The demand for HITRUST certifications is at an all-time high. According to Health IT Security, since the founding of HITRUST in 2007, more than 80% of hospitals and health systems leverage HITRUST within their security practice. Recently, HITRUST announced the addition of a new assessment, the i1 Assessment, which adds another level of compliance solutions for healthcare organizations.
BARR Advisory currently offers the i1 Assessment through our HITRUST services. Senior Consultant Steve Ryan said, “The i1 Assessment is a new one-year assessment that is designed to address the continuously relevant cybersecurity threat landscape. The i1 Assessment is great for organizations that are looking to provide a moderate level of assurance on transparency, accuracy, consistency, and integrity.”
Ryan is here to answer your questions about the new assessment and how BARR can help you through the certification process.
Q: There’s been a lot of recent attention on the i1 Assessment. Why is this, and are organizations starting to require vendors to obtain the HITRUST i1?
A: Yes, they are. The Provider Third Party Risk Management Council, which is comprised of prominent chief information security officers from leading health systems and provider organizations, recently released a press release announcing that any vendors wanting to work with them and who are considered moderate-risk must obtain the HITRUST i1 Certification.
The Council’s governing organizations include Cleveland Clinic, Mayo Clinic, and Tufts Medicine, so as you can imagine, this requirement will impact a lot of vendors.
Q: HITRUST has said the i1 Assessment is “threat-adaptive.” Can you explain what that means?
A: Threat-adaptive simply means that as the threat landscape evolves, the i1 requirements will also update to address future risks. This ensures security controls are proactively adjusted on a quarterly basis to meet the latest cyberthreat activity, such as ransomware and phishing. This is a really unique innovation, considering most common frameworks remain unchanged for years.
Q: Can you explain the difference between the i1 and r2 Assessments? In what situations should organizations choose an i1 Assessment over the r2 Assessment?
A: The i1 Assessment allows smaller organizations with fewer support staff to become HITRUST certified. The reason for this is that the i1 only addresses the implementation of each control, as opposed to the r2, which requires a policy, a procedure, and the actual implementation of the control.
Organizations should choose an i1 over an r2 when they need to become HITRUST certified but don’t yet have a team dedicated to the implementation of a big project such as the r2. The i1 serves as a perfect stepping stone for organizations that want to implement a set of foundational controls, become HITRUST certified, and look to the future for tackling an r2 Assessment.
Q: How long is the HITRUST i1 Assessment valid?
A: The HITRUST i1 Assessment is valid for one year. This is because the control set evolves over time in order to adapt to the ever-changing cybersecurity threat landscape. Because it’s a one-year certification, there’s no interim assessment needed.
Q: What standards does the HITRUST i1 provide coverage for?
A: The i1 provides coverage for a number of industry standards, including:
- NIST 800-171
- GLBA Safeguards Rule
- HIPAA Security Rule
- Health Industry Cybersecurity Practices (HICP)
Q: Can you walk us through BARR’s process for the HITRUST i1 Assessment? How time intensive is it?
A: Here at BARR we bring our core value of simplicity to the HITRUST world. We have a three-step process for achieving HITRUST Certification:
- Readiness Phase: BARR tests your environment against the i1 controls and establishes a baseline.
- Remediation Phase: BARR provides simple and actionable steps for your organization to close identified gaps.
- Validation/Certification Phase: Once your organization is ready, BARR tests your environment against the HITRUST controls and submits the assessment to HITRUST for certification.
The entire process for an i1 can take anywhere from 6 months to a year, which is about half the time compared to the r2 Assessment.
BARR’s HITRUST Engagement Process
Q: Can users add Privacy into the i1 Assessments?
A: Currently, there’s no option to add Privacy into the i1 Assessment, although it’s available for an r2. HITRUST is actively developing a Privacy Certification offering, so we can all stay tuned to see when that becomes available.