The road to HITRUST can be confusing for many, but it’s a worthwhile journey. The HITRUST Alliance provides a wealth of materials outlining what certification means and how to achieve it. If you’re considering HITRUST certification, I’d highly recommend that you pursue those materials. Eventually, you’ll need to.
In this article, I’ll help you understand the differences between the various available HITRUST assessments. I’ll also cover how they can help your organization and what you need to do to demonstrate compliance with HITRUST.
Briefly, there are three HITRUST assessment types:
- HITRUST bC – a controls-based self-assessment of your organization’s security controls preparing you for future HITRUST certification. In January 2023, this will be replaced with the new HITRUST-validated e1 assessment.
- HITRUST i1 – the i1 assessment is a HITRUST CSF-validated assessment (meaning auditor-conducted) and constitutes what I’d consider a HITRUST interim assessment based on 219 controls from the HITRUST CSF.
- HITRUST r2 – the r2 assessment is a HITRUST CSF-validated assessment of the complete HITRUST cybersecurity framework applicable to your organization.
I’ll review these in reverse order through the HITRUST maturity model, starting with your likely target state. If that isn’t your target, then consider progressing through the logical stages of assessment options as fits your organizational needs and strategy.
What is HITRUST r2?
The HITRUST 2-year r2 validated assessment is the ultimate level of validated assessment contemplated by the HITRUST CSF. Achieving this level of HITRUST CSF certification is a feather in the cap of any organizational assessment portfolio. It signals to vendors, teaming partners, and clients or customers a high level of information security sophistication. It also highlights an adherence to information security industry standards.
As identified in the introduction, the HITRUST r2 assessment is the only assessment offered by HITRUST that is conducted against the comprehensive security framework of the complete HITRUST CSF. That means the assessment can be conducted against between 198 and 2000 controls from the HITRUST cybersecurity framework.
However, HITRUST r2 rarely covers all 2000 controls and typically only covers a few hundred.
Typically, the r2 HITRUST assessment is only conducted against the HITRUST risk-based control implementation level applicable to your organization. That scale starts at Level 1, which represents a low-risk baseline, and runs up to Level 3 for organizations that are at, or present, moderate or significant risk. This risk-based approach ensures that organizations are measured fairly for their size, sophistication, and risk level.
Those risk levels are primarily targeted at the healthcare industry, being keyed to the target healthcare organization’s billing volume or bed size. That reflects the historical provenance of the HITRUST controls as a way to verifiably secure Protected Health Information and measure HIPAA Security Rule conformance. Even so, the HITRUST Alliance emphasizes the value of certification to all organizations regardless of operating industry and size. Certainly, the HITRUST Alliance is trying to distance itself from its healthcare roots and branch into other heavily regulated industries.
(NOTE: More on the differences between HITRUST and HIPAA can be found in this article.)
The HITRUST r2 can be considered a threat-adaptive assessment in that it accounts for different levels of risk and threat to an organization. Its reliance on intelligent and moderate assurance requirements provides a solid risk-based assessment of organizational readiness for cyber threats.
HITRUST r2 validated assessments are conducted by an authorized HITRUST external assessor. If that review is successful, an organization is considered HITRUST-certified. This independent verification and validation of HITRUST r2 controls makes the HITRUST r2 certification a great tool to demonstrate good security hygiene controls.
The rigor of the HITRUST r2 evaluation is why the HITRUST r2 certification is valid for two years. That doesn’t mean an organization can be complacent: it must maintain its security posture throughout.
If there are delays in the organizational renewal of an r2 certification, HITRUST calls for an organization to seek a HITRUST Bridge Assessment or risk jeopardizing its HITRUST portfolio. The Bridge Assessment relies on the prior-year HITRUST r2 report and includes a representation that the future HITRUST assessment won’t materially differ from the prior HITRUST r2 report. It’s valid for up to 90 days: critical if there are any delays in completing a HITRUST r2 validated assessment.
What is HITRUST i1?
The HITRUST i1 (implemented, 1-year) validated assessment can be an interim step in an organization’s journey to conducting a HITRUST r2 validated assessment and achieving r2 certification. It can also be a destination unto itself, depending on an organization’s goals. This highlights the flexibility of the HITRUST assessment options and the potential value that HITRUST can provide to an organization.
Unlike the HITRUST r2 validated assessment, the HITRUST i1 validated assessment is not a measure of the entire HITRUST CSF as applied to an organization. As explained by the HITRUST Alliance, the HITRUST i1 evaluation tests 219 control requirements which, “leverage security best practices, ongoing threat intelligence data, and the MITRE ATT&CK Framework.”
Like the HITRUST r2 assessment, the HITRUST i1 assessment is a validated assessment, meaning that it’s conducted by an authorized HITRUST external assessor. Unlike the HITRUST r2 assessment, however, the HITRUST i1 (implemented, 1-year) validated assessment is only valid for a one-year period.
Given the purported source of this control set, that makes sense. Security best practices, threat intelligence data, and the MITRE ATT&CK Framework are relatively volatile sources of information: they change on a regular and periodic basis, if not faster. As such, a security framework built on those sources but relying on a longer validation cycle would quickly become irrelevant as its information sources went out of date.
