

HITRUST Certification & Penetration Testing Requirements


In the security world, healthcare records are known to be some of the most valuable forms of data that threat actors can get their hands on. They sell for a higher price, have a longer shelf life, and serve multiple possible uses, including extortion, prescription purchasing power, and fraudulent medical claims.

Most people almost never think about it. Whether we are feeling ill or just staying on top of our regular checkups, when we show up at our family doctor's office and hand over our health card, we assume our healthcare professionals are following all the best practices concerning the security of our personal data. What about filling a prescription for medications at the pharmacy? There is a lot that can be gathered from a person's prescription history.

So, how do healthcare organizations confirm their attention to properly enforced cybersecurity, and how do consumers make the best choices when it comes to the matter of managing their own PHI?

What is HITRUST Certification?

In short, the HITRUST Alliance was founded in 2007 as a not-for-profit to develop and advocate security programs to safeguard sensitive information such as electronic protected health information (ePHI). HITRUST Certification aims to fill the gap that regulations, such as HIPAA, do not fully address. For example, while the HIPAA Security rules involve many suitable requirements, there is a distinct lack of enforcement.

As of today, the HITRUST certification represents the most comprehensive and broadly acknowledged security framework in healthcare. The HITRUST certification represents a bona fide roadmap for cybersecurity standards: it was developed and supported by healthcare industry experts who sought to come up with an objective and quantifiable way to manage healthcare security threats. Essentially, it is designed to be a blueprint for how to improve your organization's data management policies.

Simply put, a HITRUST certification represents the gold seal of approval with respect to how a business handles its data and its cybersecurity practices. To attain a HITRUST certification is to earn a vote of confidence from the HITRUST Alliance. Just as medical care must meet high standards of safety and confidentiality, the healthcare sector's cybersecurity standards must offer similar levels of protection. That is why HITRUST certification is quickly gaining credibility and popularity in the healthcare sector.

Requirements for HITRUST Certification

For any healthcare organization, the gold seal of approval that comes along with HITRUST Certification is very attractive, as it serves to demonstrate both security and integrity. Even if an organization is not particularly enthusiastic about pursuing a HITRUST Certification, demonstrating a willingness to protect your patients' personal health data should be a top priority for any organization operating in the healthcare industry. Keeping personal health data more secure and upholding privacy should be a leading priority for organizations serving the healthcare community.

Indirectly, when an organization deliberately prioritizes improved cybersecurity and pursues HITRUST certification as a means to get there, its cybersecurity will undoubtedly see significant improvements. Below, we have highlighted some of the common requirements of the HITRUST certification that help determine certification readiness:

  • Organization – HITRUST certification is a major commitment for an organization. For perspective, SOC 2 clients may have upwards of 100 controls tested within a SOC 2 report. In contrast, HITRUST certification may require upwards of 400 control requirements. This sort of commitment requires a lot of work from the security teams and may require other departments within the organization to change their operations in order to meet the rigorous demands.

  • Policy – HITRUST Certification incorporates a number of regulations and standards, including ISO, NIST and HIPAA. One of the HITRUST requirements is that your organization has documented policies that expressly communicate management's expectations for how the required controls operate for each HITRUST requirement. If your current policies are not based on NIST or ISO, they will need to be upgraded before you begin the certification process.

  • Risk Assessment & Testing – HITRUST certification requires an organization to perform a regular, comprehensive risk assessment of security operations based on a formal methodology that evaluates multiple factors that could impact security. HITRUST certification also requires that an organization has implemented a number of technical controls to help validate security. These controls include penetration testing and several other security checks on at least an annual basis, noting that the required frequency could be as often as quarterly.

  • Business Continuity – HITRUST certification requires an organization to have a formal business continuity plan that assesses potential events that may impact any critical operations. A formal strategy to address those risks is also required.

  • Proper Documentation – HITRUST certification requires an organization to provide evidence of all control implementation. The organization is required to implement a formal change management procedure outlining the testing and approval process needed to meet all HITRUST requirements.

  • Timing – HITRUST certification requires that all policies, procedures and control implementations are in place for no less than 90 days prior to testing by an external assessor, and proof of this will also be required. Additionally, it should be noted that there are tiers of maturity that only accrue with certification.

In order to receive certification, a validated assessment must be completed by a HITRUST assessor. This validated assessment requires that an independent auditor assess compliance with the applicable HITRUST requirements. If no significant issues are identified in the validated assessment, the organization receives a HITRUST certification. After two years, an interim certification can extend it for one more year, after which the entire certification process must be completed again.


As unease over breach-related liability costs, shifting standards and public concern for privacy continues to grow, the HITRUST Common Security Framework (CSF) provides many significant benefits by delivering a comprehensive set of standards that any healthcare organization can apply. As a result, your organization will be able to control vulnerabilities, adjust policies and procedures, and gather the appropriate resources to implement and maintain security controls.

At Packetlabs, we have worked with a variety of organizations across the healthcare sector and have extensive experience identifying key areas of concern. A successful HITRUST certification plan requires a thorough review of all existing infrastructure, applications and policies.

If you would like to learn more about how Packetlabs can assist your organization in fulfilling your HITRUST requirements, please contact us for more information!