Understanding the HITRUST Certification Approach

The requirements for keeping an organization’s data secure are constantly changing, and so are the ways an organization can be assessed on its security posture. Organizations must prioritize robust information security measures in order to achieve and maintain compliance with the standards of their industry. Maintaining compliance also goes hand in hand with maintaining a competitive edge on security, since security is a quality that many organizations refuse to compromise on when selecting new vendors and service providers. Understanding the differences between the frameworks an organization can be assessed against, and how those assessments operate, can guide organizations toward the most effective strategy. One key distinction lies in the nature and period of coverage of a HITRUST certification compared with those of a SOC 2 report.

Understanding HITRUST Certification

The HITRUST Common Security Framework (CSF) offers a comprehensive, certifiable framework that has the ability to integrate various standards, including HIPAA, NIST, and ISO. HITRUST now offers three primary levels of validated assessments:

  • e1 Assessment: A one-year certification designed for organizations with entry-level information security programs. It focuses on essential and foundational cybersecurity controls.
  • i1 Assessment: A one-year certification designed for organizations with established information security programs. It focuses on leading security practices and offers a streamlined assessment process.
  • r2 Assessment: A two-year certification providing the highest level of assurance. It is tailored for organizations requiring comprehensive risk management and compliance with multiple authoritative sources.

All three of these assessments emphasize a proactive approach, focusing on the implementation and effectiveness of security controls. The HITRUST assessment and validation process ensures that the CSF framework has been met for at least 90 days prior to completing the assessment. Upon successful completion of the HITRUST assessment, the certification is effective for one or two years from the date of the certification, given that the organization continues to maintain compliance with the CSF framework. The r2 assessment includes an interim review at the one-year mark to ensure continued compliance and address any emerging risks.

Understanding the SOC 2 Report

In contrast, the SOC 2, governed by the American Institute of Certified Public Accountants (AICPA), provides an attestation report based on an evaluation of an organization’s controls to meet the AICPA Trust Services Criteria framework. There are two types:

  • Type I: Assesses the design of controls at a specific point in time.
  • Type II: Evaluates the operational effectiveness of controls over a defined period, typically six to twelve months.

SOC 2 reports focus on whether controls were suitably designed and operated effectively during the review period. While valuable, this retrospective approach provides assurance over an organization’s security posture only up to the end of the review period; a reader of the report must infer that the organization’s security posture has been maintained in the interval between the end of that period and the time the report is being read.

The HITRUST Certification Model

HITRUST’s certification model emphasizes continuous improvement and proactive risk management. By focusing on the implementation and maturity of security controls, organizations not only assess their compliance with the HITRUST CSF as of the assessment date; upon successful completion of the assessment, HITRUST certifies the organization for the period that corresponds to the type of assessment completed (e1, i1, or r2). Additionally, HITRUST’s approach scales as an organization develops, allowing progress from e1 to i1 to r2 as its security program evolves.

Choosing the Right Framework

Selecting between HITRUST and SOC 2 depends on an organization’s specific needs and objectives:

  • HITRUST: Ideal for organizations seeking a comprehensive compliance certification that encompasses multiple standards and emphasizes continuous improvement.
  • SOC 2: Suitable for organizations requiring an attestation of their controls’ effectiveness over a period of time or as of a specified date, often to meet specific client or regulatory demands.

Some organizations may opt for a combined approach: using SOC 2 to meet specific client or regulatory demands, while also offering their stakeholders and users an added, forward-looking level of assurance through HITRUST. Engaging a firm that provides both services adds efficiency, whether for the combined approach or for drawing on its experience with both to help an organization make the right choice between the two.

Conclusion

With data breaches and cyber threats becoming increasingly sophisticated, organizations must adopt security frameworks that not only assess past performance but also focus on risk management and preparation for future challenges. If you are seeking more information on HITRUST, SOC 2, or any other cybersecurity services, be sure to visit our SOC & Technology service pages; don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding our services.

About the Author

Brian Doheny

Brian joined McKonly & Asbury in 2022 and is currently a Supervisor with the firm. He is a member of the SOC & Internal Audit Segment, auditing Service Organization clients in completion of SOC reports.