What is HITRUST bC?
The HITRUST basic current state bC assessment is a verified self-attested assessment based on a select group of 71 security controls. This assessment provides a baseline risk assessment and can be helpful with regulatory compliance efforts, like compliance with the HIPAA Security Rule. It can also serve organizations well if they want to test their HITRUST compliance or identify the level of effort to accomplish other HITRUST objectives.
Even though the HITRUST bC assessment isn’t validated, it is a verified self-assessment by the HITRUST Alliance. An organization must respond to the assessment questions in the provided HITRUST Assurance Intelligence Engine, a platform that helps identify errors via an automated quality assurance review.
While this doesn’t provide official certification like the HITRUST i1 validated assessment or r2 validated assessment, it does provide assessed entities with a degree of confidence in their security posture. Most organizations can benefit from that kind of verification highlighting a high degree of information security sophistication.
In January 2023, HITRUST will replace the HITRUST basic current state bC controls with a new HITRUST CSF-validated assessment, the HITRUST Essentials e1 assessment. Completing a HITRUST e1 will result in a HITRUST certification based on a narrower set of the HITRUST CSF controls and will more straightforwardly act as a foundational readiness assessment for the HITRUST i1 assessment, which will be cumulative with the HITRUST e1 controls.
Key Differences
The key differences between the assessment options are the complexity and the level of externally mandated HITRUST services needed to complete the security assessments.
The HITRUST bC assessment can be completed entirely internally by an organization because it’s the only one of the HITRUST security assessments that is a self-assessment. It’s also the only one of the HITRUST CSF assessments that doesn’t result in HITRUST certification.
When this is replaced by the new HITRUST e1, then all of the HITRUST CSF assessments will result in HITRUST certification.
If that matters and you don’t want a HITRUST certification, then you’ll want to complete your HITRUST bC assessment before that’s phased out.
The HITRUST i1 assessment and r2 assessment both result in formal HITRUST certification. The main difference between those assessments depends on where the risk to be mitigated exists. The HITRUST i1 uses a risk-based controls portfolio that is constant between all organizations and focused on specific environmental threats. The HITRUST r2 assessment uses differing HITRUST risk-based control sets which vary based on the organizational risk.
The number of controls assessed differs substantially for each type of assessment. The HITRUST bC assessment covers 71 controls, the HITRUST i1 assessment covers 219 controls, and the HITRUST r2 assessment can cover between 198 and 2000 controls (though typically it’s a few hundred).
The new HITRUST e1 will cover only 50 controls.
How Are They Assessed?
The HITRUST bC can be assessed entirely internally, leveraging the HITRUST Assurance Intelligence Engine. By contrast, the HITRUST i1 and r2 are independently assessed by an external assessor.
Objective Benefits
Your organization will see numerous benefits from any HITRUST evaluation. Some of these are unique to HITRUST, because of its certifiable nature. Others are common to security programs generally. I’ll cover the latter first and then circle back to the HITRUST-specific benefits.
An information security program based on an industry-standard security framework provides numerous tangible benefits. Those security frameworks are designed with current and emergent threats in mind. Some of those frameworks, like the HITRUST CSF, are updated frequently to reflect the most current threats.
By selecting and using a security framework like the HITRUST CSF, your organization is implementing controls designed to keep your organization safe in the current threat environment. While that can be an arduous task, it’s a great measure to safeguard your business and your clients’ or customers’ data against cyberattacks.
HITRUST provides unique benefits in that space because it’s one of the few widely-respected certifiable security standards available in the market today. It doesn’t serve as a direct HIPAA, NIST CSF, NIST 800-53, NIST 800-171, ISO 27001, or MITRE ATT&CK Framework certification. However, it does serve as a direct HITRUST certification, which was designed with those control sets in mind and can be explicitly translated to those control sets.
In that way, HITRUST certification is a great tool to signal to vendors, clients, customers, and cyber insurance companies that you take cybersecurity seriously, that you care about their compliance needs, and that you’re doing what you can to protect your business. It’s also a good tool to signal the same to your executive leadership and Board of Directors.
Comparing the Benefits
I think the main benefits of HITRUST certification lie in the runway to r2 certification. The HITRUST framework is designed to provide that runway, which will be much more pronounced when the HITRUST e1 certification replaces the HITRUST bC self-assessment.
I, personally, think that there are diminishing returns for an organization stopping at the bC self-assessment or the i1 HITRUST certification, especially compared to the alternatives. I don’t want to dissuade you if you’re committed to stopping at one of those evaluations as a destination, but I will highlight why I think there are more effective ways to accomplish your goals.
HITRUST bC verification provides a great way to self-assess conformance to a security benchmark based in part on the ISO standards, NIST 800-53, and the NIST Cybersecurity Framework. By leveraging automated tooling, the HITRUST Alliance provides an independently verifiable set of standards that highlights security benchmarking sophistication.
Depending on the size of your organization, you’re likely paying tens of thousands of dollars per year in licensing fees to HITRUST for the privilege of self-evaluating with the bC. While you can provide evidence of compliance, you don’t need to.
