BLOG

HITRUST is Shaking Things Up: Details for the New HITRUST i1 Certification and bC Assessment

Blog Post by Angela Fitzpatrick, Senior Manager & HITRUST Leader at Meditology Services

The demand for healthcare organizations to obtain some form of security certification is at an all-time high due to escalations in breaches across the healthcare industry and its supporting supply chain.  HITRUST provides the most widely adopted security certification for healthcare entities with its flagship HITRUST CSF Validated certification.

However, not all certifications are created equal, and the industry is outgrowing the one-size-fits-all certification model. HITRUST has announced that they are making several changes to their assessment portfolio and are shaking up the security certification options for healthcare entities.

HITRUST recently announced new security assessments, including the new HITRUST Basic, Current-state (“bC”) Assessment and the HITRUST Implemented, 1-year (“i1”) Validated Assessment with Certification. The new HITRUST options are designed to provide more flexibility and speed for HITRUST certification while reducing the cost and effort to achieve security certification.

HITRUST is also rebranding their flagship HITRUST CSF Validated certification, which will now be called the HITRUST Risk-based, 2-year (“r2”) Certification.

This blog post provides insights and analysis into HITRUST’s new security assessments.

You can also learn more about the new HITRUST security assessments in Meditology’s recent CyberPHIx podcast interview with Michael Parisi from HITRUST: HITRUST Announces New Certification Model: Insights from HITRUST Leadership.

Why has HITRUST decided to create new security certification options?

According to Mike Parisi, Vice President of Adoption for HITRUST, the objective of the new security certification options is to provide the industry with options to address a wide spectrum of assurance objectives for organizations. In our recent CyberPHIx podcast interview, Parisi says:

There's this whole bucket of assurance mechanisms that exist out there. And when you try and plot those along a continuum, if that continuum really involves things such as what's the level of effort in order to produce it, what's the level of transparency, what's the cost right? How much validation needs to go into that? But they're kind of all over the place.

 

We went through an exercise of saying if you put assurance as the goal in recognizing there's varying levels of assurance, probably the easiest example is to say a self-attestation versus something that's validated by an independent third party. They're going to be all along that continuum. And what we found is there was a market need for the middle.

 

What we're referring to as moderate assurance levels, there's a lot of big clubs out there and a lot of people are trying to kill mosquitoes with a cannon to say, you must do a full SOC 2 report or you must do a full blown HITRUST certification. And the reality is those assurance mechanisms, although certainly suitable for some organizations, driven off of risk, a lot of times they're too big of a lift or they're over clubbing how much assurance needs to be provided relative to the services in the relationship that third party has in the marketplace, right?

 

Well, then what do you have left? Well, the only thing you have left is the other end of the spectrum, which is a low level of assurance, which is usually self-attestations or an equivalent of maybe like a Type I SOC report, right? Where it's not giving you a level of transparency and comfort over whether controls are actually implemented or operating effectively.

 

So we saw this huge need for an assurance mechanism that fits in the middle provides a moderate level of assurance. … There was a huge need there and we sought out to fill that need with one of our new assurance mechanisms that we refer to as the HITRUST i1.

 

Additionally, on the lower end of the spectrum, as we think about what has existed traditionally for those very small businesses think like an insurance broker as an example or special interest organization, a lot of relying parties haven't done anything with that population of their third parties because they haven't been able to find something that fits relative to the risk associated with those organizations.

 

They know that they need to do something and a self-attestation or trying to maintain a proprietary questionnaire relative to that population is very burdensome. Not only is it burdensome on the small business, but it's burdensome on the relying party as well. So we said we need to come out with an assurance mechanism that we refer to as our basic assessment to address that segment of the marketplace as well.”

The full interview can be accessed here: HITRUST Announces New Certification Model: Insights from HITRUST Leadership.

What security assessments does HITRUST offer today?
  • HITRUST bC: Basic Current State Assessment*
  • HITRUST i1: Implemented 1-Year Validated Assessment and Certification*
  • HITRUST r2: Risk-based 2-Year Validated Assessment and certification (Formerly the HITRUST CSF Validated Assessment)

*New in 2021

What is the HITRUST Basic, Current State Assessment and how does it work?

Here are some key points about the new HITRUST Basic Current State (bC) assessment:

  • The HITRUST bC assessment is a self-assessment and does not require an external third-party assessor firm to complete (i.e. The HITRUST bC assessment is not a certifiable assessment)
  • The HITRUST bC assessment requires a review of only 71 controls based on the NISTIR 7621, Small Business Information Security: The Fundamentals [1]
  • The HITRUST bC assessment is designed for small businesses to quickly evaluate and report on security controls implementation
What is the HITRUST i1 security certification and how does it work?

Here are some key points about the new HITRUST i1 certification:

  • The HITRUST i1 certification is designed to deliver a “best practices” assessment and certification
  • The HITRUST i1 certification is a one-year (annual) certification that is designed to have a substantially lower level of effort and cost to achieve than a traditional HITRUST CSF (now called r2) certification
  • The HITRUST i1 certification incorporates the NIST SP 800-171 security controls framework and elements of the HIPAA Security Rule. The selection of controls for the i1 certification are the same for all organizations and are not tailored or adjusted based on the organization’s size or compliance obligations (as is the case with the HITRUST r2 certification)
  • Like the HITRUST CSF certification (HITRUST r2), the HITRUST i1 uses an external assessor’s annual evaluation of control implementation along with HITRUST review and QA. Note: Meditology is a HITRUST external assessor organization
  • HITRUST QA cycles for the HITRUST i1 assessment will be delivered in an expedited fashion in alignment with pre-defined SLAs
  • The HITRUST i1 evaluates the implementation of security controls only and does not require the evaluation of an organization’s policies and procedures
What are the differences between the HITRUST Basic Current State (bC), HITRUST r2 (formerly CSF), and HITRUST i1 security certifications?

