HITRUST Certification

In the healthcare industry, secure electronic data storage and transmission is essential. That’s why regulations like HIPAA and the HITECH Act exist.
HITRUST (Health Information Trust Alliance) offers another essential set of guidelines that can help with data security and HIPAA compliance in the healthcare sector and beyond.
Learn more about what HITRUST compliance is, how you can obtain this certification, and how it can benefit your organization below.

HITRUST Certification

How Can BlueSteel Cybersecurity Assist Your Organization with HITRUST?

We manage all areas of HITRUST compliance Level 1, 2, & 3 as your outsourced cybersecurity department so you don’t have to.

What’s Included in our HITRUST Security Program

Our HITRUST Security Program includes everything you need to meet all levels of HITRUST criteria items, but also HIPAA HITECH controls. This includes the following:

What’s Our Track Record

How Much Does Our HITRUST Security Program Cost


The Health Information Trust Alliance (HITRUST) is a non-profit organization responsible for delivering standards for data protection and certification programs that help businesses protect sensitive information, manage information risk, and reach specific compliance goals.
HITRUST is different from other compliance frameworks because it brings together information from dozens of authoritative sources, including HIPAA, SOC 2, NIST, and ISO 27001. It is also the only standards development organization that includes a framework, assessment platform, and independent assurance program, all of which have helped to drive widespread adoption.

What Is the HITRUST CSF?

Any business, agency, or organization that creates, stores, accesses, or exchanges regulated or sensitive data can use the HITRUST CSF (short for Common Security Framework).
The security framework includes prescriptive requirements that harmonize the requirements of other regulations and standards. It aims to standardize requirements across multiple security frameworks and provide clarity and consistency to make compliance easier.


HITRUST has its roots in HIPAA compliance. However, it extends beyond this particular set of standards and is relevant to other fields besides the healthcare industry. The following are some of the most relevant differences between HIPAA and HITRUST:



Features legal requirements and guidelines on how organizations should handle Protected Health Information (or PHI). HIPAA deals exclusively with protected health information and only applies to covered entities (such as healthcare providers and insurance companies), their business partners, and business partners’ subcontractors.



Is industry-agnostic and is based on best practices for a variety of sectors. It includes more flexibility and allows professionals to choose their assessment, selection of controls, etc.

Why HITRUST Matters?

HITRUST is designed to solve an industry-wide challenge: The need for certifiable assurance that organizations’ information security programs are both effective and mature.
Many information security frameworks and assessment methodologies exist. However, most of them do not issue any kind of formal certification. Most of them also do not use a maturity assessment model, which helps consumers evaluate the long-term effectiveness of the organization’s security practices.
HITRUST also offers programs for small organizations, startups, and venture-backed organizations to reduce costs and increase accessibility.
When organizations obtain the HITRUST certification, they can provide greater assurance to customers, partners, and stakeholders that they have taken the time to meet specific, rigorous standards. This assurance, in turn, can lead to increased trust and a significant competitive advantage.
The HITRUST certification process also helps organizations understand the effectiveness of their risk-mitigation controls and leads to greater security improvements over time.

What Types of Organizations Require HITRUST?

HITRUST’s measurements state that 81 percent of US hospitals and health systems, 83 percent of US health plans, and 75 percent of Fortune 20 Companies have adopted HITRUST assessments and certifications, either internally or as part of a third-party risk management procedure.
Other organizations outside of the healthcare sector can also benefit from obtaining the HITRUST certification. For example, service organizations can use the HITRUST framework to complement or replace SOC 2 compliance.

What Does It Mean to Be HITRUST CSF Certified?

To be “HITRUST CSF Certified,” an organization must meet all CSF certification requirements. The “CSF Certification” involves the performance of a validated assessment utilizing the following:

Embedded  control requirement statements

Embedded  control requirement statements



The PRISMA maturity model

The PRISMA maturity model

There are three levels of assessment and potential HITRUST certifications:

The HITRUST Essentials, 1-Year (e1) Assessment

The HITRUST Essentials, 1-Year (e1) Assessment

This assessment addresses standard cybersecurity practices, supplies entry-level assurance that focuses on critical cybersecurity controls, and verifies essential cybersecurity hygiene.

