HITRUST just released its 11th version of HITRUST cybersecurity framework or HITRUST CSF. One of the major changes in version 11 is the removal of the HITRUST bC assessment and its replacement with the new HITRUST e1.
Let’s dive into some high-level information about what the HITRUST e1 assessment is, why an organization would pursue it, and how it improves on the HITRUST bC assessment.
- Quick Intro to HITRUST
- What is the HITRUST e1 Certification?
- Why Was HITRUST e1 Certification Introduced?
- HIPAA Security Rule vs HITRUST e1
- NIST CSF vs HITRUST e1
- NIST SP 800-53 vs HITRUST e1
- SOC 1 and SOC 2 vs HITRUST e1
- ISO 27001 vs HITRUST e1
(NOTE: If you’re considering HITRUST certification, our free tool below matches you with a top-rated HITRUST consultant that can meet your specific needs and budget)
Quick Intro to HITRUST
HITRUST is an organization devoted to providing a certifiable and translatable framework. Originally, the HITRUST CSF was targeted at the healthcare industry and focused on driving demonstrable HIPAA Security Rule compliance. It’s even in the HITRUST name, which stands for Health Information Trust Alliance.
Since then, HITRUST has grown beyond focusing on healthcare and into other heavily regulated industries. HITRUST assessment and certification is a benchmark for a high degree of security sophistication and verifiable mitigation strategies against cyber threats.
Prior to January 18, 2023, there were three HITRUST assessment options:
- HITRUST Basic, Current-state (bC) assessment – a self-assessment of an organization’s security controls. This was typically performed in preparation for future HITRUST certification or by low-risk organizations. There were no certification options for a HITRUST bC assessment.
- HITRUST implemented 1-year (i1) validated assessment – the HITRUST i1 assessment is a HITRUST CSF-validated assessment conducted by a certified and licensed auditor. It’s based on 219 controls from the HITRUST CSF that align with the MITRE ATT&CK framework. It’s designed for organizations that present a moderate level of risk.
- HITRUST 2-year (r2) validated assessment – the r2 assessment is a HITRUST CSF-validated assessment of the complete HITRUST cybersecurity framework applicable to an organization. The number of controls is risk-based and size-based.
On January 18, 2023, HITRUST replaced the current state assessment with the e1 certification.
What is the HITRUST e1 Certification?
The new HITRUST e1 assessment highlights, in my opinion, how receptive HITRUST is to feedback from its users and assessors. The HITRUST e1 provides a different value proposition than the bC and only for the better. I’m excited for the development and that HITRUST decided to provide basic certification options and HITRUST security assessments.
The HITRUST bC assessment helped small business information security, but not in a particularly unique way. Small or low-risk businesses could register with HITRUST, conduct a bC assessment, and catalog the results in the HITRUST Assurance Intelligence Engine.
That’s a great way to help small businesses and low-risk organizations. But it’s really no different than driving internal HITRUST CSF compliance and recording that with some audit tracking tool. There was no external-facing certification to signify the level of control implementation.
Why Was HITRUST e1 Certification Introduced?
The HITRUST e1 certification changes that and provides more certification options to small and low-risk businesses. Instead of an approximately 70 control bC assessment, an organization can now be certified against the 44 control e1 assessment. That’s a far cry from the 219-question HITRUST i1 validated assessment, reserved for organizations that present moderate risk, but provides a verifiable security baseline and solid control requirements.
Even though the e1 is lower effort than the HITRUST i1 or r2 from a control set standpoint, that doesn’t make it any less useful. The certification component highlighters that an organization has an independently verifiable high level of security program quality. That can be valuable to clients or customers who want verifiable controls but don’t require extensive control requirements.
How Does the e1 Certification Fit In?
The HITRUST e1 certification provides an entry-level HITRUST CSF certification. That certification can be an end in itself as a representation of a low-risk organization’s security program. It can also be the first stop on a multi-year multi-step HITRUST journey.
The HITRUST CSF was designed to support growth from the HITRUST e1 assessment to the HITRUST implemented 1-year (i1) validated assessment or the HITRUST 2-year (r2) assessment. This is designed to be a threat-adaptive assessment approach: as risk escalates from low to moderate level or even high level or highest level, organizations can escalate their assessments and certifications.
That’s a model that just makes sense. It provides easy certification growth that’s adaptive to growing risk management needs. It also builds organizational memory around the assessment process and cadence, which can be important when organizations begin their security compliance journey. Furthermore, it provides an easy introduction to the HITRUST risk-based approach.
What Else Does the HITRUST e1 Certification Provide?
The new HITRUST e1 certification provides a comprehensive evaluation of select HITRUST CSF controls. The relative ease of complying with those controls and the low volume of controls makes the e1 certification accessible to most organizations.
That’s also a risk-based determination: if an organization believes that it’s low-risk, then it can and should pursue the e1 assessment. If, however, an organization determines its moderate risk, it can pursue the HITRUST i1 assessment. By having multiple flexible assessment options, organizations aren’t shoehorned into deciding between a self-assessment or certification.
HITRUST assessments boast development based on threat intelligence data and other frameworks. the HITRUST e1 standards continue that approach by accounting for that threat intelligence data on a quarterly basis.
How Many Controls Are There?
The HITRUST e1 certification covers 44 HITRUST CSF controls, regardless of organization size. The HITRUST implemented 1-year (i1) validated assessment covers 219 HITRUST CSF controls, also regardless of organization size.
The HITRUST r2 validated assessment can cover between 198 and 2000 control requirements from the HITRUST CSF. It’s the most comprehensive of the three HITRUST assessments.
