HITRUST CSF Compliance: Certification, Assessments

It is a fair and essential point of concern. In the debate of HITRUST certification vs. SOC 2, which is more important? There are crucial distinctions to be learned. As far compliance is concerned, it is vital to know the fine print and essential details of both these regulations to avoid any potential pitfalls relating to digital security.

Understanding SOC 2

The American Institute of Certified Public Accountants (AICPA) describes SOC 2 as an examination engagement that must report on the following essential aspects:

The compliance of a service organization with the description criteria
The controls that provide reasonable assurance for the commitment of the service organization in compliance
The controls that demonstrate adherence to the applicable trust service criteria (for type 2 reports)

In a nutshell, the Service Organization Control 2 report will oversee and assess if the controls are appropriately designed and working under the five Trust Services Criteria (TSC), which include the following:

security (always required)
availability
processing integrity
confidentiality
privacy

Only the security criteria is a required aspect that must be covered in the SOC 2 report. The other four are optional but are usually added depending on the type of service that an organization renders.

This versatility is essential because SOC 2 reports are meant for use for all industries. Whatever the type of service it may be used in, the focus is on securing digital information.

The Basis for HITRUST

The Health Information Trust Alliance, or HITRUST, as it is more popularly known, was created in 2007. It is a not-for-profit organization advocating programs that protect sensitive information and managing information risk for organizations across various industries. It also supports third-party supply chains.

While the HITRUST Common Security Framework (CSF) is designed for all industries, its origin story is closely associated with the healthcare industry’s challenges, such as the numerous applications of controls specific to healthcare such as HIPAA.

There are also concerns about the following:

Unproductive controls because of the uneven interpretation of the control objectives
Unreasonable focus on these issues from auditors and regulatory bodies
A spike in data breaches and exploitations of system vulnerabilities

Overall, the HITRUST framework is used as a guide by organizations that deal with electronic protected health information or ePHI. The HITRUST CSF was a response to the need to have more consistency in certifications. The target is to have a standard regulation and risk management framework.

The HITRUST CSF merged all these varying requirements from COBIT, PCI, NIST, ISO, and HIPAA. That’s a lot of abbreviations and it can get confusing. HITRUST CSF unifies all these regulations.

The HITRUST CSF checks for the following:

The presence of clearly defined procedures and policies
Capability testing to prove its implementation
Demonstration of a company’s ability to measure and manage these controls

Compliance with this framework ensures the protection of sensitive ePHI. This is why meeting the HITRUST CSF requirements is essential to stay on top of all relevant regulations and standards.

Download Our Free HITRUST Checklist

SOC 2 vs. HITRUST: The Essential Difference

Both reports revolve around the protection of sensitive personal data. But for organizations concerned with compliance, learning the difference between SOC 2 and HITRUST is essential.

The main difference is that SOC 2 is an attestation report, while HITRUST is a certification.

Attestation Report

An attestation report discusses the confirmation of management that the information in the report is accurate. An independent author will then confirm this report with the help of an opinion.

The opinion in the SOC 2 report can be clean, unqualified, qualified, or adverse. Qualified means that the testing cannot confirm that at least one objective has been identified by management. Adverse implies that the testing has failed to verify most of the purposes outlined by management.

Even though it may seem it has an asterisk beside it, a qualified report is still reliable. But the company must follow up on it to prove that remediation steps have been undertaken to address any issues brought up in the qualified report.

SOC 2 reports are completed yearly and may go on from one to three months from completion to report delivery. This depends on how promptly the SOC 2 client can provide documentation and the evidence needed for testing.

Certification Report

The HITRUST report differs from SOC 2 because it comes with a certification.

It has more details peppered in with the report with five times more controls as it incorporates requirements from numerous standards within the HITRUST CSF.

Within the HITRUST report, the organization’s management needs to submit a Letter of Representation instead of the management assertion inscribed within the SOC 2 report. This Letter of Representation is still collected within the SOC 2 report but is not included in the final report.

The opinion in the HITRUST Certification letter is presented as a Letter of Certification or Letter of Validation, all dependent on the final score of the conducted assessment.

The HITRUST certification has a duration of two years, with interim testing finished within a year. It takes longer to complete because of the increased number of controls, and it costs twice as much. All of these are dependent on the organization’s size and the number of systems dependent on it.

Mapping Options

Essential factors that determine what type of report an organization needs are time, budget, and purpose. Understanding the needs of the organization and even its stakeholders is the first step to take.

The Case for HITRUST Certification

The type of industry that the organization falls under must then be considered. If the company needs to store or process ePHI as part of its daily operations, a HITRUST certification makes more sense.

