Skip to content

What are HITRUST levels?


What is HITRUST?

HITRUST, which stands for Health Information Trust Alliance, is an organization that helps healthcare organizations manage and protect their information. HITRUST offers a comprehensive framework called the HITRUST CSF (Common Security Framework) that incorporates all relevant regulations and standards to ensure the security, privacy, and compliance of healthcare data. The HITRUST CSF provides a certifiable framework that allows organizations to assess, implement, and measure their security controls and regulatory compliance efforts. The framework is based on a risk-based approach and includes control objectives, control specifications, and control references for various domains. HITRUST also offers a range of certification levels that represent the maturity of an organization's security controls, allowing healthcare providers to demonstrate their commitment to protecting sensitive information. Through their assessment process, organizations receive a detailed report that identifies areas of improvement and provides guidance on implementing corrective actions. With the HITRUST CSF and certification process, healthcare organizations can effectively manage their regulatory risk factors and enhance their overall security posture.

Levels of HITRUST certification

HITRUST certification is recognized as a benchmark for evaluating and managing information risk in healthcare organizations. It provides a comprehensive framework that helps organizations address the regulatory requirements and cybersecurity threats they face. HITRUST certification is achieved through a process that includes multiple levels, each with its own set of requirements.

The first level is the baseline requirements, which include the implementation of controls to address common regulatory risk factors and protect sensitive information. This level ensures that the organization has a strong foundation in place for managing risks and meeting compliance obligations.

The second level is the intermediate risk requirements. At this level, organizations are expected to go beyond the baseline and implement additional controls to address more complex risk factors. This includes assessing the effectiveness of security controls, conducting risk assessments, and implementing corrective actions.

The third level is the advanced risk requirements. This level focuses on organizations that have already achieved a high level of maturity in information risk management. It requires the implementation of advanced controls and practices that address emerging cyber threats and regulatory factors.

The different levels of HITRUST certification are important because they provide a roadmap for organizations to continuously improve their information risk management and compliance programs. Each level builds upon the previous one, ensuring that organizations are continuously addressing new challenges and evolving regulatory requirements.

By achieving higher levels of HITRUST certification, organizations demonstrate their commitment to safeguarding sensitive information and managing risks effectively. This not only protects the organization and its stakeholders from cyber threats but also enhances the organization's reputation and trustworthiness in the healthcare industry.

HITRUST CSF levels

HITRUST CSF (Common Security Framework) is a certifiable framework that helps healthcare organizations manage risks and comply with regulatory requirements. HITRUST CSF has several levels that organizations can achieve based on their maturity in information risk management. The different levels provide organizations with a roadmap to continuously improve their risk management practices and compliance programs. Each level builds upon the previous one, ensuring that organizations address new challenges and evolving regulatory requirements. The baseline requirements form the first level, which establishes a strong foundation for managing risks. The intermediate risk requirements comprise the second level, where organizations go beyond the baseline and implement additional controls. The third level, advanced risk requirements, focuses on organizations with a high level of maturity in risk management and requires the implementation of advanced controls to address emerging threats and regulatory factors. HITRUST CSF levels enable organizations to strengthen their information security posture and protect sensitive information. Overall, HITRUST CSF certification helps healthcare providers demonstrate their commitment to safeguarding data and meeting regulatory expectations.

Level 1: baseline requirements

Level 1 of HITRUST certification consists of the baseline requirements that organizations need to meet in order to demonstrate their commitment to protecting sensitive healthcare data. This level serves as the foundation upon which recommendations or upgrades to higher levels are built.

Level 1 takes into account various organization factors including type, size, and location. These factors are considered to ensure that certification requirements are aligned with the specific needs and resources of each organization.

To achieve Level 1 certification, organizations must comply with 135 different controls which are categorized into 19 distinct control categories. These categories include areas such as mobile devices, logging/monitoring, incident management, configuration, endpoint protection, and wireless protection. Each category addresses specific aspects of cybersecurity to provide comprehensive coverage.

The controls encompass a wide range of requirements to mitigate cyber threats and ensure regulatory compliance. They address areas such as access control, secure configuration, incident response, and risk management, among others.

By meeting the baseline requirements of Level 1, organizations establish a solid framework for safeguarding sensitive data and protecting against potential security breaches. This level sets the stage for further enhancements and certifications as organizations continue to prioritize the security and privacy of healthcare information.

