HITRUST Certification: What It Is & Why It Matters
October is Cybersecurity Awareness Month, and organizations across the nation are spending the month educating their employees on the importance of cybersecurity in the workplace and in their personal lives. From avoiding phishing and smishing to learning about common attack vectors and understanding the many ways a nefarious actor might find their way into your systems, the journey to a “locked down” security posture isn’t an easy one.
We should know. We go through all the same things you do—and then a whole lot more. And that’s why, during Cybersecurity Awareness Month 2024, we’re proud to announce that we’ve successfully completed our HITRUST CSF r2 recertification.
And this? This is a big one—both for us and the companies who trust us. Because unlike a claim—HITRUST Certification is something that requires months of preparation, poking, and prodding to complete. And Sepire got it done.
What does that mean? In short, it means that a third-party organization dug into the way we work and found that we’re able to prove our compliance with more than 55 international security protocols. But to us and to our clients, it means even more. Here’s why.
The Basics: Sepire Completes HITRUST r2 Recertification
Over the past six months or so, we’ve been hard at work. And it wasn’t just because we’re ramping up for the busiest busy season yet. It’s because once again, we’ve gone under our biannual HITRUST r2 recertification—the gold standard of the gold standard of cybersecurity certifications.
As announced in our press release, this was an important day—as it once again proved our commitment to data security and showed that we care about yours as well. Why? Because HITRUST isn’t simply about one organization. It’s about the aura that surrounds the organization. Every person, every practice, and every vendor are tested.
And after completing our biannual HITRUST CSF® v9.6.2 Risk-based, 2-year (r2) Certification, we’re taking a look at what this means to us, to you, and to the people whose data you trust us to protect.
Introduction to HITRUST
If you’re not familiar, HITRUST is an organization dedicated to everything security. Since its 2007 founding as the Health Information Trust Alliance, the organization has gone far beyond the world of healthcare. Nearly two decades later, HIRTUST has expanded its scope to deliver a comprehensive, accessible, and scalable security framework for companies of all sizes and industries.
Today, the company’s framework and certifications are used by thousands of organizations to assess their security posture and deliver proof of compliance with dozens of international standards, laws, regulations, and requirements.
HITRUST Certification: What It Is & Why It Matters
In the rapidly evolving threat landscape that exists today, a HITRUST Certification proves that a company can walk the walk and talk the talk when it comes to security.
In fact, according to their 2024 Trust Report, nearly 99.5 percent of HITRUST Certified environments suffered no security breaches.
Earning a HITRUST certification sends a signal to regulators, customers, and stakeholders that they can trust the strength of your cybersecurity and data protection program. It’s no wonder that so many organizations don’t just request but require a HITRUST certification from vendors and third-party service providers for security and privacy assurances.
And today, more companies than ever require it from their first-level and even second-level partners. This includes three-quarters of the Fortune 20, 81 percent of U.S. hospitals and health systems, and 83 percent of health plans.
Different Levels of HITRUST Assessment & Certification: e1, i1, r2
Though HITRUST Certification is an effective way for a business to prove that it can securely handle data, there are three levels of certification, each more complex and comprehensive than the last.
HITRUST e1 Certification: The easiest, lowest level certification, e1 evaluates a company on 44 essential security controls. Able to be completed in as little as 12 weeks, this may not be the most comprehensive certification available, but provides reliable assurance that a company has the fundamentals down.
HITRUST i1 Certification: A threat-adaptive assessment and often the minimum required certification by organizations in the healthcare industry, i1 assessments take 6 to 12 months to complete and cover nearly 200 controls, with certification lasting one year from issuance. Good to provide a moderate level of assurance, many smaller organizations opt to attain the i1 certification.
HITRUST r2 Certification: The gold standard of the gold standard. HIRTUST r2 certification is the most comprehensive of the assessments. Certifications last two years with an interim assessment, cover more than 200 controls over five key areas: policy, procedures, implementation, measurement, and management.
What Goes into HITRUST Certification?
A compliance framework, an assessment platform, and a certification program, HITRUST assurance is built on six essential principles: Transparency, Scalability, Consistency, Accuracy, Integrity, and Efficiency.
But to gain this certification, organizations need to go through a lot of poking, prodding, and pen testing to prove that they’re up to the task. Depending on the version and level of compliance mentioned above, the assessment process covers a range of controls and can take anywhere from a few weeks to a couple dozen months.
Self-Assessment & Audit: Before even approaching the assessment, organizations want and need to ensure processes and policies are in place. This involves a comprehensive audit to determine the path forward and the domains, controls, and requirements that apply.
Implementing the CSF: From here, an organization has to go through the paperwork process to implement the chosen Common Security Framework or CSF and to upload documentation to the HITRUST Portal.
Certification: The certification process of HITRUST Certification, this is the stage where the HITRUST Alliance audits your work to determine if standards are met and documentation is filed appropriately.
Keep Up with the Requirements: Whether it’s an annual recertification or an interim assessment, organizations need to keep their controls up to date and check in every year.
Buyer Beware: HITRUST “Compliance” vs. HITRUST Certification
One little word can make a big difference… especially when it comes to security. And there are a lot of companies out there who may claim to be compliant.
Can you blame them? It’s cheaper and easier to say something than prove something. It doesn’t require all the poking and prodding of certification.
And if you’re unfamiliar with HITRUST, they might gain your business.
But the threat landscape is constantly changing—and so is the HITRUST Certification program.
A HITRUST Certified company will be able to provide you with a letter from the organization documenting that it meets the criteria for certification. They will also be able to provide you with a full HITRUST Validated Assessment Report that shows even more. A ‘HITRUST compliant’ company can’t.
Your Partner in Secure Printing & Mailing
At Sepire, we care about our security and the privacy of our clients—as well as their clients. And we go through a lot of work to prove it. Have any questions about this certification or one of the many other security evaluations we go through? Check out our security & compliance page—or drop us a line with any questions you might have.