It’s Time to Get Started: HITRUST Certification


Across industries like healthcare, technology and insurance, HITRUST (Health Information Trust Alliance) certification has become the most widely adopted security framework to mitigate risk and protect sensitive data. While many players in the information lifecycle leverage the HITRUST approach to provide patients and partners with greater peace of mind, for some, the certification seems overly complicated and out of reach. However, recent changes are making the path towards HITRUST certification more attainable than ever before. If you’ve been putting the certification process off, BDO is here to help you get started.


An On-Ramp to HITRUST Certification

The road to HITRUST certification can be time-consuming and complex. Before completing a full assessment, a lot of questions need to be addressed. To begin, you need to assess your current security protocols to determine how far away they are from being in compliance with HITRUST requirements. Next you need to choose a trusted provider — one that is a certified HITRUST external assessor — to conduct the assessment. Finding the right provider can take time and you need to make sure you select one that fully understands your industry and has experience working with organizations like yours. Finally, you need to scope out the assessment based on an evaluation of your security systems and processes. 

From the initial conversations to completion, a full assessment can take up to two years to complete. Historically, that time commitment may have made pursuing an assessment too challenging for an organization. As a result, many enterprises may have fallen behind the curve when it comes to managing the risks involved with handling sensitive patient data. However, over the past two years, new certification options have been rolled out that can significantly cut down the time spent on the certification process. These include the i1 and the recently announced e1 assessment options. Additionally, an update to the HITRUST framework itself was recently announced with the release of version 11.

The new e1 certification is accessible to any organization that wants to start the assessment process. Designed as a single framework within the HITRUST CSF, this new option can provide enhanced reliability while helping organizations achieve their assurance needs for varying risk levels and compliance requirements, including evolving cyber threats.

New Assessment Option Added in Latest Release

Recently, HITRUST released a new assessment option, e1, which is a diagnostic tool for organizations to check themselves against the more robust HITRUST i1 and R2 certification options. Previously, most organizations chose the HITRUST Implemented 1-year (i1) assessment as their first step toward a certification. The new e1 assessment is even simpler for organizations than i1 — unlike i1, which has 182 controls, e1 has just 44 and was essentially designed to allow organizations with a lower risk profile to achieve a basic best practices report via a lower-effort cyber security assessment. For many organizations, however, that may not provide the level of assurance required to build trust and confidence with customers. That may explain the industry chatter around HITRUST i1 and R2, and why many risk and compliance officers who may have initially felt apprehensive about the rigor of the R2 attestation are now asking if this new framework may be the right first step for them.

The HITRUST v11 framework outlines the certification requirements a company will need to follow to attain full certification, and the e1 includes what HITRUST considers to be the key best practice controls within the new framework. Organizations should approach e1 as a stepping stone that will make it easier for compliance officers and risk managers to prepare for a full attestation down the road.

While HITRUST certification was designed to help safeguard sensitive patient data held by healthcare providers, the new version can be a compelling proposition for other industries that steward sensitive customer data, too. 

Helping You Get Started

BDO has been engaged with HITRUST since 2015, serving at times as members of both the HITRUST Assessor Council and HITRUST Marketing Council. We work closely with the HITRUST Alliance to help organizations mitigate risk while protecting sensitive data.

As one of the largest HITRUST Authorized CSF Assessor Organizations, BDO helps clients build and sustain trust with key stakeholders, using HITRUST certification to demonstrate their approach to safeguarding patient data. Our team has more than 50 years of provider experience across the entire C-suite, combined with industry-leading knowledge in cybersecurity, compliance, information and records management, e-discovery, auditing and technology solution development.

Safeguarding customer data — especially in highly regulated industries like healthcare — is not only an essential part of risk management, it’s critical to meeting regulatory compliance standards and strengthening trust and confidence with your customers. The path to achieving the gold standard of HITRUST certification is closer than ever before. Our team is here to help you get started and determine whether the e1, i1, or R2 is the right first step.

Want to learn more about how BDO can help? Check out our Third Party Attestation services for more information.