In 2023, over two-thirds (68%) of r2 validated HITRUST assessments utilized external inheritance. That means a large majority of organizations that have completed the HITRUST assessment did not go it alone, and instead leveraged external partners to streamline the process.
What is inheritance and how can you, too, use it to your advantage? In this blog we’ll cover everything you need to know about inheritance, how to use it, and the best ways to get started.
HITRUST inheritance is a mechanism that allows organizations to leverage the compliance efforts of their third-party service providers. In essence, it means that if a service provider has already been assessed and certified against the HITRUST CSF, the organization using that provider’s services can inherit the applicable controls instead of undergoing a separate assessment for those controls.
For example, if your organization uses a cloud service provider that is HITRUST certified, such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP), you can inherit the controls related to cloud security from that provider. This saves time, reduces internal disruption, and lowers the costs associated with achieving and maintaining HITRUST certification.
One of the most significant advantages of HITRUST inheritance is the reduction in compliance costs. By inheriting controls from a certified provider, organizations can avoid the expenses associated with duplicative assessments and audits.
Achieving HITRUST certification can be a time-consuming process. Inheritance streamlines this process by allowing organizations to bypass the reassessment of controls that are already certified through their providers. This enables faster certification and quicker time-to-market for new services.
By leveraging the certified controls of trusted service providers, organizations can enhance their risk management practices. It ensures that they are adhering to proven security standards and benefiting from the robust security measures implemented by their providers.
Organizations can allocate their internal resources more effectively by focusing on unique controls specific to their operations rather than reassessing inherited controls. This allows for better utilization of expertise and resources within the organization.
Having the ability to inherit HITRUST-certified controls from reputable service providers increases confidence among stakeholders, including customers, partners, and regulators. It demonstrates a commitment to high standards of security and compliance.
If you think inheritance would benefit your organization, here's how to get started.
The first step is to identify which of your service providers are HITRUST certified and then find out if those providers offer inheritance or not. This information is typically available from the provider.
You can find a list of certified inheritance providers on the HITRUST website.
Determine which controls and domains are eligible for inheritance based on your provider’s certification. This requires a detailed review of the provider’s HITRUST assessment and the specific services they offer. Most providers will be able to share an inheritance matrix.
Integrate the inherited controls into your own HITRUST CSF assessment. This involves mapping the provider’s controls to your own compliance framework and ensuring that they meet your organization’s specific requirements. As you go through the HITRUST validated assessment process, you can use the MyCSF tool to map requirements and request inheritance from participating providers.
Even with inherited controls, it’s crucial to maintain continuous monitoring and periodic reviews to ensure ongoing compliance. Ensure that your providers remain HITRUST certified and that their controls continue to align with your compliance needs.
Maintain thorough documentation of inherited controls and the evidence supporting their certification. This is essential for your HITRUST assessment and for demonstrating compliance to auditors and other stakeholders.
HITRUST inheritance is a powerful feature that can significantly streamline the compliance process for organizations handling sensitive data. By leveraging the certified controls of trusted service providers, organizations can achieve cost savings, improve efficiency, and enhance their overall security posture.
With the Cloudticity HITRUST Inheritance Program, healthcare organizations can leverage our controls to streamline the certification process by 25-62%. To learn more about the HITRUST Inheritance Program, download the solution brief or schedule a free consultation today.