Just how many control requirements are included depends on an organization’s size. The determination is also risk-based: does the infrastructure under evaluation pose a significant risk if compromised or lower risk? Ideally, an organization’s security practices would reflect that risk level. So too should their HITRUST assessment.
What’s The Benefit of HITRUST e1 Certification?
The HITRUST e1 certification provides numerous benefits compared to other HITRUST assessments, past and present.
The HITRUST e1 certification was designed with risk-based suitability of control requirements. Low-risk organizations may not want or need to expend effort to certify against 219+ controls. Instead, those organizations may want to leverage security assessments to demonstrate baseline regulatory compliance to customers and clients.
Assessing against a small portion of the HITRUST framework designed to provide baseline control assurance simplifies the assessment and makes it considerably more approachable. It allows organizations to identify errors in their security practices, mitigate emerging threats, and implement security controls with an appropriate level of effort to organizational size and risk.
Compared to the HITRUST i1 and HITRUST r2 validated assessment options, the HITRUST e1 assessment provides a validated assessment and controls assurance for significantly less effort. Assessed entities may not have the staff and resources for a more significant assessment. More HITRUST assessment options mean broader standards adoption and suitability.
While the HITRUST r2 and HITRUST i1 address high and moderate assurance requirements, the e1 provides baseline assurance. That doesn’t mean the e1 assessment is worse at depicting good security hygiene controls, just that there’s less that needs to be assessed because of risk, size, or security program sophistication. The HITRUST e1 assessment is still a solid HITRUST risk-based validated assessment.
Compared to the HITRUST Basic, Current state (bC) assessment, the HITRUST e1 validated assessment provides certification options instead of an assessment path terminating in the HITRUST Assurance Intelligence Engine. That engine can still be used for self-evaluation, but it’s not the only available option for organizations. As a result, HITRUST e1 assessments are more objective quality assurance reviews than the subjective self-assessments of the HITRUST bC.
How Long is it Valid For?
HITRUST e1 certification lasts for one year.
How Long Does HITRUST e1 Certification Take?
Assessors have 90 days to complete fieldwork from the commencement of the engagement. HITRUST also provides a 30-day SLA with respect to post-fieldwork administrative review. If that SLA is breached, then the next assessment is complimentary. So while the assessment length will vary based on organizational size and complexity, HITRUST calls for it to take no longer than 120 days.
How Much Could it Cost to Get e1 Essentials Certified?
The cost of a HITRUST i1 or r2 assessment can range between five and six figures. $50,000-$250,000 is a good rough benchmark for those certifications based on the size and complexity of an organization.
The HITRUST e1 assessment should cost significantly less than that. Given the novelty of the certification, it’s difficult to say what the price will be, but I’d expect low-five figures for an assessment.
Remember: the assessment is designed for smaller or less risk-complex organizations. As a result, the level of effort for the e1 will be lower than the i1 and r2 validated assessments, which should result in a lower overall cost.
How Does HITRUST e1 Compare to Other Security Compliance Certificates?
I’ll highlight how the HITRUST e1 compares to other certifiable and non-certifiable standards and frameworks:
HIPAA Security Rule vs HITRUST e1
HITRUST e1 provides a broader scope and assurance level from the HIPAA Security Rule. There is a comprehensive HITRUST CSF conversion table between the HITRUST standards and HIPAA. HIPAA also doesn’t provide an independent certification while HITRUST purports to provide certification demonstrating HIPAA implementation.
NIST CSF vs HITRUST e1
The NIST CSF provides broader assurance than the HITRUST e1. That being said, an organization can only perform an evaluation of the NIST CSF controls, not a certification based on those controls. As a result, there’s no centralized oversight for those assessments.
NIST SP 800-53 vs HITRUST e1
NIST SP 800-53 is substantially broader than the HITRUST e1 and is more akin to other forms of HITRUST certification, like the HITRUST i1 or r2. Like the NIST CSF, it also likely provides a higher level of assurance of an organization’s security practices. Also, like the NIST CSF, there’s no centralized oversight for assessments and certification is not available.
SOC 1 and SOC 2 vs HITRUST e1
HITRUST describes the HITRUST e1 certification as being akin to a SOC 1 review in terms of complexity and effect for relying parties. It provides a targeted review of infrastructure implementation for assurance of specific practices. Therefore, a SOC 2 review would provide a higher and broader level of assurance. More on how SOC 2 and HITRUST certifications compare here.
ISO 27001 vs HITRUST e1
An ISO 27001 certification is closest in scope and assurance level to a HITRUST i1 or r2 assessment. Consequently, it provides substantially greater security program assurance than a HITRUST e1 assessment. However, the HITRUST e1 assessment, at least on paper, appears as if it will be more threat-adaptive and address emerging threats to a greater degree.
Who is HITRUST E1 Certification Right For?
I think HITRUST e1 certification is right for organizations that want to provide verifiable assurance in their security programs which are new in their security journey or relatively low-risk. That can include startups, sole or small proprietors, small-scale retail, and other similar organizations.
I think HITRUST e1 certification is also appropriate as the beginning of an organization’s HITRUST certification journey. It’s a great way to get used to the frameworks and assessment process without a significant time and financial commitment.
The HITRUST e1 assessment is an interesting addition to the HITRUST certification family. It provides a good level of assurance in security controls and meets the needs of smaller or lower-risk organizations that may not have otherwise found HITRUST approachable.
HITRUST e1 also compares well to other standards and frameworks with respect to the security and compliance assurance it provides. While it may not have the robustness of some other frameworks, it’s billed to be constantly updated to reflect environmental changes due to new and emerging threats.