What is HITRUST?

HITRUST® is an organization that provides compliance, data security and information risk-management security standards, certifications, and a centralized framework—called the HITRUST CSF®—for assessing and managing cybersecurity threats and safeguarding sensitive data such as protected health information (PHI).

HITRUST assesses information security based on six core principles: transparency, scalability, consistency, accuracy, integrity and efficiency. It integrates state, federal and international legal and regulatory compliance requirements with a standardized methodology, quality and security controls, and a community of external HITRUST assessors.

HITRUST offers three levels of certification: one for organizations with limited risk; another for organizations with security programs already in place; and a third for organizations that need to demonstrate meeting the most rigorous risk management requirements and complying with the Health Insurance Portability and Accountability Act (HIPAA) or the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework).

Founded in 2007, HITRUST—known previously as the Health Information Trust Alliance—was originally established to help healthcare organizations with HIPAA compliance. According to HITRUST, 75% of Fortune 20 companies use HITRUST certifications.

IBM and HITRUST

IBM Cloud® services that renew and issue a letter of HITRUST r2 certification every two years include:

Reports and documentation

Contact an IBM representative to request HITRUST certification letters with more detailed scope descriptions for IBM Cloud infrastructure or IBM Cloud VPC and PaaS services.

Who must comply with HITRUST?

HITRUST compliance and certification are voluntary, but many organizations use the HITRUST framework to demonstrate and streamline compliance with security requirements. The HITRUST framework (HITRUST CSF) maps its controls to dozens of authoritative sources, such as ISO 27001 and 27002, NIST 800-53, HIPAA, PCI DSS and GDPR.

HITRUST certification

The HITRUST Assurance Program, which includes standards, assessments, certifications and a centralized framework, is designed to help data-intensive organizations and assurance providers manage growing cybersecurity threats such as data security breaches, phishing/spoofing and business email compromise (BEC). HITRUST’s information protection approach is based on six principles:

  • Transparency: Setting clear expectations of cybersecurity threat controls, providing the rationale for their selection and detailing the methodology for how they should be evaluated;

  • Scalability: Implementing a threat-adaptive assessment process with a stepping-stone approach that meets the unique needs and risks of any organization;

  • Consistency: Developing an assessment process that yields standardized results—regardless of the evaluator;

  • Accuracy: Implementing mechanisms that reliably assess the effectiveness of controls;

  • Integrity: Implementing processes that produce verifiable, accurate and consistent results; and

  • Efficiency: Producing results that are usable by all relevant stakeholders.

Certification levels

To address organizations of all sizes, the HITRUST Assurance Program offers three types of certification.

e1: A one-year certification for lower-risk organizations and startups. Designed to help assurance providers develop a baseline system for preventing common cybersecurity threats such as phishing and ransomware, this validated evaluation assesses 44 core security requirements and is focused on critical security practices for Transparency, Consistency, Accuracy, and Integrity.

Less rigorous than the i1 or r2 evaluation process, e1 certification is a threat-adaptive assessment that includes a fixed number of requirement statements, readiness assessments and validated assessments but cannot be tailored to include privacy. This certification typically requires that an assurance provider satisfactorily implement privilege management, user password management, user access rights, secure log-on and other baseline cybersecurity controls.

i1: A one-year validated assessment that delivers a relatively moderate level of assurance for information-sharing situations with lower risk thresholds. This validated evaluation assesses 182 requirements and is often an incremental step between e1 and r2 certification.

As with e1 certification, i1 also is a threat-adaptive assessment that includes a fixed number of requirement statements, readiness assessments and validated assessments, and cannot be tailored to include privacy. Similarly, like an e1 assessment, an i1 evaluation typically mandates that an assurance provider implement privilege management, user password management, user access rights, secure log-on and other baseline cybersecurity controls but adds additional requirements such as implementing an information security management program and an access control policy.

r2: For organizations that must demonstrate the highest level of assurance. This two-year validated assessment is designed for organizations sharing sensitive information, handling high volumes of data, or facing challenging regulatory requirements. A properly scoped r2 assessment ensures that control requirements are effective and compliant, and offers flexible, tailorable, risk-based control selection to meet the most stringent needs. The HITRUST r2 assessment has over 2000 control requirement statements available that are tailored to the assessment based on control selections and scoping.

r2 certification requires that assurance providers implement privilege management, user password management, user access rights, secure log-on and other baseline cybersecurity controls—as well as an information security management program and an access control policy. It also requires that assurance providers assess information security business continuity, develop a related planning framework, and implement other advanced controls and processes.

Achieving certification

Organizations can achieve the appropriate level of certification through a vetted HITRUST External Assessor Organization. All three HITRUST assessments, as well as additional governance, risk and compliance tools, are accessible through the HITRUST MyCSF® centralized app-based platform.

Additional resources

The HITRUST Assurance Program™ is one aspect of the organization’s comprehensive Risk Management Framework (RMF), a suite of certifications, products, methodologies and tools created to address the need for a “common understanding around the security and privacy controls needed to safeguard sensitive information and individual privacy,” according to the HITRUST Risk Management Handbook.

Originally released in 2009, the RMF provides a consistent approach to cybersecurity, risk management and compliance. The RMF comprises the HITRUST CSF, the HITRUST Assurance Program™ and related products and certifications. It integrates U.S. state, U.S. federal, and international legal and regulatory requirements such as HIPAA and the European Union’s General Data Protection Regulation (GDPR) with a standardized methodology, quality controls and HITRUST-certified external assessors.

For more information on HITRUST compliance requirements or the certification process, please visit HITRUSTAlliance.net.
