HITRUST: Did You Know?—Part 1, HITRUST Assessments

August 24, 2023 | HITRUST

If you’re a healthcare organization, you might be familiar with the common benefits of HITRUST certification. HITRUST—the most widely adopted security framework in the U.S. healthcare industry—can ensure your organization is up-to-date on the latest security risks and provide peace of mind knowing patient data is protected. But did you know about HITRUST’s traversable assessment portfolio or its continuous approach to risk management? 

To better prepare organizations to begin or continue their healthcare compliance journey, the HITRUST Alliance recently released HITRUST: Did You Know?, a guide covering ten essential facts about HITRUST certification. Through a four-part blog series, BARR is breaking down these facts so your organization has all the information about HITRUST. 

In this iteration of HITRUST: Did You Know?, we’ll explore the e1, i1, and r2 Validated Assessments, their differences, how to achieve certification, and which organizations are the best fit for each level.

Let’s take a look at these HITRUST Assessment facts, including helpful resources to guide you toward your healthcare compliance goals. 

HITRUST offers three levels of assurance.

The HITRUST portfolio includes three cybersecurity certification options based on an organization’s complexity, risk profile, and needs. 

  • The HITRUST Essentials (e1) Validated Assessment addresses foundational cybersecurity hygiene. Startups and organizations with limited risk profiles may find this sufficient, while other organizations may start their HITRUST journey with the e1 before progressing onto a more comprehensive assessment. 
  • The HITRUST Implemented (i1) Validated Assessment can be a good fit for mid-level organizations demonstrating leading security practices. It offers a more comprehensive level of assurance than the e1, with more controls in scope. 
  • The HITRUST Risk-Based (r2) Validated Assessment is the most comprehensive assessment in the HITRUST portfolio. It is best suited for organizations that need expanded tailoring of controls or regulatory compliance with authoritative sources.

For more information, watch the HITRUST Getting Started video.

You can reuse controls to reduce the effort and cost when upgrading from one level to another.

The three levels of assurance offered by the HITRUST assessment portfolio build on a common framework, so you can begin with a less comprehensive assessment and move up to a more comprehensive one without starting over. 

For example, you can begin with the HITRUST Essentials (e1) Validated Assessment that covers foundational cybersecurity hygiene practices and move to the more comprehensive HITRUST Implemented (i1) Validated Assessment or HITRUST Risk-Based (r2) Validated Assessment without losing the time and effort invested in obtaining the e1.

Learn more about the HITRUST Portfolio.

It can take less than a month to complete a HITRUST e1 assessment.

The HITRUST Essentials (e1) Validated Assessment is designed to cover basic foundational cybersecurity practices based on 44 controls. It incorporates HITRUST cyber threat adaptive methodology to ensure relevancy and acts as an entry-level assessment created to address the needs of startups and low-risk organizations. 

The e1 Assessment can be used as a first step in a more comprehensive HITRUST journey. It is designed for faster cybersecurity certification, enabling some organizations to complete the Assessment in less than a month.  

Learn more about the HITRUST e1 Validated Assessment.

The HITRUST assessment portfolio makes Third-Party Risk Management (TPRM) more practical and effective with its different assurance levels.

The three certification options included in the HITRUST portfolio are based on an organization’s complexity, risk profile, and needs. Different vendors can opt for different types of assessments. 

  • The HITRUST Essentials (e1) Validated Assessment addresses foundational cybersecurity hygiene and is ideal for vendors with limited risk profiles. 
  • The HITRUST Implemented (i1) Validated Assessment can be a good fit for mid-level vendors demonstrating leading security practices.
  • The HITRUST Risk-Based (r2) Validated Assessment is the most comprehensive. It is best suited for vendors that need expanded tailoring of controls or regulatory compliance with authoritative sources.

Check out the HITRUST blog for the Key Steps for Effective TPRM.  

Interested in learning more about HITRUST Assessments? Contact us for a free consultation with a BARR HITRUST expert. 
