New HITRUST assessments rise to meet the need for varying assurance levels
Exploring the expanded HITRUST assessment portfolio: bC, i1 and r2
March 29, 2022
With the wide variety of assurance service offerings in the marketplace today, organizations are struggling to discern how much assurance they need as well as what types of compliance efforts they should be providing to their clients. On top of that, there’s confusion over how the various HITRUST levels fit in with the assessments they are already performing.
During a recent webinar, Michael Parisi, vice president of adoption at HITRUST, and Samantha Boterman, senior manager in Baker Tilly risk advisory, discussed the differences among HITRUST’s three assessment types and how they work at all maturity compliance levels.
Boterman said the challenges and questions organizations are having typically revolve around a couple of issues. One is finding a way to provide credible and reliable information risk management assurances, not only to relying parties but also internally, to satisfy the organization’s own information protection assurance requirements. Another leading concern is the potential waste of time and resources in performing duplicative assessments to satisfy multiple compliance frameworks (as opposed to “test once and apply/report to many”).
Still, the primary question is: What type of information protection assessment is right for my organization?
Not all assurance mechanisms are created equal, Parisi said. Organizations have a number of different attributes to consider, whether they are pursuing an assurance mechanism to provide comfort to their stakeholders or simply deciding which type they are willing to accept in place of, perhaps, executing additional proprietary procedures around security and privacy. When organizations are trying to understand which assurance reports or certifications to use, the differences among them are not clear to stakeholders.
To clarify the options, HITRUST conducted a 16-month research project in which it plotted all of the assurance mechanisms along a continuum and identified the different attributes and characteristics that made them provide varying levels of assurance. From there, HITRUST found two primary drivers.
- The first was that many of the assurance mechanisms were based on management-defined proprietary controls, which means they may not come from an industry-recognized source or may not align with specific compliance factors or security standards, Parisi said. This can lead to a high level of inconsistency when trying to evaluate across multiple business stakeholders.
- The second identified driver was the rigor of the process that organizations go through in order to produce assurances. At one extreme is self-attestation, where there is no independent validation at all; this provides a much lower level of comfort about program maturity and posture than an assessment performed with independent validation, and lower still than one where a certifying body, like HITRUST, provides additional validation on top of that.