How to Attain HITRUST Compliance in Less Time

At Armor, we’ve helped over 1,000 companies become more secure, many of which became HITRUST certified. We’ve learned that while HITRUST compliance is complicated, you can become HITRUST certified in less time with the right approach.

Unfortunately, some infrastructure companies state in their marketing that all you need to do is to use their technology and you’ll automatically be HITRUST compliant. That’s part of the reason why some customers assume that becoming compliant is as easy as switching to a different infrastructure provider. This is simply not true. 

At Armor, we always tell our customers the nitty-gritty details so they can make an informed decision. While it’s more complicated than simply adopting new technology, we’ve learned a few ways to speed up the process.

In this article we’ll cover why HITRUST originated, what you need to do to follow it, and how you can speed up the process of becoming HITRUST certified.

Want to learn more about how Armor can help you become HITRUST certified? Our Armor Anywhere product can be installed in minutes and does a lot of the work for you. Go here to get a free quote on how much Armor will cost.

Why Did HITRUST Originate?

Before we explain how to become HITRUST certified, we think it’s helpful for you to understand how HITRUST originated.

HITRUST (an acronym for “Health Information Trust Alliance”) is a nonprofit that was created in 2007 to maintain a certifiable framework for companies to be up-to-date with best practices in information security, protect their infrastructure, and secure sensitive information (like patient health information and other protected health information). The standard that was created was the HITRUST CSF (HITRUST common security framework).

HITRUST was created largely by healthcare organizations and other major corporations in the healthcare industry (like health insurance companies).

One major reason HITRUST was created was for businesses and business associates to have a coherent set of security standards if they needed to comply with several data protection regulations (such as HIPAA and PCI DSS).

Another major reason for HITRUST was to create a certification process, so businesses could know that they (and other businesses) are secure. HIPAA did not and does not (as of 2019) have any formal certification process.

A third reason for HITRUST was to improve risk management for companies to be sure that other companies that they do business with are secure.

What Exactly You Must Do to Receive a HITRUST CSF Certification

The first thing you need to do is to take an inventory of all of your tech infrastructure, servers, and data. You should also note all security tools, security controls, and procedures that you are already using.

The second thing you need to do is to figure out all of the regulations that you need to follow, using the information you gathered in the step before this.

The most common regulations you probably need to worry about are PCI, FISMA, the NIST Cybersecurity Framework, ISO/IEC 27001, HITECH, and any state-mandated privacy requirements.

The next thing you need to do is establish your scope by going to the HITRUST MyCSF tool and answering a series of questions that will determine the number of requirements you need to satisfy. The number will be anywhere between 300 and 700.

Before you actually start changing any parts of your business, you need to understand how HITRUST is scored.


In order to be HITRUST certified, you need to follow all of the applicable controls specified. How well you follow the controls is measured by five criteria. Each of the criteria has a different weight according to how much it affects your HITRUST score:

  • Policy (25%) Is each requirement written and signed into policy?
  • Procedure (25%) Is each requirement written into process documentation?
  • Implementation (25%) Is the standard being properly implemented?
  • Measured (15%) How is the requirement being measured?
  • Managed (10%) How is the requirement being managed?

When being assessed, your business will receive a score for how compliant your business is for each of the criteria above. Here are the possible scores:

  • Non-Compliant (0%) Barely following the criteria, if at all.
  • Somewhat Compliant (25%) Less than half of the requirements followed.
  • Partially Compliant (50%) Approximately half of the requirements followed.
  • Mostly Compliant (75%) Most of the requirements followed.
  • Fully Compliant (100%) All requirements followed.

You will be scored for each domain that you need to follow.

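For example, here is a sample score for a requirement in the access control domain. The column abbreviations correspond to the compliance levels above (NC = Non-Compliant, SC = Somewhat Compliant, PC = Partially Compliant, MC = Mostly Compliant, FC = Fully Compliant):

Category               NC  SC  PC  MC  FC  Multiplier  Total
Policy (25%)               X               25 x 0.25   6.25
Procedure (25%)                        X   25 x 1.0    25
Implementation (25%)               X       25 x 0.75   18.75
Measured (15%)                 X           15 x 0.5    7.5
Managed (10%)          X                   10 x 0.0    0
Total                                                  57.5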

In order to become HITRUST certified you need to receive a score over 62 for every domain.

Now that you know how your HITRUST certification will be scored, you should write each of your HITRUST requirements into policy. That gets you 25% of your score.

Next, you should create a documented process for each of your HITRUST requirements.

Then, you should make sure that the requirements are implemented. This will be the most complicated part of becoming HITRUST certified.

If you have been thorough with your policies, processes and implementations, you will have enough to pass the certification. For any areas that are lacking, consider how you will measure and manage those items and put those controls in place. 

Keep in mind, anything that is scored for measured and managed will be scrutinized by the QA process. We recommend working to get Fully Compliant (100%) scores for all policy, process and implementation scores.

After that, you should perform a self-assessment using the MyCSF tool to formally score yourself against the requirements.

When the self-assessment is complete, a Certified CSF Assessor will perform a validated assessment. The assessor will validate your scores and adjust them based on their examination and testing.

They will submit their findings to HITRUST for evaluation and QA. You may need to submit additional evidence to satisfy HITRUST during this phase of the process, but for the most part you will be HITRUST certified once HITRUST is satisfied.

Saving Time on Becoming HITRUST Compliant

Becoming HITRUST certified is a large and complicated undertaking that will bring about some major changes to your organization.

We recommend that you work with someone who has experience with helping companies like yours become HITRUST certified.

While it’s possible that you could become HITRUST certified without any outside help, it’s a complicated process and it’s quite possible that you’ll do something wrong.

Messing up the process and having to undergo multiple assessments can add weeks to the process and cause the costs to your business to go up.

Unfortunately, hiring consultants can be quite expensive. However, if you use any of our Armor products, we’ll give you access to our team of compliance experts.

They have years of experience helping companies like yours become HITRUST certified. They can advise you on the changes you need to make to your application and business to become compliant.

At Armor, we have two products, both of which can help you secure your infrastructure: Armor Complete and Armor Anywhere.

Armor Complete is where you host your application and data on our physical servers.

Armor Anywhere is our solution that secures your data no matter where it is (public cloud, private cloud, hybrid, or on-premise).

Here are the different features that they offer:

Feature                                         Armor Complete  Armor Anywhere
Vulnerability Scans                             X               X
Operating System                                X               X
Intrusion Detection                             X               X
File Integrity Monitoring                       X               X
Log Collection & Management                     X               X
Malware Protection                              X               X
Patch Monitoring                                X               X
Compute                                         X
Storage, Database, & Networking                 X
Regions, Availability Zones, & Edge Locations   X
Identity & Access Management
Data Management

In short, Armor Complete helps secure the infrastructure, network, and more. Armor Anywhere secures your infrastructure but can run anywhere.

By using either of our products, you can significantly lessen the amount of work that goes into becoming HITRUST certified, since you get several requirements fulfilled out-of-the-box.

Plus, we’re constantly updating Armor to use state-of-the-art security tools in order to comply with changing requirements. Since HITRUST (and other standards) are constantly being updated, we are constantly improving the products we send to you.

One example of how our tools automatically make you more compliant is our compliance scanning tools. Our tools scan your servers and infrastructure to see if you’ve misconfigured any plugins. For instance, our tools can check whether you’re using default passwords for a plugin (which is against PCI compliance).

Doing any of these protections yourself (like log management or having a 24/7 SOC) would cost a significant amount of time and money.

That’s why we consider Armor to be a no-brainer when it comes to securing your infrastructure. The time saved will more than pay for itself.

In Conclusion…

As we’ve shown, becoming HITRUST compliant is a major undertaking. It may require you to make major changes to your business.

You also need to set up formal policies, procedures, and management around your security team that may not have existed before.

HITRUST was designed to be stringent since it was created by major companies in the health industry to make sure that they (and other companies) were compliant and secure.

You can lessen the amount of work to get there by partnering with someone who has experience with HITRUST certification.

As an Armor customer, you automatically get access to a team of compliance experts with years of experience.

Our software takes care of several HITRUST requirements automatically and is constantly evolving to be more secure and keep up with changing standards.

That’s why we feel like Armor is the best solution if you want to quickly and effectively become HITRUST compliant.

We’d be happy to help you become HITRUST certified. Armor Anywhere can be installed in minutes and does a lot of the implementation work of being HITRUST certified for you. Go here to get a free quote on how much Armor will cost.
