HITRUST Certification Essentials: What You Missed in Our First Webinar


If you missed our first HITRUST Certification Essentials webinar, no worries. I’ll recap some of the webinar highlights as well as a few of the key questions asked by our audience of healthcare professionals.

Our Chief Information Security Officer, Mark Ferrari, MS, PMP, CISSP, HCISPP, and I presented the first webinar from the perspective of our work as HITRUST Certified Practitioners and CSF Assessors.

Together, we focused on building knowledge of four topics essential to understanding the pathway to HITRUST certification, including:

  1. The Value of HITRUST
  2. Background on the HITRUST Common Security Framework (CSF)
  3. Our Methodology for Preparing Clients
  4. Evaluation Criteria and Scoring

If you’re considering HITRUST certification, or are required by a covered entity to become HITRUST certified, our monthly webinar provides an opportunity to have your burning questions answered.

The graphic below was presented and highlights the three phases of achieving HITRUST certification. By completing an accurately scoped self-assessment, an organization can identify the areas of its program that need improvement. Once those deficiencies are addressed in what we call the remediation phase, your organization is in a position to perform a validated assessment. Once an assessor has validated that the assessment scores merit certification, the only thing left is the submission of the assessment to the HITRUST Alliance.


We also covered how the HITRUST requirements are derived from the CSF controls and how each organization is uniquely assessed against them. Essentially, the exhaustive CSF framework is organized into 14 control areas. Those controls are then represented by a superset of over 1,000 requirement statements, organized into three levels across 19 domains.


Questions asked…and answered.

For our first monthly webinar, we had a whole lot of questions. Great questions.

Here is a sampling of the questions asked, along with our answers.

  1. How many requirements will my organization be assigned?
    The total number of requirements your organization will be responsible for demonstrating compliance with depends on how the assessment is scoped. A domain could contain anywhere from 2 requirements to over 40 requirements.
  2. If we fail our validated assessment, how soon can I do another submission?
    There is no timeline or time lapse limit. However, you wouldn’t want to submit a validated assessment that doesn’t meet the minimum scores. You want to identify the gaps that need to be addressed and re-assess so that you are confident that your scores are healthy enough for submission.
  3. How many staff members do I need assigned to this project to get through the certification process?
    We know that this is a challenge for most organizations. We have seen that it’s best to have a single FTE, such as a project manager, who owns the project. That person will need to rely on staff from functional areas such as compliance, system administration, and human resources.

Next Webinar – Wednesday, April 26, 12 pm ET

Join us for our next webinar when we’ll dive deeper into the pathway to certification and the essentials to be successful, as well as how to avoid the challenges and pitfalls.