The HITRUST Implemented, 1-year (i1) Assessment

The HITRUST Implemented, 1-year (i1) Assessment

This assessment addresses leading practices and provides a moderate level of assurance addressing cybersecurity leading practices, as well as a broader range of active cyber threats compared to the e1 assessment.

The HITRUST Risk-Based, 2-year (r2) Assessment:

The HITRUST Risk-Based, 2-year (r2) Assessment:

This assessment addresses expanded practices and provides a high level of assurance, focusing on the comprehensive risk-based specification of controls and an expanded approach to risk management and compliance evaluation.

Organizations can also choose from a self-assessment or a validated assessment performed by a HITRUST assessor firm.

HITRUST Compliance Checklist

To be considered compliant with HITRUST guidelines and standards, your organization should be able to check all of the boxes on this list:

Download the HITRUST CSF pdf.

Start by downloading and reviewing the latest version of the HITRUST CSF framework.

Determine Scope

Next, you must carry out an internal gap analysis, examining existing controls and comparing them against the target controls laid out in the HITRUST CSF.
Outline your scope by defining the business units and subsidiaries that are affected, the type of assessment you need, and the controls you need to address. From here, you can develop and distribute a risk management strategy and implementation timeline.

Purchase the MyCSF Tool

The MyCSF tool provides organizations with a software-as-a-service (SaaS) solution to perform risk assessments and develop a corrective action plan management. Using this software — which is available at multiple price points — can reduce resource requirements, increase efficiency, and enhance the reporting process.

Perform a Self-Assessment

The MyCSF tool includes a self-assessment questionnaire that provides essential details on the size of your organization, your risk exposure, etc. Your answers to this questionnaire determine the controls, requirements, and requirement levels you need to implement.

Get an External Audit.

Obtain an external audit carried out by a third-party auditor that is licensed by the HITRUST Alliance. They will review the data generated by the self-assessment and then look into your security processes and controls.

Get Validated

When the external audit is complete, you must submit the assessor’s report to HITRUST so it can be evaluated.

Receive a score from HITRUST.

After the validation process is complete, you will receive a certification and score from HITRUST. If your score is not high enough, HITRUST will reach out and let you know why. They will also provide a corrective action plan that will help you achieve the certification the next time around.

After a CSO has been prioritized to work with the JAB and judged as FedRAMP Ready, the following steps will occur:

HITRUST Compliance Best Practices

HITRUST assessments are expensive — the fees for the e1, i1, and r2 validated assessments range from $20,000 to $250,000 per year. To avoid excessive costs, keep these best practices in mind, as they can help you increase your chances of getting certified on your first attempt:

Upgrade and Document Policies

Start by making sure all of your policies are formally documented, readily available to all employees, and up to date. Your policies should also be recorded based on other guidelines, such as NIST or ISO. Responsibilities and penalties should be clearly assigned and identified as well.

Formalize Procedures

Formalizing procedures involves outlining them in detail. You should identify the relevant “who, what, when, and how.” Clarify responsibilities and expected behaviors, too, and communicate the formal procedures with all employees who must follow them.

Create and Test Incident Response and Business Continuity Plans

You should have an action plan in place so that, if a security breach occurs, you know exactly how to respond. You should also have a business continuity plan that ensures you can continue to function if a disaster or another business interruption occurs.

Implement Technical Controls

Use vulnerability testing and penetration testing to ensure your system is secure. You should conduct these tests routinely, too, to ensure all security implementations are adequate and effective

Ensure and Verify Consistent Implementation

Make sure your information security procedures and controls are implemented consistently. Reinforce them through regular training, too, and discourage ad hoc approaches.

Manage and Minimize Risk

If you identify any weaknesses, correct them promptly. Strive to continuously improve policies, procedures, tests, and implementations, too, and include information security in all processes.

Get Organizational Buy-In

The HITRUST certification process requires a lot of work from the IT and security teams, as well as others in the organization who might need to change their current processes. Obtain executive support and ensure you have the resources required to become certified successfully.

Cybersecurity healthcare facilities

Get HITRUST Compliance Help with Bluesteel

It doesn’t matter if you work in the healthcare industry or another sector. You, your staff, and your customers/clients can benefit from HITRUST certification and compliance.
Follow the best practices and checklist shared above to increase your chances of getting certified.
If you need more assistance, contact us today at Bluesteel Cybersecurity to learn about our compliance preparation services.

Contact information

Send us a Message

Recent posts