HITRUST Certification Essentials Webinar: What You Missed


Navigating the pathway to HITRUST certification is complex and can be daunting to even the most security-savvy among us. BluePrint recently held a HITRUST Certification Essentials webinar, which focused on the four topics essential to understanding the pathway to HITRUST certification for healthcare systems and business associates. We received great questions from our attendees, which I elaborate on below.

Our Chief Information Security Officer, Mark Ferrari, MS, PMP, CISSP, HCISPP, and I presented this webinar from the perspective of our work as HITRUST Certified Practitioners and CSF Assessors.

Together, we focused on building knowledge of four topics essential to understanding the pathway to HITRUST certification, including:

  1. The Value of HITRUST
  2. Background on the HITRUST Common Security Framework (CSF)
  3. Our Methodology for Preparing Clients
  4. Evaluation Criteria and Scoring

The graphic presented during the webinar highlights the three phases of achieving HITRUST certification. In short, when we work with a client on an assessment, we help them identify areas in their program that need improvement and that, once resolved, would score at levels that merit certification.



We also covered how the HITRUST requirements are derived from the CSF controls and how each organization is uniquely assessed against them. Essentially, the exhaustive CSF framework is organized into 14 control areas. Those controls are then represented by a superset of over 1,000 requirement statements, organized into three levels across 19 domains.


Questions asked…and answered.

Here are some of the questions we received about HITRUST Certification and the CSF.

  1. How many requirements will my organization be assigned?
    The total number of requirements your organization will be responsible for demonstrating compliance with depends on how the assessment is scoped. A domain could contain anywhere from 2 requirements to over 40 requirements.

  2. What is the minimum score we need to make to achieve certification?
    Although creating a robust security program is the focus of the Common Security Framework, keep in mind that when achieving HITRUST CSF certification there is no total or overall score. You will receive a score for each of the 19 domains mentioned earlier. Based on the maturity of your program in each domain area, you should score a 71 or higher. The minimum score to achieve certification is 62; however, you must then submit a corrective action plan (CAP) with milestones, estimated completion dates, and owners. The good news is that you can become certified while advancing your program.

  3. How many staff members do I need to be assigned to this project to get through the certification process?
    We know that this is a challenge for most organizations. We have seen that it’s best to have a single FTE, such as a project manager, who owns it. That person will need to rely on staff from functional areas, like compliance, system administration, and human resources.

  4. How do we know that we’re ready to submit for HITRUST CSF certification?
    Your third-party assessor, like those on our team, carries out your facilitated assessment and will tell you what should be strengthened in your program in order to meet the requirements for all 19 domains.

  5. My academic medical institution just wants to submit the hospital for CSF Certification. Is that possible?
    Yes. You can look at your total entity and decide which verticals you want to submit for certification. Because the self-assessment can be tailored to your organization, we can address the requirements that apply to the organization at a system level or service/program level and refine the scope of the assessment accordingly.

Would you like to discuss the certification process with someone knowledgeable from our HITRUST team? Contact us by completing the simple form on our information page.

By Keith Kenna, PMP, HCISPP, CCSFP
Vice President, Program Management
BluePrint Health Information Security Services, an Intraprise Health business