The difference between these HITRUST assessment and certification options is the variance in level of effort and level of assurance that each assessment provides.

The HITRUST Basic Current State (bC) assessment provides a low level of assurance and requires a review of only 71 security controls. The HITRUST bC assessment is not a certification; the bC is a self-assessment only and does not require an external assessor firm to complete. Instead, it leverages the HITRUST Assurance Intelligence Engine to identify errors, omissions, or deceit, which is why HITRUST calls this a “Verified” Self-Assessment.

The HITRUST i1 certification, by contrast, provides a moderate level of assurance based on the NIST SP 800-171 controls framework and a subset of the HIPAA Security Rule. [2] The HITRUST i1 is good for one year only and organizations are evaluated against the implementation of controls only. The HITRUST i1 is a certifiable assessment and requires an external assessor firm like Meditology Services to complete. The level of effort to achieve the HITRUST i1 certification is substantially less than the HITRUST r2 certification and is reportedly more on par with the level of effort for a SOC 2 Type II attestation.

The HITRUST r2 certification provides a high level of assurance and requires a minimum review of 198 controls (up to 2000+ controls) to obtain certification. The HITRUST r2 certification is valid for a two-year period with an interim review required at the one-year mark. Organizations are evaluated on security policies, procedures, implementation, measurement, and managed practices. The HITRUST r2 certification includes a more comprehensive alignment with industry standards and regulatory requirements including the NIST Cybersecurity Framework and HIPAA (including the HIPAA Security Rule.)

How can I learn more about the new certifications and determine which option is best for my organization?

Meditology is an authorized HITRUST external assessor organization and we have a dedicated team of HITRUST experts available to discuss your specific certification needs.

We will continue to publish additional guidance and analysis on HITRUST security certification details as these new models become deployed across the industry.

Contact us to learn more or if you have any questions about healthcare security certification options and approaches.

Meditology: Leaders in Healthcare Cybersecurity and HITRUST Services


What Our Clients Are Saying

"I rate the value of working with Meditology on our HITRUST Certification as “Exceptional” - 5 out of 5 rating. 2020 was a difficult year but we would not have gotten the results without working with Meditology as a partner because of the thoroughness, attention to quality, and stick-to-it-iveness. We have a legit HITRUST with no CAPs."

- AVP, Governance Risk & Compliance, National Direct Access Care Network and Wellness Organization
....................................................................

“Meditology saw us all the way through as they always have, we got our cert, they moved staff and timelines around, and they were very flexible in seeing us to the end. We were very happy with the deliverables. And A+ for getting us to the HITRUST Certification. We are satisfied, our Board and Execs are happy."

- Director of Security, Software Development Company
....................................................................

“I felt a strong sense of partnership right from the beginning. Meditology is competent and knowledgeable about who we are and how we are trying to achieve our HITRUST Certification goals, and that’s a big part of success."

- CISO, One of the Nation's Largest Healthcare Payors


Appendix: More Information from HITRUST on the HITRUST i1 Certification

The HITRUST i1 Assessment is a certifiable “best practices” information security assessment designed to deliver a strong moderate level of assurance and broad protection against all relevant and emerging threats.

  • Innovative Design and Best Practices Control Selection to Address all Relevant and Emerging Threats
    • The HITRUST CSF contains over 2,000 control requirements as it is designed to be a comprehensive, flexible, risk, and compliance-based. The control selection for the i1 focuses only on the best and most applicable security controls that most organizations face. (Venn Diagram)
    • The HITRUST research team in cooperation with industry partners has analyzed data related to indicators of compromise (IoC) and Indications of Threat (IoT) to ensure the control selection for the i1 assessment would include best practices against all relevant and emerging threats
  • Stay Ahead of Evolving Threats and Futureproof your Program
    • As the industry leader in framework development and information protection assurances, HITRUST is uniquely positioned to leverage its expertise in information risk management and threat Intelligence from the HITRUST Risk Catalogue, to make necessary changes to the control requirements in the future as cyber threats change
    • HITRUST will be continuously monitoring cyber threat intel and publish regular guidance as new threats are detected that may impact the effectiveness of incorporated controls. These guidance documents will also drive updates to the CSF and i1 controls set as needed
  • Provides the Highest Level of Assurance for a Moderate Assurance Level
    • The most Rely-able™ assurance report due to suitability of controls, the rigor of assurance program, and centralized oversight – HITRUST QAs 100% of the reports
    • Attributes not found in other assessments
      • Suitability of the controls ​
      • Transparency in how controls were evaluated and scored
      • Better accuracy based on a quasi-quantitative, rather than “qualitative” scoring.​
      • Consistency in how controls are evaluated​
      • Integrity in the report with over 50 automated checks and 6 levels of independent and objective quality assurance reviews by HITRUST

SOURCES

[1] https://csrc.nist.gov/publications/detail/nistir/7621/rev-1/final
[2] Refer to the appendix for more information from HITRUST on the HITUST i1 control levels.

Most Recent Posts
The Future of HIPAA Regulations Read More
Cloud Security Risk Assessments Instrumental in Transforming Healthcare Organizations’ Cloud Security Posture Read More
Strengthening Medical Device Resiliency and Supply Chain Risk Preparedness in Clinical Settings Read More