Level 2: intermediate risk requirements

Level 2 of HITRUST certification focuses on intermediate risk requirements that healthcare organizations must meet in order to enhance their cybersecurity measures. These requirements build upon the baseline requirements of Level 1 and address specific regulatory and system risk factors.

Different from the baseline requirements of Level 1, Level 2 places additional emphasis on regulatory risk factors. It requires organizations to demonstrate an understanding of regulatory compliance and incorporate it into their risk management framework. This includes implementing control objectives and control specifications that align with relevant regulatory requirements in order to mitigate potential risks.

In addition to regulatory risk factors, Level 2 also considers system risk factors. Organizations must conduct a thorough risk assessment to identify potential vulnerabilities, threats, and impacts to their systems. They are then required to develop and implement appropriate security controls to address these risks effectively.

When addressing intermediate risk requirements for Level 2, organizations should consider several key factors. These include assessing the adequacy of their current control implementations, aligning control requirements with industry best practices, addressing any gaps identified in the baseline assessment, and implementing corrective actions to enhance their risk management capabilities.

To ensure readiness for Level 2 certification, organizations can undergo a HITRUST readiness assessment. This assessment serves as a comprehensive evaluation of an organization's compliance with the intermediate risk requirements. It provides valuable insights into areas that need improvement, allows organizations to remediate any deficiencies before the actual certification assessment, and helps optimize their control environment.

Level 3: advanced risk requirements

Level 3 in the HITRUST certification process introduces advanced risk requirements that build upon the baseline and intermediate levels. This level focuses on addressing more advanced security risks faced by healthcare organizations.

At Level 3, organizations are required to demonstrate a higher level of maturity in their risk management framework. This includes implementing comprehensive control objectives and control specifications that align with industry best practices and regulatory requirements. These controls aim to mitigate potential risks and protect sensitive data effectively.

The specific control objectives in Level 3 cover various aspects of cybersecurity, such as access control, endpoint protection, and security incident response. Organizations must implement robust access control measures to prevent unauthorized access to systems and data. They also need to deploy effective endpoint protection solutions to safeguard against malware and other cyber threats. In addition, organizations must establish and maintain a timely and well-documented security incident response process to address potential security incidents effectively.

Furthermore, Level 3 requires organizations to regularly assess and evaluate their control environment compliance. They must ensure that control implementations are effective and aligned with the control references provided by the HITRUST CSF. This includes conducting periodic risk assessments, gap assessments, and security assessments to identify vulnerabilities and address them promptly.

HITRUST assessments

HITRUST assessments are an essential part of the HITRUST CSF certification process. These assessments evaluate the security control implementations and overall compliance of healthcare organizations with the HITRUST CSF framework. They help organizations identify and address any vulnerabilities or gaps in their control environment, ensuring that they meet the necessary regulatory requirements and industry best practices. HITRUST assessments involve various assessment types, including interim assessments, E1 assessments, I1 assessments, and R2 assessments. These assessments utilize a risk-based approach, considering regulatory risk factors and the specific control categories and domains relevant to healthcare providers. By undergoing HITRUST assessments, organizations can gain a level of assurance in their security posture and demonstrate their commitment to protecting sensitive data and mitigating cyber threats. Additionally, the HITRUST MyCSF tool provides a structured and streamlined process for organizations to manage their HITRUST assessments and track their progress towards certification. Overall, HITRUST assessments play a crucial role in helping healthcare organizations achieve and maintain regulatory compliance and enhance their cybersecurity posture.

E1 assessment

The E1 assessment is an essential component of the HITRUST CSF Assurance Program. It is designed to evaluate the current security posture of healthcare organizations and measure their compliance with the HITRUST Common Security Framework (CSF).

The primary purpose of the E1 assessment is to provide organizations with a certifiable assessment that offers insight into their control implementations, control environment compliance, and control requirements. It is a crucial step towards achieving HITRUST CSF certification, demonstrating a commitment to regulatory compliance and the protection of sensitive patient information.

Compared to the I1 and R2 assessments, the E1 assessment offers a lower level of assurance. This is reflected in its certifiable assessment duration of one year. While the I1 and R2 assessments provide a higher level of assurance and cover a broader range of control objectives and regulatory requirements, the E1 assessment focuses on a subset of these control categories.

