
HITRUST offers three levels of assurance.

The HITRUST portfolio includes three cybersecurity certification options based on an organization’s complexity, risk profile, and needs. The HITRUST Essentials (e1) Validated Assessment addresses foundational cybersecurity hygiene. Startups and organizations with limited risk profiles may find this sufficient, while other organizations may start their HITRUST journey with the e1 before progressing to a more comprehensive assessment. The HITRUST Implemented (i1) Validated Assessment can be a good fit for mid-level organizations demonstrating leading security practices. It offers a more comprehensive level of assurance than the e1, with more controls in scope. The HITRUST Risk-Based (r2) Validated Assessment is the most comprehensive. It is best suited for organizations that need expanded tailoring of controls or regulatory compliance with authoritative sources.

Interested in learning how to get started on your HITRUST journey? Watch this Getting Started video.


With the HITRUST traversable assessment portfolio, you can reuse controls to reduce the effort and cost when upgrading from one level to another.

The HITRUST assessment portfolio offers three levels of assurance. Each level builds on a common framework, so you can begin with a less comprehensive assessment and move up to a more comprehensive one without starting over. For example, you can begin with the HITRUST Essentials (e1) Validated Assessment that covers foundational cybersecurity hygiene practices and move to the more comprehensive HITRUST Implemented (i1) Validated Assessment or HITRUST Risk-Based (r2) Validated Assessment without losing the time and effort invested in obtaining the e1.

Learn more about the HITRUST Portfolio.


HITRUST has the only assessment program that regularly evaluates emerging cyber threats and risks, ensuring relevant controls are in place.

To ensure HITRUST assessments remain relevant as the cyber threat landscape evolves, HITRUST regularly evaluates cyber threat intelligence. It identifies potential gaps in control coverage in its assurance portfolio. HITRUST publishes regular updates to keep up with the changing needs of organizations. Unlike other standards and risk management frameworks, HITRUST assessments are cyber threat adaptive. They stay relevant and avoid the need for organizations to distribute cyber questionnaires.

Learn more about the Power of the HITRUST Portfolio.


It can take less than a month to complete a HITRUST e1 assessment.

The HITRUST Essentials (e1) Validated Assessment is designed to cover basic foundational cybersecurity practices based on 44 controls. It incorporates HITRUST’s cyber threat-adaptive methodology to ensure relevancy. It is an entry-level assessment created to address the needs of startups and low-risk organizations. It can be used as a first step in a more comprehensive HITRUST journey. It is designed for faster cybersecurity certification, enabling some organizations to complete the assessment in less than a month.

Learn more about the HITRUST e1 Validated Assessment.


HITRUST now enables Third-Party Risk Management (TPRM) solutions to manage information risk efficiently.

With the HITRUST Results Distribution System (RDS), organizations save time and effort by eliminating mundane tasks like locating assessment results and manually entering a limited data set in their TPRM solution. RDS can post electronic assessment details into TPRM solutions promptly and efficiently, enabling better compliance and analytics.

Learn more about the HITRUST Results Distribution System.



Organizations have reduced the time and effort needed to obtain a HITRUST certification by up to 85% with the HITRUST Shared Responsibility and Inheritance Program.

The HITRUST Shared Responsibility and Inheritance Program can help your organization save time and resources by identifying inheritable controls within the HITRUST CSF. It streamlines security certification journeys. It lets you use already certified controls from internal shared IT services and external third-party organizations such as service providers, vendors, and cloud service providers (CSPs) like Amazon, Google, and Microsoft. This makes it easier for organizations to achieve their information security certifications and helps boost their security scores.

Download the HITRUST Shared Responsibility and Inheritance eBook to learn more.


SOC 2 and HITRUST Certification aren't the same when it comes to control suitability, consistency, integrity, and transparency.

It is a common misconception that SOC 2 is a certification. SOC 2 is an attestation, while HITRUST is a certification that provides the needed reliability, quality, and transparency. A public accounting firm issues a SOC 2 attestation report that contains its opinion. A HITRUST certification, by contrast, is based on a framework of authoritative sources, offering reliable assurances. And because parts of SOC 2 reports are based on auditors’ opinions, they are inherently subjective. Every HITRUST assessment is based on the HITRUST CSF, an objective and quantitative cybersecurity framework. The HITRUST CSF maps each control to multiple authoritative sources, including HIPAA and GDPR. HITRUST can be mapped to SOC 2, too. With the addition of the e1 assessment to the HITRUST portfolio, the time, talent, and financial resources required to become HITRUST certified are comparable to getting a SOC 2. The e1 is a one-year cybersecurity certification focusing on essential information security controls. Low-risk organizations can use it to demonstrate that foundational cybersecurity practices are in place. Organizations intending to pursue more robust assessments can use it as the first step in a HITRUST journey.

Learn more about the HITRUST e1 Validated Assessment.


HITRUST is applicable to organizations from all industries and of all sizes.

The HITRUST CSF is an information protection standard that organizations can use effectively across any industry, not just healthcare. The HITRUST CSF provides a consensus-driven standard of due care and diligence for protecting information. This includes electronic protected health information (ePHI), personally identifiable information (PII), payment card data, proprietary information, or other sensitive information. Because HITRUST offers a portfolio of validated assessment options based on complexity and risk profile, it can also be used by organizations of any size.

Check out Why HITRUST Certifications are Broadly Considered the Gold Standard to learn more.


A HITRUST assessment and resulting certification can convey assurances over many other authoritative sources like HIPAA and ISO.

The HITRUST CSF integrates and harmonizes information protection requirements from many authoritative sources, including ISO, PCI, and HIPAA. It is tailored to an organization’s requirements based on specific organizational, technical, and compliance risk factors. One HITRUST assessment can be used to satisfy many reporting requirements, saving organizations time and money. HITRUST assessment results can include a HITRUST CSF Certification Report, a HITRUST Letter of Certification, a NIST Cybersecurity Framework Certification, and more. The level of integration and prescriptiveness provided by the cybersecurity framework, along with the quality and rigor of the HITRUST Assurance Program and supporting products and services, make the HITRUST CSF the easy choice for organizations in any industry.

Learn more about HITRUST Assessments.



The HITRUST assessment portfolio makes TPRM more practical and effective with its different assurance levels.

The HITRUST portfolio includes three certification options based on an organization’s complexity, risk profile, and needs. Different vendors can opt for different types of assessments. The HITRUST Essentials (e1) Validated Assessment addresses foundational cybersecurity hygiene and is ideal for vendors with limited risk profiles. The HITRUST Implemented (i1) Validated Assessment can be a good fit for mid-level vendors demonstrating leading security practices. The HITRUST Risk-Based (r2) Validated Assessment is the most comprehensive. It is best suited for vendors that need expanded tailoring of controls or regulatory compliance with authoritative sources.

Check out our blog for the Key Steps for Effective TPRM.


Get started on your HITRUST journey.