Path to HITRUST Certification Part 1: Security Compliance from the Ground Up

Having spent the better part of my career in TechOps/Security-focused roles in healthcare, it’s clear that enabling technical tinkerers to move fast is critical to their success. However, this can be easier said than done in a world where slow and steady is the norm: move too fast and you might not adhere to, or fully complete, all of the necessary requirements; move too slow and you might lose the drive to innovate.

Regulation in healthcare helps define what’s required to provide health services that are high quality, patient-focused, safe, and effective; yet, some regulations can be challenging to navigate, which can slow innovation and cause some teams to cut corners. At Pearl Health, we’re uncompromising in our commitment to security best practices, which is why we’re building them into the foundations of how our team operates and innovates.



HITRUST originally served as an acronym for “Health Information Trust Alliance,” but the company has since rebranded as simply HITRUST. The HITRUST CSF (Common Security Framework) exists to certify that systems and processes comply with all applicable regulations they’re subject to. It was created as a privately held company to work with leaders within information security, technology, and healthcare to create a clearer path toward compliance. Today, it is one of, if not the most, widely adopted security and privacy frameworks, and many healthcare organizations view it as the industry standard in ensuring compliance with all applicable regulations.

So what’s the difference between HITRUST & HIPAA?

HITRUST leverages HIPAA as part of its base and builds upon it within the structure of the HITRUST CSF. By deconstructing HIPAA requirements (a non-standardized framework that offers no prescriptive measures), HITRUST is able to expand upon the underlying principles to create a prescriptive and certifiable framework.

Most new organizations put HITRUST certification on the back-burner until they’re more established and/or an opportunity presents itself that requires them to do so. Why? It’s a huge lift. Depending on the business, the scope of items to address can easily become overwhelming. HITRUST not only assesses whether certain processes, systems, and functions are executed, documented, and configured, it also seeks to confirm that they are followed, maintained, updated regularly, etc. Each assessment item is multi-faceted and is a textbook example of ‘opening a can of worms.’

For example, let’s say you have a process for how access control is managed at your organization: Is it well documented? Is it reviewed periodically? If so, how often? Is it inclusive of this and that? But not this or that? How is it logged? What approvals are required to change the process and under what circumstances?

Many organizations that wait until further down the road to take on this type of lift fail to recognize the magnitude of the undertaking. Sure, they may have made a process for this or documented that, but their systems and processes will not be aligned with the regulations they need to comply with, and may not be configured to deliver necessary technical safeguards, which can have very serious implications for their businesses and their customers.

At Pearl, we recognize the need to embed compliance in everything we do from the onset. We’re hitting the ground running on our path to becoming HITRUST certified. Sure, we won’t be able to obtain our certification for quite some time given the resources needed — HITRUST advises most organizations take around 12-18 months for certification. However, by committing to this from the start, we’re able to architect our processes and systems in a compliant way that fully aligns with the assessment criteria.

In this series of blog posts, I’m going to document our journey to HITRUST certification. More to follow — stay tuned for part two.

Russell Fowles

Head of Technical Operations & Security, Pearl Health