The E1 assessment is targeted at healthcare organizations that have already established a decent security program and have implemented some security controls. It serves as an intermediate step for organizations aiming to further enhance their security posture and advance to higher levels of maturity and assurance with subsequent assessments. By participating in the E1 assessment, organizations gain valuable insights into their security readiness, identify gaps in their control implementations, and develop corrective actions to mitigate cyber threats and regulatory risks.

I1 assessment

The i1 assessment is an integral part of the HITRUST assessment framework, which is designed to help healthcare organizations assess their security controls and achieve regulatory compliance. It is considered a foundational level assessment and serves as a stepping stone towards HITRUST CSF certification.

The i1 assessment focuses on a subset of control categories within the HITRUST CSF framework, specifically on control objectives and control references related to the protection of sensitive patient information. It evaluates the organization's implementation of these controls, ensuring that the necessary security measures are in place to address regulatory risk factors.

In terms of certification requirements, the i1 assessment requires organizations to undergo an independent assessment conducted by a HITRUST-approved assessor. This assessment should cover various aspects such as control implementations, control environment compliance, and control requirements. The objective is to evaluate the organization's level of maturity in managing cybersecurity risks and protecting patient data.

Scoring for i1 assessments follows a simpler process compared to other assessments within the HITRUST framework. Evaluative elements are used to determine the organization's implementation score. These elements include the presence, consistency, and effectiveness of the implemented controls. Based on the evaluation, the organization will receive a score indicating their level of implementation maturity and regulatory compliance.

Interim assessments

Interim assessments play a vital role in the HITRUST certification process, ensuring that organizations maintain their HITRUST compliance and uphold a strong security posture. These assessments are conducted by a certified assessor to validate and assess the organization's ongoing adherence to the HITRUST Common Security Framework (CSF) and its control requirements.

The purpose of interim assessments is to provide a measure of assurance that organizations continue to meet the rigorous security standards set by HITRUST. They serve as a check-in point to evaluate the effectiveness of the implemented controls, identify any gaps or weaknesses, and recommend corrective actions to mitigate potential risks. By undergoing regular interim assessments, organizations can proactively address emerging cyber threats and maintain a high level of security maturity.

HITRUST requires organizations to undergo an interim assessment one year after achieving their certification. This ensures that organizations continue to meet the evolving regulatory requirements and stay up to date with the latest security measures. The assessment assists in validating the organization's commitment to maintaining a comprehensive risk management program and effectively managing security controls.

 

MyCSF tool

The HITRUST MyCSF tool is a comprehensive and user-friendly platform designed to assist organizations in successfully implementing and managing the HITRUST CSF (Common Security Framework) certification process. This innovative tool provides healthcare organizations with a step-by-step roadmap to help them navigate the complex requirements of regulatory compliance, risk management, and security controls. With MyCSF, organizations can easily assess their level of assurance, determine their levels of maturity, and track progress towards achieving HITRUST CSF certification. The tool also aids in identifying and prioritizing control objectives, generating requirement statements, and facilitating control implementations. By leveraging the MyCSF tool, healthcare providers can streamline the assessment process, enhance their control environment compliance, and ultimately gain the benefits of HITRUST CSF certification.

Overview of MyCSF tool

The MyCSF tool is a powerful and comprehensive Governance, Risk, and Compliance (GRC) tool that is specifically designed to address the complex compliance requirements of the healthcare industry. It offers organizations a robust and efficient platform to assess and tailor their compliance with multiple frameworks and standards.

One of the key features of the MyCSF tool is its ability to customize assessments based on system factors such as the number of users, accessibility, transactions, and legacy technologies. This allows healthcare organizations to obtain a more accurate and tailored assessment of their compliance efforts.

By leveraging the MyCSF tool, healthcare organizations can streamline their compliance management processes and easily identify areas of improvement. The tool offers a user-friendly interface that guides organizations through the entire compliance journey, from initial assessment to implementation and ongoing monitoring.

With its extensive functionality and flexibility, the MyCSF tool is a valuable asset for healthcare organizations looking to meet the compliance requirements of various frameworks and standards. By using this tool, organizations can ensure that they are meeting all regulatory requirements, mitigating risk factors, and effectively securing patient data.

Benefits of using the MyCSF tool

The MyCSF tool offers numerous benefits when it comes to HITRUST assessments for healthcare organizations. One of the key advantages of using this tool is its ability to customize assessments based on the unique systems and factors of each organization. This allows organizations to obtain a more accurate and tailored assessment of their compliance efforts, ensuring that all relevant controls and requirements are addressed.

