HITRUST developed the HITRUST CSF as an adaptable framework: organizations scale and tailor the controls and security measures to their complexity, size, systems and regulatory obligations. This lets organizations of varying sizes and industries implement a robust security posture that fits their particular needs and challenges.
EY has been a HITRUST CSF External Assessor in India since 2016 and has helped multiple local and global clients achieve HITRUST certification.
The HITRUST CSF harmonizes a broad spectrum of globally recognized standards, regulations and requirements, including HIPAA, NIST, GDPR and FedRAMP among many others, into a single set of controls. Assessing once against that set helps organizations adhere to industry practices and meet their legal and regulatory obligations, rather than mapping each authoritative source separately.
Since 2019 the HITRUST CSF has been industry agnostic, so organizations in any industry can pursue HITRUST certification. The framework covers the protection of sensitive information of any kind: electronic protected health information (ePHI), personally identifiable information (PII), payment card data, proprietary information and other sensitive data. Healthcare remains the primary beneficiary, but organizations in other sectors can benefit from certification as well.
Organizations that typically consider opting for HITRUST certification include:
Healthcare providers (hospitals, clinics, etc.)
Healthcare payers (insurance companies)
Health Information Exchanges (HIEs) (organizations that facilitate the exchange of health information between healthcare providers, payers, and other authorized entities)
Healthcare Clearinghouses (organizations that process nonstandard health information into standard data formats, such as billing and claims transactions)
Health IT Vendors (healthcare-related IT products and services, such as electronic health record (EHR) systems, medical devices, and health applications)
Business Associates (vendors and service providers that create, receive, maintain or transmit PHI on behalf of a covered entity)
Health tech start-ups (telemedicine platforms, health apps, and wearables)
HITRUST certification can strengthen an organization's reputation, competitiveness and risk management practices, and may also reduce cyber insurance costs. It can prove a valuable investment for any organization that needs to demonstrate its commitment to cybersecurity, data protection and risk mitigation. Notable benefits include:
Enables an organization to showcase trust and confidence in their information protection practices to clients and relevant stakeholders.
Delivers a competitive advantage over peers by differentiating the organization as a trusted partner during proposals and contracting reviews.
Streamlines the process of responding to third-party questionnaires, saving time and resources.
Enhances awareness of the organization's exposure, inherent risk, current security posture and the maturity of its information risk management program, so that potential weaknesses can be addressed proactively and a robust security and privacy program built.
Could lead to potential savings on cybersecurity insurance premiums, as insurers may recognize the higher level of security and risk management associated with HITRUST certification.
The HITRUST portfolio offers three Validated Assessment options, selected according to an organization's complexity, risk profile and assurance needs:

| Parameter | HITRUST Essentials, 1-Year (e1) Assessment | HITRUST Implemented, 1-Year (i1) Assessment | HITRUST Risk-based, 2-Year (r2) Assessment |
|---|---|---|---|
| Assessment purpose | Provides basic assurance focused on the most critical cybersecurity controls and demonstrates that essential cybersecurity hygiene is in place | Provides a moderate level of assurance that addresses cybersecurity leading practices and a broader range of active cyber threats than the e1 assessment | Provides a high level of assurance, focused on a comprehensive risk-based specification of controls with a risk management and compliance evaluation |
| Suitability | Start-ups; organizations with limited risk profiles; other organizations as a stepping stone to i1 / r2 assessments | Mid-level organizations demonstrating leading security practices | Organizations that need expanded tailoring of controls or regulatory compliance with authoritative sources |
| Certifiable assessment | Yes, 1 year | Yes, 1 year + Rapid Recertification in year 2 | Yes, 2 years (with an Interim Assessment in year 2) |
| Flexibility of control selection | No tailoring; static list of 44 controls | No tailoring; static list of 182 controls (year 1), ~60 controls (year 2 Rapid Recertification) | Tailored; 190 to 2000+ controls (year 1), ~20 controls (year 2 Interim Assessment) |
| Maturity levels | One maturity level (Implemented) assessed against in-scope controls | One maturity level (Implemented) assessed against in-scope controls | Five maturity levels assessed against in-scope controls |
| Level of effort and assurance | Low | Moderate | High |
How can EY assist your organization?
The EY Differentiator!
HITRUST CSF External Assessor in India since 2016.
Helped multiple local and global clients achieve HITRUST certification.
A highly trained and experienced team of 15 Certified HITRUST Assessors, 2 Certified HITRUST Quality Professionals and 75+ supporting team members.