HITRUST
What is HITRUST?
HITRUST: A risk- and compliance-focused security framework, the HITRUST CSF, widely used in US healthcare to demonstrate alignment with HIPAA, NIST and other authoritative sources.
HITRUST (originally the Health Information Trust Alliance) is a US-based organisation that publishes the HITRUST Common Security Framework (CSF), a control-based framework first released in 2009 and updated regularly (current major version: CSF v11). The CSF harmonises requirements from HIPAA, HITECH, NIST SP 800-53 and 800-171, ISO/IEC 27001/27002, PCI DSS, GDPR, the EU AI Act and other authoritative sources into a single set of prescriptive requirement statements, scoped to an organisation's size, systems and regulatory exposure. Organisations can pursue three levels of certification: e1 (a one-year certification against a small set of essential controls, aimed at lower-risk or early-stage organisations), i1 (a one-year certification against a broader, threat-adaptive set of leading security practices) and r2 (a risk-tailored certification, valid for two years with an interim assessment at the one-year mark, in which each control is scored against a maturity model covering policy, procedure, implementation, measurement and management). Assessments are performed by HITRUST Authorized External Assessor organisations and then quality-reviewed by HITRUST, which issues the certification. Although strongly associated with healthcare, the CSF is increasingly used in financial services, technology and other regulated industries because a single assessment can be reused to satisfy many customers' assurance requirements.
● Examples
1. A US healthcare SaaS achieving HITRUST r2 certification to satisfy hospital customers requiring HIPAA assurance.
2. A payer organisation requiring HITRUST e1 certification from a small startup vendor before onboarding.
● Frequently asked questions
What is HITRUST?
A risk- and compliance-focused security framework, the HITRUST CSF, widely used in US healthcare to demonstrate alignment with HIPAA, NIST and other authoritative sources. It belongs to the Compliance & Frameworks category of cybersecurity.
What does HITRUST mean?
HITRUST originally stood for the Health Information Trust Alliance, the organisation that maintains the framework. Today the name is used for both the organisation and its framework, the HITRUST CSF (Common Security Framework), and a vendor described as "HITRUST certified" has passed a HITRUST assessment at one of the e1, i1 or r2 levels.
How does HITRUST work?
An organisation first defines the scope of the assessment (the systems, locations and business units that store or process the data in question) and selects an assessment level. For e1 and i1 the requirement set is fixed; for r2 the CSF tailors the requirement statements to the organisation's size, systems and regulatory exposure. The organisation then self-assesses and gathers evidence against each requirement, engages a HITRUST Authorized External Assessor to validate the results, and submits the validated assessment to HITRUST, which performs its own quality review before issuing the certification report. Controls inherited from a certified provider (for example a cloud platform) can be reused rather than re-tested. e1 and i1 certifications are valid for one year; r2 is valid for two years with an interim assessment after the first year.
How do you prepare for a HITRUST assessment?
Preparation typically starts with scoping: identifying which systems handle the sensitive data in question and which assessment level (e1, i1 or r2) customers actually require. Existing control evidence from SOC 2, ISO/IEC 27001 or PCI DSS work can be mapped to CSF requirement statements, after which a readiness or self-assessment identifies the gaps to remediate before an Authorized External Assessor is engaged, as detailed in the full definition above.
What are other names for HITRUST?
Common alternative names include: HITRUST CSF, Health Information Trust Alliance.
● Related terms
- HIPAA (compliance)
The U.S. Health Insurance Portability and Accountability Act, which sets national standards for protecting individually identifiable health information.
- ISO/IEC 27001 (compliance)
The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.
- NIST Cybersecurity Framework (compliance)
A voluntary risk-based framework published by the U.S. National Institute of Standards and Technology that organizes cybersecurity outcomes into six core functions.
- SOC 2 (compliance)
An AICPA attestation standard in which an independent auditor evaluates a service organization's controls against Trust Services Criteria.
- PCI DSS (compliance)
A global information-security standard for organizations that store, process, or transmit payment card data, maintained by the PCI Security Standards Council.
- NIST SP 800-53 (compliance)
A NIST publication providing a comprehensive catalog of security and privacy controls for U.S. federal information systems and many private-sector adopters.