Why You Should Get HITRUST e1 Certified
Though considered somewhat abbreviated in comparison to HITRUST’s other certification options, the HITRUST e1 Certification still represents a potentially beneficial path, particularly for those organizations that have already established their compliance programs.
Though these initiatives began as extra obligations to fulfill customer requests, compliance is now moving beyond these basic requests—adding more third-party assurance has become a powerful way organizations can differentiate themselves from their competitors in their markets.
As a single-provider cybersecurity assessments firm with a broad suite of services, we have witnessed, and continue to witness, clients invest more in compliance and see returns. HITRUST certification continues to grow in popularity among organizations of all kinds, and while each of its options is worth pursuing on its merits, in this article we're going to focus on the e1 and why it would make a great addition to your compliance program.
What is the HITRUST e1 Certification?
A newer introduction by HITRUST, the essentials 1-year (e1) Validated Assessment, at its core, is a static set of 44 requirement statements that—if met—will demonstrate that your organization’s scoped system(s) have foundational cybersecurity in place.
Here’s how it would work (at a base level):
- First, you'll gauge whether each of those 44 requirement statements has been implemented and score yourself appropriately, with assistance from your external assessor (an audit firm recognized by HITRUST).
- Then, the external assessor will use the evidence you provide to verify those scores.
- That assessment will be sent to HITRUST, which will then perform its own quality assurance (QA) and make the final decision on whether to issue you a certificate.
For more details on this process, you can check our article on how to get HITRUST certified.
3 Reasons to Get HITRUST e1 Certified
If you’re familiar with compliance at all, that process may sound fairly familiar and similar to other initiatives you’ve undergone. So why should the e1 be next for you, among your other potential options?
Here are three great reasons to get HITRUST e1 certified.
1. Convenient Mapping to Other Compliance Standards
First and foremost, the HITRUST e1 certification provides an easier jump from other compliance assessments.
While any new compliance initiative will command more of your budget and precious internal resource time, adding HITRUST e1 certification would be a prudent use of both primarily due to how well it maps to and from two other prominent standards:
If your organization already performs an annual Type 2 SOC 2 examination, that evidence you’re already pulling to test your SOC 2 controls has a 66% overlap with the evidence required to test the 44 requirements in the HITRUST e1.
Why Does This Matter?
Should you elect to add an e1 Certification, you’d save resources and time and avoid additional audit fatigue while achieving an additional certification that can be helpful, if not required, to do business with certain prospective clients.
If your organization currently holds an ISO 27001 Certification, that evidence you’re already pulling to test your Annex A controls has a 63% overlap with the evidence required to test the 44 requirements in the HITRUST e1.
Why Does This Matter?
In fact, while the HITRUST CSF—the set of requirements that HITRUST is built on—incorporates many frameworks and regulations, its most dominant influence is ISO 27001.
Similar to what was noted above for SOC 2, this overlap with your ISO 27001 efforts would make adding a HITRUST e1 Certification simpler, as you would again save internal resource time and avoid additional audit fatigue while adding more to your compliance portfolio.
Plus, if you use the same assessor firm for both audits—whether it’s SOC 2 and the e1 or ISO 27001 and the e1—you can also combine those walkthroughs/interviews to further reduce your time spent doing audit activities.
2. Easier Segue to Other HITRUST Certifications
Speaking of overlap, the HITRUST e1 also crosses over with the other HITRUST certification options.
We mentioned the “abbreviated” nature of the e1, which could initially seem off-putting in comparison to those other HITRUST avenues.
However, the 44 requirements in the e1 Certification are nested within both:
- The 182 requirements in the i1 Certification; and
- The varied number of requirements in the r2 Certification (which uses risk-based questions that can drive the number of requirements anywhere from 200-something up to well over 1,000).
All this to say, even if you are later required to upgrade to an i1 or r2, having previously acquired e1 Certification means you'll have already taken a big step toward either of the other two. Not only that, but going for the e1 Certification first can also provide:
- Exposure to the HITRUST process
- Insight into what would be required to upgrade, and
- The necessary time to implement more robust controls, as needed, for those upgraded certifications.
3. A Door Into Healthcare
If e1 Certification maps well to broader security standards like SOC 2 and ISO 27001, it can also clear a path into a specific market. If your organization is trying to break into the healthcare vertical, you'll eventually run across potential clients that not only view a HITRUST certification as nice to have but actually require it before they will even consider using your products/services.
Each healthcare client is likely to have their own formula / flow chart for determining the risk level that your organization’s product presents for them. (Our article here can provide a sense of what that risk assessment might look like.)
Still, the HITRUST e1 Certification, with its smaller cost and necessary lift, represents a great starting point for compliance to satisfy healthcare organizations (unless you’re certain that your organization’s system(s) would fall into healthcare’s “high-risk” category—in which case it likely wouldn’t suffice and you’d need to move to the i1 or r2).
Once you do get that foot in the door, there may be situations where prospective clients are looking for a higher level of HITRUST certification. Should that happen, most will allow you a grace period (typically 18 months) to achieve the desired level, and again, with an e1 Certification in hand, you'll already be better positioned to make that move.
Next Steps for Your HITRUST e1 Certification
HITRUST certification has become an excellent, sector-agnostic compliance option for any organization seeking to prove its cybersecurity measures. Though organizations will be more familiar with the established and robust i1 and r2 options, HITRUST's newest alternative, the e1, can particularly benefit those organizations with existing compliance programs that want to add another certification with relatively little extra effort and open up new opportunities.
As you use this information to mull over how best to move your organization forward with HITRUST, you can learn more about the latest HITRUST updates in our other articles:
About RYAN MEEHAN
Ryan is a Senior Manager at Schellman. He has worked in public accounting since 2007 specializing in compliance auditing, including SOC examinations, ISO certifications, and healthcare audits such as HIPAA and HITRUST. Ryan has serviced clients in a multitude of industries including business process outsourcing, financial services, information technology, and healthcare. Ryan holds certifications including the CISSP, CISA, ISO 27001 Lead Auditor, CIPP/US, CCSFP, and the Advanced SOC certification.