By leveraging the MyCSF tool, healthcare organizations can streamline their compliance management processes. The tool provides a user-friendly interface that guides organizations through the entire compliance journey, including initial assessment, implementation, and ongoing monitoring. This not only saves time and effort but also ensures a comprehensive and systematic approach to compliance.

Another significant benefit of using the MyCSF tool is cost savings. The tool allows organizations to meet multiple compliance frameworks, including regulatory requirements beyond HITRUST. By consolidating compliance efforts, organizations can avoid duplicative assessments and audits, ultimately reducing costs associated with achieving and maintaining compliance.

Implementing HITRUST in healthcare organizations

Implementing HITRUST in healthcare organizations is crucial for ensuring the security and privacy of patient information in today's digital age. HITRUST, which stands for Health Information Trust Alliance, offers a certifiable framework called the HITRUST CSF (Common Security Framework) that enables organizations to demonstrate compliance with various regulatory requirements and industry best practices. This framework provides a risk-based approach to security control implementation and includes control objectives, specifications, and references across various control domains. Implementing HITRUST involves a comprehensive assessment process that evaluates the organization's control maturity and compliance with regulatory risk factors. By achieving HITRUST certification, healthcare organizations not only enhance their security posture but also gain a competitive advantage by demonstrating their commitment to safeguarding patient data. Additionally, implementing HITRUST can result in cost savings by reducing duplicative assessments and audits, as well as streamlining compliance efforts through the use of tools like MyCSF. Overall, implementing HITRUST is a critical step towards ensuring the protection of sensitive patient information and maintaining regulatory compliance in the healthcare industry.

Regulatory factors to consider

Healthcare organizations face an array of regulatory factors when it comes to implementing the HITRUST framework. One crucial aspect is complying with information security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and other industry-specific requirements.

During the HITRUST R2 assessment process, regulatory risk factors play a significant role. The assessment evaluates an organization's compliance with various regulatory requirements. Non-compliance with these regulations can result in severe consequences, including fines, legal actions, reputational damage, and a loss of patient trust.

Organizations need to establish and maintain compliance with a range of specific regulatory requirements. These may include securing protected health information (PHI), ensuring proper access controls are in place, conducting regular risk assessments, and implementing appropriate technical safeguards.

In addition to regulatory risk factors, organizations must also consider organizational and system risk factors. These factors assess the overall risk posture of the organization, taking into account its infrastructure, technology, and potential vulnerabilities. These risk factors are an essential component of the HITRUST assessment process, as they provide a comprehensive understanding of the organization's security controls and their effectiveness in mitigating cyber threats.

Successfully implementing HITRUST requires not only achieving regulatory compliance but also addressing organizational and system risk factors. By doing so, healthcare organizations can bolster their security posture, protect patient data, and gain a competitive edge in the industry.

General thought leadership and news

Why 6clicks is outpacing legacy GRC platforms like Archer, ServiceNow and Diligent

Why 6clicks is outpacing legacy GRC platforms like Archer, ServiceNow and Diligent

For years, Archer, ServiceNow, and Diligent were the go-to names in GRC software. Archer’s rich functionality made it a leader, while ServiceNow’s IT...

ServiceNow GRC pricing: Is it worth it in 2025?

ServiceNow GRC pricing: Is it worth it in 2025?

Concerned about ServiceNow GRC’s pricing plans and total cost of ownership?

5 steps for effective risk management

5 steps for effective risk management

Whether you’re planning a new project or looking to enhance your organization’s security program, implementing risk management is crucial in ensuring...

How to become NIST certified in 6 steps

How to become NIST certified in 6 steps

Aligning your organization with in-demand cybersecurity frameworks safeguards your data, systems, and operations from diverse threats, helping you...

Hailey goes deeper: Automatic risk and issue generation for assessments

Hailey goes deeper: Automatic risk and issue generation for assessments

Hello everyone, we're excited to introduce a powerful new feature for Hailey AI: risk and issue generation from assessments. This update...

Soup to nuts: Aligning GRC technology with your end-to-end service delivery model

Soup to nuts: Aligning GRC technology with your end-to-end service delivery model

This case study highlights the challenges faced by a global advisory firm looking for a comprehensive technology platform to support their entire...