Members of the BARR Advisory team were joined by Jeremy Huval, Chief Innovation Officer at HITRUST, for an expert discussion this week on how HITRUST streamlines risk management in today’s complex and ever-evolving cybersecurity landscape.
Speaking alongside Huval, BARR Attest Services Manager Steve Ryan and Senior Consultant Brianna Plush explained the ins and outs of the HITRUST CSF, which Ryan said is “considered the gold standard for healthcare organizations.”
However, it isn’t just healthcare organizations that are choosing HITRUST to demonstrate the strength of their security postures—organizations across industries can benefit from HITRUST. “We have retail organizations that are getting HITRUST certified,” Ryan said.
“HITRUST is one comprehensive and threat-adaptive framework,” he added. “The keyword there is threat-adaptive.”
According to Huval, other standard-setting bodies and sources of guidance for cybersecurity teams don’t issue updates frequently enough to effectively mitigate new and emerging threats. “They do not keep pace with the cybersecurity landscape and do not keep pace with the techniques being used by adversaries,” he said.
HITRUST is different, Ryan said. “HITRUST is continuously looking at the threat environment. They have real-time intelligence, and they’re constantly looking at the threats that are out there.” If the existing framework doesn’t address a newly identified risk, “they very quickly will enhance that framework or add additional controls where they need to,” he explained.
For organizations interested in pursuing HITRUST certification, there are three assessment options—the e1, i1, and r2 Assessments—that provide varying levels of assurance.
“The level of effort directly correlates to the level of assurance each provides,” Plush said. For instance, the e1 Assessment offers the lowest level of assurance and comprises only the essentials of information security. “It focuses on foundational controls that each organization should have in place,” she said.
“Because all of the e1 requirements can be found in the i1 and r2 Assessments, the e1 often functions as an excellent starting point for organizations that want time to implement more robust control environments,” Plush said. “But for many organizations, the e1 Assessment is their destination. The e1 is often right for startups or organizations that have a lower level of risk that just need to demonstrate that they’ve got the essential cyber hygiene in place.”
For organizations “of moderate complexity with more robust, established information security programs in place,” Plush recommends the i1 Assessment “to demonstrate protection against current and also emerging threats.”
“The i1 delivers more reliability through review of 182 controls, while still maintaining a lower cost than the r2 and a quicker turnaround,” she said.
The most comprehensive assessment available from HITRUST is the r2 Assessment, which requires 200 or more controls and offers a higher level of assurance for organizations with larger, more complex environments.
“The r2 Assessment examines each requirement at the policy, procedural, and implementation level,” Plush explained. “Naturally, these r2 Assessments are a larger level of effort. They are valid for two years, and an interim assessment is completed in the off-year to demonstrate that a sample of those controls are still operating and to demonstrate any progress on corrective actions taken since the initial certification.”
The trio also discussed HITRUST’s new Artificial Intelligence (AI) Security Certification, designed to help organizations secure their AI systems and build trust with stakeholders.
“With any new technology, there is new associated risk,” Huval said. “We acknowledged very quickly that AI—and specifically generative AI, when it took off—also had very unique and novel risk aspects and security threats that accompanied it.”
Huval said that as AI took the world by storm, HITRUST realized that teams who “depend on the accuracy and completeness of [HITRUST] reports are going to need additional content.”
“Organizations that are looking to adopt HITRUST should really get that comfort and perspective that their cybersecurity posture is as it should be to address relevant threats,” Huval said. “We have to expand our framework and our capability to address the novelties of AI.”
Developed in collaboration with leaders in the AI space, the HITRUST AI Security Certification includes up to 44 highly prescriptive controls that address risks and threats related to AI systems. These controls can be added to the core set of requirements for the e1, i1, or r2 Assessment, depending on an organization’s level of risk and assurance needs.
“For organizations that are using those AI products and using AI solutions, this helps manage the complexity of the AI solution’s security, it helps clearly identify which AI security control responsibilities may be shared between the providers of different AI components, it enables more confidence in the AI solution’s use, and it helps better manage third-party AI security risks,” Huval said.
If the HITRUST AI Security Assessment is built on top of an e1 or i1—or a combined e1 and i1 Assessment—it is known as an ai1. If built on top of an r2, it is called an ai2. Both options provide a means for organizations to proactively address questions and concerns over security and receive reliable reporting that can be shared with internal and external stakeholders.
“You cannot have AI security without having a secure platform within which the AI operates,” Huval said. “In other words, AI is often an added capability to an IT system, so you’ve got to secure that IT system first.”
For organizations that have already completed a HITRUST e1, i1, or r2 Certification, the AI Security Assessment is a seamless addition to their existing compliance program; however, organizations do not need to wait until a new certification cycle to begin the AI Security Assessment process.
“If you are already certified, don’t think you have to wait until the start of your next certification cycle to even consider this,” Huval said. “You can leverage your own work [and] the content in your existing certification and just focus on that new stuff, and get an updated report from HITRUST very quickly. So don’t feel like you have to wait a year or two, potentially, to do this if this interests you.”
To hear the full discussion, watch the webinar now on-demand.
As a HITRUST Authorized External Assessor, BARR has extensive experience in the HITRUST process and can serve as your trusted partner at every step of the way. Contact us today for a free consultation.