Healthcare Cloud Blog | Cloudticity

HITRUST on Azure: A Guide for Getting Started | Cloudticity

Written by Josh Ray | Jun 28, 2024 2:25:50 PM

HITRUST certification can be extremely valuable to healthcare organizations. By proving compliance with strict healthcare regulations for data security and privacy, including HIPAA (the Health Insurance Portability and Accountability Act of 1996), organizations can enhance competitive differentiation, open new business opportunities, and accelerate sales cycles.

While pursuing HITRUST certification can be costly and time-consuming, using cloud services can streamline that effort. By building on Azure, for example, you gain all the benefits of cloud services while potentially eliminating a portion of the work needed to achieve HITRUST certification.

What Is HITRUST?

Founded in 2007, HITRUST (originally an acronym for the Health Information Trust Alliance) is a privately held organization that is today a leading source for standards development and certification. It is dedicated to programs that safeguard sensitive information and manage information risk for organizations across industries.

The organization’s HITRUST Common Security Framework (CSF) is a comprehensive, standardized, and certifiable framework designed to help organizations manage the risks of sensitive data and comply with regulations. In addition to HIPAA, it covers the Health Information Technology for Economic and Clinical Health (HITECH) Act; International Organization for Standardization (ISO) standards; the European Union’s General Data Protection Regulation (GDPR); the Payment Card Industry Data Security Standard (PCI DSS); and more.

The CSF is continuously updated to help ensure organizations can protect themselves from emerging threats and comply with evolving standards. CSF v11 is the most recent update.

What Is HITRUST Certification?

HITRUST certification was initially developed for the healthcare industry, though now it is used by organizations in a wider array of industries. Healthcare organizations use HITRUST certification to demonstrate their compliance with key regulations, such as HIPAA and HITECH. Previously, organizations could not easily prove that they were adequately securing Protected Health Information (PHI). Partner businesses and patients did not realize that many organizations were not in fact complying with the HIPAA Security Rule.

Though complying with HIPAA is mandatory, HITRUST certification is voluntary. Still, a growing number of hospitals and other institutions require their vendors to be certified. 

HITRUST offers three certification and assessment options:

  • HITRUST Essentials 1-year (e1) Assessment: An entry-level validated assessment and certification.

  • HITRUST Implemented 1-year (i1) Assessment: An assessment that provides a moderate level of assurance that organizations have adequately addressed cybersecurity threats.

  • HITRUST Risk-based 2-year (r2) Assessment: The most rigorous assessment, with the most comprehensive set of control requirements. An interim assessment must be conducted every other year.

How Is HITRUST CSF Certification Earned?

HITRUST sets a high bar for certification. The multi-step process for an r2 assessment typically includes:

  • Conducting a self-assessment using HITRUST software
  • Working with an external assessor to close gaps
  • Preparing a validated assessment report with the assessor
  • Submitting the assessment to HITRUST for auditing
  • Receiving certification
  • Conducting an interim assessment every other year
  • Repeating the full process every two years

Not surprisingly, this process can be time-consuming and expensive. Depending on which HITRUST assessment your organization chooses, initial certification could take six months to a year—requiring your team to spend hundreds of hours on the project. 

Does Azure Meet the Demands of the HITRUST Framework?

Azure has approximately 170 services that have achieved HITRUST CSF certification. Here are just a few examples:

  • API Management
  • Azure AI Search
  • Azure Cosmos DB
  • Azure DevTest Labs
  • Azure Health Bot
  • Azure Health Data Services
  • Azure Machine Learning
  • Microsoft Genomics
  • Multi-Factor Authentication

If your organization is using one of those services, you can inherit controls from Azure and apply them to your HITRUST assessment. Inheriting controls can significantly reduce the time and effort you need to invest in the certification process. 

You can also take advantage of the Azure HITRUST Blueprint to simplify your preparation for certification. The Blueprint, which is free, can help you identify a set of Azure services for ingesting, storing, analyzing, and interacting with data, as well as managing identity and security. It also includes a sample use case scenario, deployment template, automation scripts, list of relevant HIPAA/HITRUST requirements, and additional resources. 

The Shared Responsibility Model

Azure employs a shared responsibility model for information security. The Azure team is fully responsible for the physical security of data centers, the network, and hosts. Customers are fully responsible for accounts and identities, devices, and their own data. (See the Azure shared responsibility matrix.)

Meanwhile, Azure and its customers share responsibility for securing operating systems, apps, and network controls, depending on the type of deployment. So, for example, when customers have a Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS) deployment, Azure assumes responsibility for the operating system. In an Infrastructure-as-a-Service (IaaS) deployment, customers secure the operating system.

HITRUST certification is also a shared responsibility. If you are using a HITRUST-certified service from Azure, you can inherit Azure controls. But it is your organization’s responsibility to double-check all parameters to ensure controls are configured correctly.

Benefits of Using Azure Infrastructure

Azure continues to be among the leading cloud platforms available. Many organizations turn to Azure because they are already familiar with, or using, Microsoft tools and applications. Just as important, Azure offers the right combination of pricing flexibility, resources, scalability, and security for many businesses.

Competitive Pricing

Azure prides itself on offering competitive pricing. The company promises to match AWS prices for comparable services—and in many cases, it claims to beat AWS on cost. Meanwhile, like other cloud providers, Azure enables you to pay as you go, allowing you to avoid large upfront costs and giving you the flexibility to expand or reduce your cloud services as needed.

Resources

Because Azure was created by Microsoft—a large, well-established technology company—it’s not surprising that Azure has the infrastructure in place for providing a wealth of training and certification resources for users. Your teams can tap into self-directed training, instructor-led training, and Azure certifications to get up to speed quickly for building in the cloud.

Security

Azure continues to make significant investments in security capabilities. The cloud provider has implemented multi-layered security, spends heavily in security R&D, and employs thousands of cybersecurity experts to help customers meet data protection requirements. 

At the same time, Azure has a clear commitment to helping customers maintain compliance with regulatory requirements and industry standards. In addition to HITRUST certification, Azure helps ensure that its services are compliant with HIPAA, ISO, SOC, PCI, plus other regulations and standards. 

Scalability

Many organizations move to the cloud for its scalability. In healthcare, organizations might need greater IT resources for their services during certain times of the year, such as in the winter months, when respiratory illnesses often peak. 

Azure simplifies scaling. Your organization can scale up or out as needed, or take advantage of autoscaling to ensure you are always using the capacity you need. You pay only for the resources that you use.

Tap into the Azure Ecosystem

Azure has a broad portfolio with hundreds of services. You can access developer tools, databases, analytics services, machine learning and AI tools, security capabilities, and more. Because many of those services are already HITRUST certified, you can build without constraints—while also reducing the effort for maintaining regulatory compliance and achieving HITRUST certification.

How Much Does HITRUST Certification Cost?

The cost of HITRUST certification can vary according to the assessment you choose and your organization’s risk profile. See how much HITRUST certification might cost for your organization: Try the free Cloudticity HITRUST Cost Calculator tool.

Read the Blog: What’s the Cost of HITRUST?

HITRUST Acceleration

Because Azure has already met key HITRUST benchmarks, and you can inherit many controls, Azure can help you significantly accelerate the process of achieving HITRUST certification. This HITRUST acceleration is such a value add for healthcare companies, many are migrating to Azure primarily for simplifying HITRUST certification.

Want to learn more about how your organization can accelerate HITRUST certification with Azure? Schedule a free consultation to learn how Cloudticity can help.