
A Guide to HITRUST Certification

Streamlining compliance in healthcare and beyond

03 February 2025

By Kurt Osburn

Introduction

Healthcare is a top industry targeted by cyber thieves due to its wealth of patient data and its large number of integrated technologies. One wouldn't have to look far to read about ransomware attacks on hospital systems: in 2018 alone, there was at least one healthcare breach per day, and 15 million patient records were lost.

More recently, high-profile breaches have continued to highlight the industry's vulnerability. In February 2024, a healthcare ransomware attack disrupted services for over 100 million individuals, impacting hospitals, patients, medical claims processing, and pharmacy operations.

As the healthcare sector continues to transform to provide more efficient patient care, the need to mitigate digital risk and protect sensitive data has never been more critical.

One initiative striving to do so is the Health Information Trust Alliance, usually referenced by its acronym, HITRUST. This globally recognized standards body has focused on providing and assessing a robust, comprehensive set of security and privacy practices for organizations' risk management and compliance programs.

What is HITRUST?

HIPAA, or the Health Insurance Portability and Accountability Act, was enacted to establish guidelines for managing protected health information. However, lacking a framework and certifying body, compliance quickly became an obstacle for healthcare companies. In 2007, a committee of security professionals from various healthcare organizations came together to form HITRUST. The organization had a single goal in mind: to standardize security controls around electronic protected health information (ePHI) to create a verifiable path to HIPAA compliance.

Since 2007, HITRUST has carefully selected and assessed controls from federal and industry best practices that support HIPAA's information protection requirements, funneling them into a certifiable control framework now known as the HITRUST Common Security Framework (CSF).


Why is HITRUST certification so important?

It's been widely adopted on a global level — nearly 30,000 users have downloaded the HITRUST CSF within the past five years.

Furthermore, the HITRUST CSF is now the most widely adopted framework in the US healthcare industry: more than 80% of hospitals and health plans have adopted it as a resource or as the basis for their overall security program. The HITRUST Alliance has also stated that more than 2,500 CSF assessments were conducted in 2024. These figures demonstrate a continued increase in the adoption and use of the CSF framework across industries.

In their first official Trust Report, HITRUST highlights that organizations able to achieve certification are much less likely to experience data breaches. In fact, between 2022 and 2023, 99.4% of HITRUST-certified environments reported no security breaches, which speaks to the effectiveness of the framework.

HITRUST also updates its standards to stay ahead of evolving cyber threats like ransomware and AI-related risks, ensuring that certified organizations remain resilient and prepared for the next challenge.

If you want to have something that people can trust, it needs to address new threats and risks when they come up and adapt to the regulations that come from the oversight bodies.

Michael Frederick, Senior Director of Professional Services, HITRUST

What is the HITRUST CSF?

HITRUST sought to provide healthcare organizations guidance on how to apply security controls regarding HIPAA. But going further, the organization recognized a need for one unified and consistent approach for applying security in a global marketplace with varying data protection standards.

HITRUST turned to ISO/IEC 27001 as the foundation for the HITRUST CSF, as its high-level controls are designed to suit almost any organization, industry, and country. The CSF builds on this foundation with each new release, moving towards its promise of "One Framework, One Assessment" by encompassing requirements from multiple standards and regulations (e.g., HIPAA, HITECH, PCI, ISO/IEC, COBIT, SOC, NIST, and GDPR).

The scalability and tailoring of the HITRUST framework

HITRUST's certification process is scalable to meet the needs of organizations of all sizes and industries. Three types of assessments are offered: 

  1. HITRUST Essentials (e1)
  2. HITRUST Implemented (i1)
  3. HITRUST Risk-based (r2)

The scalability of these assessments ensures that organizations can choose a certification path that aligns with their specific risk profile, making it accessible to a broader range of industries, from small businesses to large enterprises.


The HITRUST Assurance Program today

HITRUST is no longer just for healthcare organizations; it's also quickly becoming a go-to data protection and compliance standard for other industries. 

Sectors like finance, cloud services, and technology are recognizing the value of HITRUST in improving their information security and managing risks. As data protection becomes a top priority for businesses across the board, HITRUST offers a proven framework that helps organizations meet evolving security and regulatory demands. 

By adopting HITRUST, companies in these industries can show they are serious about safeguarding sensitive information and building trust with customers and partners.


HITRUST AI program

In 2024, HITRUST introduced a new AI-driven compliance support program designed to help organizations streamline their assessment processes further. This program leverages advanced machine learning algorithms to:

  • Automate document review and control mapping
  • Provide tailored recommendations for gap remediation
  • Improve accuracy and reduce time spent on manual tasks

Organizations can now integrate this AI program via the HITRUST MyCSF tool, enhancing the certification process.

How to navigate HITRUST CSF certification

With the HITRUST CSF, organizations of all industries gain an integrated, all-encompassing set of comprehensive security safeguards. The HITRUST CSF Assessment breaks down into nineteen (19) different domains across 159 control specifications. 

Five (5) distinct implementation categories exist for each control: policy, process, implemented, measured, and managed. Each category builds on the one before it, and the expected level of maturity is based on your organization's risk profile, size, and amount of sensitive data stored.


