HITRUST: Did You Know?—Part 3, “Test Once, Report Many” Approach to HITRUST

September 8, 2023 | HITRUST

As healthcare organizations currently face issues like a rise in ransomware and a drop in employment rates, it’s no surprise that professionals within the industry are looking to achieve a level of compliance that covers all their bases. While HITRUST CSF provides a high-level, prescriptive framework to simplify security requirements, did you know about its ability to convey assurance across multiple authoritative sources?

To better prepare organizations to begin or continue their healthcare compliance journey, the HITRUST Alliance recently released HITRUST: Did You Know?, a guide covering ten essential facts about HITRUST certification. We’re explaining these facts in a four-part blog series so your organization has all the information about HITRUST. Read our first and second blogs highlighting the e1, i1, and r2 HITRUST Assessments and HITRUST’s risk assessment program. 

Here are a few more facts about HITRUST that help explain how to leverage certification with other frameworks and standards.

BARR takes a “test once, report many” approach to auditing to achieve HITRUST certification. 

BARR is proud to say that we are one in nine firms in the U.S. eligible to perform audits against all three of the most highly regarded frameworks: ISO 27001, SOC 2, and HITRUST. HITRUST CSF can serve as a risk assessment for the ISO 27001 audit, and if your organization has HITRUST in place, BARR can provide expert guidance and feedback on how to close any identified gaps ahead of time. This can help avoid potential nonconformities during your ISO 27001 audit.

In addition to ISO 27001, a HITRUST certification can help satisfy the requirements of other assessments like SOC 2, PCI DSS, FedRAMP, and more. With SOC 2, for example, the AICPA’s trust services criteria align with the CSF criteria, which allows us to issue SOC 2 plus HITRUST in a collaborative reporting model. 

SOC 2 and HITRUST Certification aren’t the same regarding control suitability, consistency, integrity, and transparency. 

It’s a common misconception that SOC 2 is a certification. SOC 2 is an attestation resulting in a report, while HITRUST is a certification that provides reliability, quality, and transparency. 

  • SOC 2—Following an audit over the AICPA’s trust services criteria, a third-party firm issues a SOC 2 report that contains its opinion. 
  • HITRUST—A HITRUST certification is based on a framework of authoritative sources, offering reliable assurances. 

Every HITRUST assessment is based on the HITRUST CSF, an objective and quantitative cybersecurity framework. The HITRUST CSF maps each control to multiple authoritative sources, including HIPAA and GDPR. HITRUST can be mapped to SOC 2, too. With the addition of the e1 assessment to the HITRUST portfolio, the time, talent, and financial resources required to become HITRUST certified are comparable to getting a SOC 2.

The e1 is a one-year cybersecurity certification focusing on essential information security controls. Low-risk organizations can use it to demonstrate that foundational cybersecurity practices are in place. Organizations intending to pursue more robust assessments can use it as the first step in a HITRUST journey.

A HITRUST assessment and resulting certification can convey assurances over other authoritative sources like HIPAA and ISO.

The HITRUST CSF integrates and harmonizes information protection requirements from many authoritative sources, including ISO, PCI, and HIPAA. It can be tailored to an organization’s requirements based on specific organizational, technical, and compliance risk factors. One HITRUST assessment can be used to satisfy many reporting requirements, saving organizations time and money. 

HITRUST assessment results can include, but are not limited to, the following:

  • HITRUST CSF Certification Report
  • HITRUST Letter of Certification
  • NIST Cybersecurity Framework Certification

The level of integration and prescriptiveness provided by the cybersecurity framework, along with the quality and rigor of the HITRUST Assurance Program and supporting products and services, make the HITRUST CSF the easy choice for organizations in any industry.

Contact us to learn more about BARR’s “test once, report many” approach and how you can leverage HITRUST to gain SOC 2 and ISO 27001 certification.