At this stage of your HITRUST journey, there are free options in lieu of the self-evaluation: a NIST CSF or 800-53 self-evaluation, a HIPAA Security Risk Assessment, or other respected self-evaluation metrics from which the HITRUST CSF draws its inspiration.
Depending on the cost, you may even be able to afford a SOC 1, which is an external evaluation that is both evidence-supported and covers security controls to the extent they impact your organization’s bottom line. In my opinion, that’s one of the reasons HITRUST is replacing the bC with the e1, which is a validated (external) evaluation. Certainly, HITRUST makes clear that the e1 is a more direct ramp into the i1 than the bC.
HITRUST i1 certification builds on the bC with a larger control set, still based largely on the same standards, which accounts for moderate assurance requirements. It does so with independent verification and validation through licensed certification.
The independent evidence-based verification and validation make a HITRUST i1 certificate a potentially good substitute in situations where you’re being requested to provide a SOC II report, but don’t have one available.
That being said, it may cost about as much as a SOC II Type 1 and provide the same point-in-time evaluation. While the SOC II is widely recognized for its value as a representation of financial controls in addition to technology controls, the HITRUST i1 is not. I’d encourage thoughtfulness about whether or not to pursue a HITRUST i1 certification versus a SOC II report for that reason.
Finally, the HITRUST r2 certification provides a HITRUST risk-based evaluation of an organization based on risks posed by and to an organization informed by industry, organization size, and other factors. The complexity and depth of the review reflect both organizational risk and attributed sophistication.
As the ultimate, and most in-depth, available certification, this will serve you and your organization well in all but the most highly regulated situations (e.g., Department of Defense contracts mandate certification under the Cybersecurity Maturity Model Certification (CMMC) framework). Ultimately, the HITRUST CSF was designed with heavily regulated industry compliance in mind, and r2 certification is an excellent independently evaluated metric for meeting those controls. This will also serve as an excellent benchmark where substantial volumes of sensitive or confidential data are being stored or processed.
In my mind, there is no current analog for the HITRUST r2 certification. The closest is the ISO 27001 certification or a CMMC certification. The former assessment is less definite than the HITRUST r2, while the latter covers a very esoteric set of needs.
I can’t imagine another certification that provides the same breadth and depth of controls management of HITRUST r2 and also provides a bona fide and recognized certification.
Costs of Obtaining HITRUST i1 vs r2 vs bC
Cost is commensurate with the complexity and depth of the review. None of the assessments are cheap, though the relative costs can vary significantly.
The HITRUST bC will be the least expensive because the only cost is the licensing fee for HITRUST materials and verification. Conversely, the HITRUST r2 certification will be the longest and most expensive assessment because of the volume of controls and its focus on a risk-based assessment methodology.
What those costs are, exactly, will depend on the size, complexity, and risk profile of an organization. Those costs may be dictated by the time needed to complete the assessment informed by organizational size, complexity, and volume of supporting documentation.
Generally, at the low end, a small organization should expect to pay in the mid-five figures for a bC assessment, which covers HITRUST MyCSF license costs.
That doesn’t cover the cost of time and salaries for assessment staff or the supporting infrastructure for your business’ compliance program. Those additional costs can be an order of magnitude higher.
At the high end, a large organization may spend in the mid-six figures for an r2 assessment.
That includes HITRUST licensing costs and the costs of an assessor firm to conduct a thorough evaluation of organizational security controls against the HITRUST CSF.
More typically, expect the costs to be between the mid-five figures and the low-six figures, depending on the assessment type. For ease of evaluation, let’s use $50,000-$250,000 as a rough benchmark, understanding each of those numbers is an outlier and you’ll likely be somewhere in the middle.
Who is Each Certification Right For?
All organizations are well served by all levels of HITRUST assessment and certification. They’re great voluntary reviews of well-defined and industry-standard security controls compliance that translate well to other frameworks by design.
For more specific entities:
- Healthcare vendors will be well-served by a HITRUST r2 certification – this is a verifiable conformance metric to the HIPAA Security Rule and other more demanding security standards.
- A Cloud Service Provider may be well-served by a HITRUST i1 validated assessment or a HITRUST r2 validated assessment – it’s likely you’ll deal with numerous clients who have diverse needs, many of which can be translated (again, by design) back to the HITRUST CSF.
- CISA Critical Infrastructure entities – CIRCIA signals the significant prominence given to the security of entities considered to be Critical Infrastructure. While that legislation specifically deals with reporting requirements, it presupposes the presence of numerous controls that HITRUST addresses.
Conclusion
HITRUST certification provides numerous benefits for organizations ranging from verifiable controls to solid information security safeguards. While this can be an expensive proposition, depending on the size and sophistication of the organization, it’s difficult to find another certifiable set of standards that’s as comprehensive, well-respected, and generally recognized.
Where an organization begins and ends its HITRUST journey is a deeply individual decision. The great thing about HITRUST is that it provides a runway for further compliance without pressuring organizations to advance. While it makes sense to keep advancing, there is no expectation or mandate to do so.