Let Us Guide You Through Your InfoSec & Compliance Journey.
Learn how to use the Compyl Platform.
Watch all Security Session Episodes
Real-world stories on how we help our customers.
Your company would like to believe it is ready to tackle cyber threats, but is that the truth? (And how do you prove it?) With cloud environment instructions up 75% in 2023, many organizations are eager to demonstrate good security posture––not just to protect their systems, but to maintain stakeholder trust. The HITRUST scoring rubric helps them do just that.
HITRUST, or the Health Information Trust Alliance, developed a rubric to assess companies’ information security and privacy practices. It combines different standards and regulatory requirements into a single, harmonized system. The rubric evaluates an organization’s compliance with the HITRUST CSF (Common Security Framework).
The HITRUST rubric operates on a maturity model. This means it grades businesses on a scale that measures the effectiveness of their security controls. It looks at a variety of factors, including policy development, procedure implementation, and continuous improvement. The rubric assigns an overall rating, based on the total scores of all controls.
HITRUST scores companies on five key areas: policy, procedure, measure, managed, and implemented. Here’s a quick breakdown of what each area entails.
The policy section consists of Tiers 0 to 2. Tier 0 means there is no policy and Tier 2 means you have a documented policy in place. The percentage of evaluative elements addressed by the organization’s policy determines the policy’s strength. Policy strength may be very low (0-10%), low (11-32%), moderate (33-65%), high (66-89%), or very high (90-100%).
If you have a documented policy (Tier 2) and your policy strength is high, you would earn an “MC” rating. An MC rating means “mostly compliant.”
The procedure component of the HITRUST scoring rubric follows a template similar to the policy network. Tier 0is no procedure, Tier 1 is an undocumented procedure, and Tier 2 is a documented procedure. Procedure strength is defined as the percentage of evaluative elements addressed by the organization’s procedure. This uses the same scoring categories as policy.
For instance, if you are at Tier 0 and score a moderate level of compliance, you are still considered “non-compliant” (NC).
Measured includes four tiers. The lowest (Tier 0) is no measurements being used, and the highest (Tier 4) is measurements being used including an independent rubric. Let’s assume you are Tier 3 and score very high in measurement strength. You would be considered FC, or “fully compliant,” earning full points.
The managed section of the HITRUST scoring rubric looks at risk treatment process strength. It consists of Tiers 0 through 4, with 0 being no risk treatment process OR measured score and 4 being documented with all formal risk treatment process criteria addressed.
To give an example, a Tier 2 business whose risk treatment process strength was found to be low is considered somewhat compliant (SC).
There are four tiers to the implemented section. It ranges from Tier 0 (0-10% of scope) to Tier 4 (90-100% of scope). Like the other categories, the implemented rubric rates strength from very low to very high.
To receive a passing score on the HITRUST scoring rubric, businesses must achieve a score of 62 or greater across all domains. This score reflects the maturity and effectiveness of the implemented security controls. It also demonstrates a solid commitment to cybersecurity and data privacy.
HITRUST is often compared to other standards, most notably ISO 27001. But how do they differ? ISO 27001 encompasses several different standards designed to help organizations build and implement information security management systems. It applies to most industries and is a globally recognized framework.
HITRUST, by contrast, was originally developed to address the needs of the healthcare industry. It was meant to integrate regulatory requirements like HIPAA and HITECH. It’s tailored to help healthcare companies and related sectors achieve compliance and manage risks associated with sensitive healthcare information.
While both frameworks deal with data privacy and security, ISO 27001 is a more universal standard. HITRUST mainly applies to healthcare organizations and similar institutions.
Though the HITRUST scoring rubric may just seem like another one of the many regulatory frameworks, it has serious implications for businesses. By integrating multiple standards into a single, comprehensive framework, HITRUST provides a uniform approach to compliance.
HITRUST provides a detailed set of controls that help organizations implement robust security practices. For healthcare organizations, developing a strong security posture is key to remaining compliant in a space where data breaches cost an average of $10.93 million.
In healthcare particularly, trust is paramount, and achieving HITRUST certification validates your commitment to data protection. This certification can set your organization apart from the crowd and give you a noticeable competitive edge. It signals to patients, partners, and regulators that your business adheres to the highest standards and is dedicated to safeguarding their data.
Achieving HITRUST certification is easier said than done, but it is possible. Use these tips to help you hit that score of 62 or higher:
Like most aspects of compliance, getting on the right side of HITRUST takes time. You may need to overhaul certain processes and systems to achieve a high score. Not sure where to start? Ask the experts.
There are several components to the HITRUST scoring rubric, and getting on board with the framework can be tricky. You have to get your ducks in a row and ensure everyone in your company understands what it takes to score well. Compyl helps organizations streamline HITRUST compliance, utilizing features such as workflow automation and multiple framework mapping. To learn more about how we can help you pass the HITRUST assessment, contact us today.