The 5 steps to HITRUST CSF

The process essentially has five steps. External Assessors like NCC Group work with organizations through each step, which can take, on average, between 6 months and a year to complete, depending on your organization's level of readiness and the measures needed to implement the applicable controls. Note that not all controls will be applicable to every organization. 

HITRUST continues to expand its adoption globally, with increasing emphasis on industries beyond healthcare. The certification process is evolving to address emerging threats such as AI and machine learning, incorporating new requirements as they arise.

1) Scope 

Download the HITRUST CSF to learn more about the framework and its controls. From there, you will want to decide on the type of HITRUST assessment best suited for your business. The benefit here is to avoid taking on too many or, conversely, not enough requirements needed for your organization.

Accurately defining scope is the single best way to reduce time and financial burden in your journey to HITRUST CSF Certification. 


2) Access HITRUST MyCSF

Contact HITRUST to gain access to the MyCSF tool. From there, you can create an assessment based on your previously defined scope and upload your existing policies and procedures to assess them against the assessment's HITRUST CSF control requirement statements.

Purchasing an annual subscription to the HITRUST MyCSF has numerous benefits, including reducing duplicative efforts between the self and validated assessments. 


3) Self-Assessment 

This step can be entirely internal, but selecting an assessor allows for a facilitated self-assessment to take place. This assessment provides reviews of documents, scoring, control descriptions, and of course, identifying gaps along with providing recommendations.

HITRUST also offers a Self-Assessment Report, which documents findings in an official report that can be used to assure customers.


4) Validated Assessment

When you're ready to begin your HITRUST CSF Validated Assessment, your organization will either be able to utilize the previously scoped and generated assessment or will need to create a new assessment, depending upon your HITRUST MyCSF access level. Firms like NCC Group won't be able to validate until all safeguards are in place and effective for at least 90 days.

From there, it will take approximately 90 days to complete testing, sampling, and validation of the controls prior to submitting to HITRUST. In addition, HITRUST requires a thorough QA of all validated assessments prior to submission to be performed by a listed independent assessor.

We typically see clients' control sets start around 300 requirements on the low end and up to over 600 for more extensive projects. Please note that HITRUST CSF Validated Assessments that do not meet the scoring requirements for HITRUST Certification will be issued a HITRUST CSF Validated Report. 


5) Ongoing Testing

HITRUST CSF Certification is good for two years, after which a full re-validation will be needed. An interim review is required after year one of validation. 

Starting your HITRUST journey

HITRUST is one of the most highly regarded certifications in cyber security, but validation and certification bring about some challenges. Understanding and aligning with applicable HITRUST requirements, having a well-defined strategy, and gaining top-down support ahead of time will help ensure your success. 

1) Align with HITRUST's many requirements

HITRUST, on average, has between 320 to 380 controls, and a general set of policies won't cover them. You will need a working set of policies, procedures, and supporting documentation to prove that HITRUST's required controls get implemented. 

2) Assign a dedicated point person 

Assessments are often delayed for extensive periods while company stakeholders work on documents and processes or attempt to identify who is in charge of specific systems. 

Assign someone internally who understands what systems are in place, how policies and processes are supported, and what systems your organization is trying to certify. This person can pull knowledgeable people together to accomplish the required tasks. 

3) Secure and leverage top-down support 

More than any other security initiative, HITRUST needs support and alignment from executive management down to the individual security professional.

This will help you secure your budget and fast-track the tasks required for assessment, such as policy writing, defining technical requirements and system configurations, and getting staff to pull the required information.

The NCC Group SMARTS process

HITRUST has quickly become the gold standard for information security risk management and compliance in healthcare and other industries. 

If you're pursuing HITRUST CSF Validation with Certification or just want to implement a respected security control framework within your organization, our HITRUST CSF assessment team guides organizations of every industry, size, and complexity through a process we call S-M-A-R-T-S.

Scope - Properly scope and identify all sensitive information.

Map - Ensure proper determination of organizational, system, and regulatory risk factors and obtain the set of controls applicable to the environment.

Analyze - Determine proper documentation/evidence. The client assigns ratings and develops control descriptions.

Review - NCC Group reviews all documentation, evidence, control descriptions, and ratings.

Test - NCC Group performs testing, sampling, and validation of controls, following the E-A-T (examine, analyze, test) process for validation.

Submit - Assessment undergoes internal QA and is then submitted to HITRUST. 

Kurt Osburn

Director of Risk Management and Governance, NCC Group NA

With over 30 years of experience in healthcare, privacy, networking, security, governance, and compliance, Kurt blends a broad range of knowledge to lead multiple service disciplines and ensure the quality of consulting services. He specializes in privacy reviews, HITRUST certification, and auditing or assessing against various other cyber security compliance standards and frameworks.

His extensive industry experience covers medical, retail, finance, and government sectors. Kurt holds certifications including CCSFP, CISA, CRISC, and CDPSE. He is an active blogger and speaker, passionate about helping others build strong cyber security postures and information security programs.
