What Is a HITRUST Engagement?

February 11, 2025

Data breaches have grown at a startling pace, from barely 150 in 2005 to over 1,000 in 2020 and three times as many just a few years later (3,200+). Both corporate clients and everyday Americans expect businesses to have a trustworthy cybersecurity framework — especially in sensitive areas like financial services and healthcare. One of the most well-known certifications is the Health Information Trust Alliance framework, also called HITRUST CSF. For healthcare providers interested in certification, the first thing to know is what a HITRUST engagement is.

What Is a HITRUST Engagement and What Does It Involve?


A HITRUST engagement is an assessment of your organization’s compliance with the HITRUST cybersecurity framework. This audit reviews how well your policies, systems, and personnel align with data security and privacy best practices, from access control measures to risk management. HITRUST engagements fall into two main categories: readiness assessments and validation assessments.

HITRUST Readiness Assessments

A readiness assessment doesn’t provide certification. Instead, the goal of this type of review is to help your organization understand where it currently stands in terms of HITRUST CSF compliance. Think of it like a practice SAT before taking the actual exam.

Professional firms generally use a CPA, licensed inspector, or experienced HITRUST/HIPAA specialist to provide consulting services. During this assessment, you can ask questions, see areas where you need to improve, set reachable objectives, and get trustworthy recommendations for implementation.

HITRUST CSF Validation Assessments

Validation assessments are the real deal: the official audit that verifies HITRUST compliance. After successfully meeting the required control scores, your organization can be HITRUST CSF certified for up to two years. Validation assessments must be performed by a HITRUST-accredited external auditor or assessor.

What Do HITRUST Engagement Levels Mean?


One of the best things about the HITRUST framework — besides the fact that it combines controls from HIPAA, PCI DSS, and other essential standards for healthcare providers — is the way it adapts to your organization’s needs. There are three different levels of HITRUST engagement.

HITRUST e1 Assessment: Foundational

The first level of HITRUST engagement covers essential cybersecurity practices and controls for businesses. This foundational program looks at 44 controls in 14 categories. Many organizations can obtain this level of certification in 90 days.

This type of HITRUST engagement provides entry-level cybersecurity. It can suit the needs of smaller practices or organizations with a minimal level of risk.

The great thing about HITRUST controls is that they’re the same across different levels of engagement. The only thing that increases is the number of controls, not what they involve. That means that achieving e1 certification is valuable even if your ultimate goal is to work toward i1 or r2 validation.

HITRUST i1 Assessment: Moderate

The i1 assessment is designed for organizations that have moderate risk or cybersecurity complexity. It requires more effort to obtain but also offers greater confidence and threat protection.

This level of HITRUST engagement means successfully implementing over 180 controls. Even businesses that already have a foundational level of cybersecurity typically need six to 12 months to achieve certification.

For some healthcare organizations, robust i1 validation covers their risk profile and cybersecurity needs perfectly. Larger hospitals and insurers can use an i1 engagement as an intermediary step on the way to r2 certification.

HITRUST r2 Assessment: Advanced

The advanced level of HITRUST engagement is r2, a detailed, risk-oriented framework with over 200 controls and rigorous cybersecurity expectations. The control set covers areas such as:

  • Access control for software, hardware, networks, and mobile devices
  • Secure HR processes
  • Risk management and mitigation
  • Regulatory compliance
  • Physical security measures
  • Encryption at rest and in transit

Even for the largest organizations, obtaining r2 certification can take two years or more. This level of engagement is necessary for healthcare providers that process a large volume of protected health information, medical records, patient data, or financial information.

HITRUST r2 engagement is an ideal complement to HIPAA compliance. It covers the pillars of the Security Rule, Privacy Rule, and Breach Notification Rule.

HITRUST CSF also shares many controls with other cybersecurity and privacy frameworks, such as SOC 2, ISO 27001, NIST CSF, CCPA, and GDPR. In other words, once you’re HITRUST compliant, obtaining other certifications or attestations is much faster and easier.

How Do You Choose the Right HITRUST Engagement Level?


Many companies fall under the healthcare industry label, including organizations with minimal contact with patient data, such as medical device manufacturers and pharmaceutical companies. When deciding what level of HITRUST engagement — which corresponds to a level of cybersecurity maturity — your organization should pursue, consider at least six factors:

  1. Risk: The higher your company’s risk of data breaches and ransomware attacks — which in healthcare can lead to fatal patient outcomes — the more robust your cybersecurity controls must be.
  2. Operations complexity and vulnerabilities: If your organization operates multiple locations, provides telehealth services, and uses a proprietary platform for accessing and organizing patient data, then HITRUST r2 engagement should be a priority.
  3. PHI and PII processing: Healthcare organizations that store medical records and other sensitive data on thousands or millions of patients must prioritize the highest level of cybersecurity preparedness.
  4. Staff size: Considering that nearly 90% of successful cyberattacks involve human error, enterprises with a large number of employees are inherently more exposed than small teams.
  5. Technology and software: Mobile devices, Electronic Health Record software, online databases, and telemedicine apps all require advanced cybersecurity controls to keep PHI and PII secure.
  6. Certification and compliance budget: Each level of HITRUST engagement costs more and takes longer to achieve and certify, with some organizations spending over $150,000 for their first r2 validation assessment.

Keep in mind that medical records aren’t the only valuable data cybercriminals target. Protecting classified documents or confidential R&D files can be just as vital for your company. A high level of HITRUST engagement tells customers that your business can be trusted with their sensitive information.

What Is HITRUST Engagement Preparation?

Preparing for your HITRUST validation assessment is key to a successful audit. Automated compliance platforms can help with countless steps in the process, from risk assessments and real-time analysis to documentation workflows and objective tracking. No matter what your HITRUST engagement involves, Compyl makes the journey easier. Learn how to streamline the road to HITRUST certification today.