Organizations with data centers, smartphone applications, and digital platforms that store ePHI are more likely to adopt a HITRUST certification.

If there is no specific need to prioritize ePHI within the company, the more general SOC 2 report may have more utility for the organization.

With this being said, it is essential to note that the HITRUST certification is available to other industries that wish to integrate the framework for their compliance needs.

Combining Both Reports

There are situations when organizations prefer not to choose between a SOC 2 attestation report or a HITRUST certification. The best course of action for them is to incorporate both.

The HITRUST certification provides a map to the controls essential to delivering a SOC 2 opinion for three Trust Service Principles: security, confidentiality, and availability.

For this purpose, the SOC 2 opinion still needs to be done yearly, which is not a need with the HITRUST certification, which has a longer shelf life.

To accomplish the SOC 2 + HITRUST CSF combination, there has to be an independent auditing firm that can offer an opinion. This will focus on whether a service organization has adequately designed and efficient controls to comply with the requisite Trust Services Principle and the HITRUST CSF requirements.

It needs to effectively hit two birds with one stone.

The main difference is that this will not include a Letter of Certification. The only exception is if the auditing firm is also a HITRUST CSF assessor, and the report has been certified beforehand by HITRUST.

This type of combination report can only be issued by an auditing firm and will not give you HITRUST certification, but this will be easier to obtain.

SOC 2 + HITRUST CSF Certification

Another alternative is the combination called SOC 2 + HITRUST CSF with certification. In this option, the auditing firm will perform procedures that will test the operation and design of the controls about both the requirements of the SOC 2 and HITRUST CSF.

This includes a crucial copy of the CSF certification report issued by the HITRUST Alliance. It can give more assurance and peace of mind to the service organization, stakeholders, and even clients.

This type of report can only be issued by an auditing firm that is also an approved CSF Assessor. The firm must also be registered with the HITRUST Alliance.

This report is more complicated and challenging to obtain because it must undergo the stringent HITRUST certification process.

But it is the best option in the larger picture. It is a more comprehensive report, and it will also provide a service organization with a precious HITRUST certification.

Factors to Consider when Integrating Both Reports

Combining both reports can reduce inefficiencies. But there has to be careful guidance in its implementation. There can be downsides when not handled with expertise.

Both the SOC 2 attestation report and the HITRUST certification reports will compel service organizations to adopt the security, availability, and confidentiality Trust Services Principles.

The challenge comes when the organization has only completed the SOC 2 report so far for the security criteria. They will need to undergo additional effort and resources to integrate the other required standards, such as availability and confidentiality.

Also, in combining both the SOC 2 and HITRUST reports, there is the risk of identifying issues in one criterion that may significantly hurt the entire report.

For example, if the service organization has all the sufficient controls required for the SOC 2 report but fails to comply with the 75 required HITRUST controls, this can result in an unqualified opinion in the overall SOC 2 + HITRUST report.

Although the integration of both reports can save time and resources, any problem that one set of controls may encounter will impact the overall picture. There is no shortcut to compliance, even when the reports are combined. There must be due diligence in meeting all the regulations to have a SOC 2 + HITRUST report that will reflect a clean bill of health for the service organization.

Expert Guidance and Assistance

RSI Security can help your organization as you choose between getting a SOC 2 attestation report or a HITRUST certification. In the debate of SOC 2 vs. HITRUST, It can get complicated with all the terminologies and technicalities, but we are here to make the process easier.

As your company embraces new technology moving forward, we can help streamline information security compliance aspects. We have specializations in both SOC 2 and HITRUST requirements. Here is a rundown of all our services for your reference:

Gap Assessment
Facilitated Self-Assessment
Validation/Certification
Interim Assessment
Continuous Monitoring
Bridge Assessments
HITRUST-SOC Coordinated Assessments
Third-Party Risk Management Program
HITRUST CSF Certification Marketing Support
Healthcare Risk Analysis and Advisory

RSI Security has years of expertise and experience as a full-service security provider. We can efficiently guide you towards information security program implementation, data security compliance, and testing services.

We are an authorized HITRUST CSF Assessor with a roster of HITRUST practitioners and advisors to help navigate your way towards a successful HITRUST CSF Validation or Certification.

With our HITRUST compliance services, RSI Security can help you succeed in scoping your assessment coverage and facilitating the self-assessment process. This allows you to reduce the resources, cost, and time you would typically devote to the compliance effort.

Trust RSI Security to deliver cost efficiency and peace of mind as you undergo this essential process. We are here to guide you through all the challenges and to emerge with high marks.

Speak with a HITRUST expert today!