthcare payors, providers, and business associates since 2007. With many healthcare entities now examining how and when to continue their HITRUST certification, or just starting on their first HTRUST certification, HITRUST now offers a new version of its framework, along with new assessment types, to help make decisions easier and more tailored to individual entities’ situations.


The company’s latest version of HITRUST CSF Version 11, not only is updated to address and mitigate information security risks, but offers new levels of assurance to meet individual healthcare entity needs. Released in December 2022, Version 11 updates many of the information security examinations of the previous Version 9 revisions, which alone is a reason for a reassessment. 




Framework of frameworks


Essentially, the HITRUST framework is a combination of other testing frameworks — for instance, National Institute of Standards and Technology (NIST), ISO 27001, and Payment Card Industry (PCI). HITRUST has incorporated all of the relevant parts of those frameworks into theirs, which they continually update, at minimum annually. HITRUST’s all-inclusive cybersecurity certification is a product of some of the larger healthcare providers seeking a way to ensure information security standards in the multitude of third-party businesses with which they contracted. By insisting on HITRUST certification as a requirement to do business with them, these entities have been able to alleviate many of their own concerns that data they shared with their own service providers was not compromised by threats which their own safeguards otherwise prevented.


Critically, the HITRUST framework can be used to address HIPAA compliance requirements as well as other types of information security and privacy risks. There are many ways healthcare providers can comply with HIPAA mandates. But the importance of HITRUST’s CSF certification is that it is a tested, established standard by which HIPAA compliance can be demonstrated.


What distinguishes Version 11 from previous versions is it offers three assessments with varying levels of difficulty and assurance: an “e1” one-year “essentials” assessment, an “i1” one-year “leading practices” assessment and an “r2” two-year “expanded practices” assessment. The levels create essentially a low-medium-high level of cybersecurity assurance and the rigor is scaled accordingly.


“What HITRUST is trying to do is to have an assessment portfolio that incorporates threat vectors from work in the field and input from cybersecurity vendors to update new and existing threats and vulnerabilities into the security framework that they are tasking companies with implementing,” said Sean Brennan, Advisory manager at Grant Thornton. “Each assessment they offer will build on and encapsulate the other.”




Three levels of assurance


HITRUST’s website describes the e1 assessment as an “entry-level assurance focused on the most critical cybersecurity controls.” This is a new evaluation for HITRUST and it is geared toward organizations that need only a minimal amount of protection or are smaller organizations. The level aligns with CISA Cyber Essentials, the HICP for small healthcare organizations, and NIST’s Basic Requirements.


The i1 assessment existed prior as a part of Version 9, but it was seen as performing a different assessment than the full r2. Now, all requirement statements that are included in the i1 assessment will also be contained in the r2. The i1 assessment now offers a mid-level level of security, and aligns with the HICP for medium-sized organizations, the NIST SP 800-171 Basic and Derived Requirements, and the HIPAA Security Rule.   


The r2 remains the assessment that offers the highest level of assurance and aligns with dozens of other frameworks and assessments, including the NIST CSF, the PCI DSS and full HIPAA compliance. Critically, many of the control requirements found in the r2 assessment are included in both the i1 and e1 assessments.


Brennan said healthcare entities that have experience with the r2 assessment and feel it is too expensive or too thorough may discover that at i1 or e1 assessment is more appropriate for the size of organization they are or the level of assurance they actually need.


“If you have a complex organization with internet access and processing many transactions, you will have a higher burden to certify against the framework versus a company that is relatively simple and are closed off from the internet,” said Brad Barrett, an Advisory partner at Grant Thornton. “So HITRUST’s assessments are adaptive in the way they apply the certification, as well.”


Critical to the process is that HITRUST requires third-party validation in order to mitigate the risk that healthcare providers could sidestep many procedures. Katherine Anderson, an Advisory director at Grant Thornton, said the external assessor acts as an independent auditor that evaluates an assessment to verify the “maturity” scores in MyCSF, HITRUST’s proprietary SaaS system.


Since a HITRUST certification lasts for a maximum of two years, most healthcare entities are continually in the process of re-evaluating their needs. Third-party evaluators – External Assessor Organizations (EAOs) that have been authorized by HITRUST (Grant Thornton is one) to perform HITRUST Validated assessments -- are an essential part of the HITRUST Assurance Program. These EAOs can often be excellent sources of information to review, explain and help organizations decide which evaluation level makes sense in terms of both security and cost.





Our healthcare featured industry insights