Health Insurance Portability and Accountability Act (HIPAA) compliance is a continual challenge for healthcare organizations. Faced with a tangle of nuanced regulatory standards and requirements, a staggering 69 percent are non-compliant and subject to costly penalties. HITRUST CSF certification helps organizations achieve HIPAA compliance, along with many other standards. As healthcare organizations increasingly recognize the importance of HIPAA compliance, more are seeking to become HITRUST certified.

However, the HITRUST CSF process brings its own set of challenges, and completing it can be a difficult and protracted journey. AWS makes it considerably easier with a secure, agile infrastructure and a slate of tools and services that customers can use to keep their workloads compliant, which in turn helps accelerate the HITRUST certification process.


What is HITRUST?

The Health Information Trust Alliance is a private company that developed and maintains its own cybersecurity framework to help organizations manage information risk and achieve HIPAA compliance.

The framework, called the HITRUST CSF (Common Security Framework), encompasses and harmonizes aspects of other common security frameworks including HIPAA, PCI, ISO, DSS, COBIT, and NIST, and provides a set of controls that meet their requirements.

Organizations can use the HITRUST CSF to guide the implementation of HIPAA-compliant practices and ensure they have the right security controls in place to reduce the risk of data breaches.

According to the alliance, HITRUST “was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” It provides a set of 135 prescriptive controls to meet the HIPAA security and privacy rules. These controls are prioritized and implemented in phases to enable healthcare organizations to balance risk mitigation measures with their resource, skill, and budgetary constraints. Once all necessary remediations are implemented, organizations can demonstrate HIPAA compliance by receiving a HITRUST certification.

HITRUST Certification Process

HITRUST certification is a way for healthcare organizations to demonstrate compliance with HIPAA. As HIPAA doesn’t prescribe what practices and security controls organizations should implement to meet its regulatory requirements, healthcare organizations have historically used signed or verbal agreements to assure business partners they had the proper security controls and practices in place for HIPAA compliance.

HITRUST replaces these agreements, which couldn’t be easily validated, with a vetted assessment and certification process. A HITRUST certification allows healthcare organizations to show that they are operating in line with HIPAA guidelines and requirements and establish themselves as a trusted business partner.

The HITRUST certification process includes three levels of assessment called Degrees of Assurance. Each assessment builds on the previous one and receives more thorough vetting:

CSF Self-Assessment

Organizations begin with their own independent assessment using the myCSF tool. After answering a series of questions, the organization receives a customized HITRUST assessment of how well its particular environment meets the applicable compliance standards. The myCSF tool issues a self-assessment report identifying areas where the organization already complies with HITRUST criteria and areas where it needs improvement.

CSF Validated

After completing the self-assessment and taking the recommended corrective actions to meet compliance requirements, the organization can engage a third party to confirm that it meets the relevant HITRUST criteria. A HITRUST-approved CSF Assessor makes an on-site visit to verify the information the organization gathered during the self-assessment and issues a validated report.

CSF Certified

For the final Degree of Assurance, the organization submits its validated assessment to HITRUST for review. HITRUST examines all the information gathered by the organization together with the CSF Assessor’s findings and, if satisfied, grants the organization a HITRUST CSF certification. The certification is good for two years, after which the organization’s compliance must be assessed again.

How AWS Helps Customers Achieve HITRUST CSF Certification

The HITRUST CSF is rigorous and achieving HITRUST certification can be expensive and time-consuming. AWS offers several ways to reduce the cost and complexity of HITRUST certification while speeding up the process.

AWS follows the Shared Responsibility Model for security and compliance — AWS manages the security of the cloud, while the customer is responsible for security in the cloud. Essentially, AWS offers a compliance-ready infrastructure and provides customers with the necessary tools and services to ensure their workloads in AWS cloud are compliant.

Among these is a suite of AWS-native tools and services customers can use to isolate their resources, secure workloads, and encrypt and conceal PHI (protected health information). AWS also connects customers with AWS Healthcare and Life Sciences Competency Partners to help them manage their compliance requirements. For customers who need a business associate agreement under HIPAA, AWS offers a standard Business Associate Addendum (BAA) to the AWS Customer Agreement, which takes into account the unique services AWS provides and accommodates the AWS Shared Responsibility Model.

Another way AWS helps facilitate HITRUST certification is through automation. Achieving the certification isn’t a one-time effort: healthcare organizations must prove they have implemented the proper controls and maintain continuous compliance, and that requires automation. Because AWS exposes its services through APIs, customers can automate infrastructure management and verification, which lets them satisfy the controls required for HITRUST certification more quickly and keep them satisfied over time.

Enlist a Partner with AWS Experience

With its robust tools for implementing and maintaining continuous monitoring of your environment, AWS can significantly accelerate the HITRUST certification process. But migrating to and managing an AWS environment requires expertise many healthcare organizations don’t have.

An MDR provider can help ensure you’re following the architectural principles that will keep your environment secure and compliant. It can also help you achieve comprehensive visibility into your environment and provide a range of reports showing where you meet the requirements of specific HITRUST CSF control categories and where you are falling short, so you can move more quickly toward HITRUST certification.

Learn more about how Fortra’s Alert Logic MDR can help your organization navigate HITRUST CSF. To find out more about HITRUST compliance, check out: What You Need to Know About HITRUST Compliance.

About the Author
Antonio Sanchez
Antonio Sanchez is Fortra’s Principal Evangelist. He has over 20 years of experience in the IT industry focusing on cyber security, information management, and disaster recovery solutions to help organizations of all sizes manage threats and improve their security posture.
