HITRUST -- You've come a long way baby...

I first took the HITRUST Assessor course in 2009 and was disappointed. Roughly, the aim of HITRUST then, as it is now, is to allow all players in the health care ecosystem (providers, payors, suppliers and others) to adopt a single security framework, and then deliver attendant certifications to demonstrate that their security programs or selected IT systems are secure. In short, a hospital, for example, would conduct a HITRUST assessment to demonstrate to anyone (government and private entities) that its overall security program has a requisite level of maturity. Only one report would need to be created and submitted to the many parties who needed to verify the security maturity of an organization. (Note: CPA firms offer similar attestations, such as the SOC Type 1 and Type 2 assessments, under AICPA guidance for service providers.)

In 2009, however, HITRUST’s approach was an ill-thought-out mish-mash of NIST and ISO standards and some control requirements baked into an Excel spreadsheet. This required contortions and manipulations too unwieldy for most to adopt. Justifiably, this early HITRUST incarnation had limited traction in the health market that HITRUST targeted. The HITECH Act of 2009, which required all covered entities to perform an annual security risk assessment, should have been an immediate boon for HITRUST. But the immaturity of HITRUST was evident and visible. Few health care entities took the plunge. Moreover, the cost, in my estimation, was too high for an entity to conform to a HITRUST assessment.

Fast forward to today: having just completed the HITRUST assessor course, I now find HITRUST to be a compelling way for entities to demonstrate the maturity of their security programs, or even of a single system if desired. Most importantly, the HITRUST approach of 2018 has morphed significantly to:

  • Provide an inexpensive but sophisticated Governance, Risk and Compliance (GRC) tool for health care entities

  • Deliver a vastly improved SaaS interface to share security assessment data between clients and assessors 

  • Require a thorough QA process that lets users relying on reports or certifications feel comfortable

  • Become an excellent way to manage a security program, especially for large entities (more than 1000 employees)

The only lamentation I have about conducting a HITRUST assessment is that it will be far more expensive than a traditional security assessment. The reason for this extra cost is simple. HITRUST is a thorough approach with little room for obfuscation of details or “cheating” by an assessor or by the entity being assessed. The control and testing requirements are explicitly laid out, and the HITRUST QA process is not to be monkeyed with, else decertification will occur.

In short, I give HITRUST a thumbs up. As the 1970s ad for Virginia Slims cigarettes once touted to women, “You’ve come a long way, baby.”

Feisal Nanji

A seasoned C-level technology risk expert with over 25 years of experience in developing and executing large information security and product development programs. Feisal brings deep knowledge of regulatory frameworks, technology capabilities and process constraints to consistently deliver quality information risk management programs for large health care institutions. He has served as Interim Chief Security Officer for a 14-hospital system with over $5 billion in revenue and has conducted multiple security risk assessments for providers of all sizes. At EY he led a team to review and improve the security of an integrated managed care organization’s electronic medical records (EMR) system with over 8 million members and 3 million health records.