HITRUST on Google Cloud: A Guide for Getting Started

Cloudticity, L.L.C.

Healthcare organizations often choose to build and run their applications on public cloud platforms for their flexible pricing, scalability, security, and cutting-edge technologies. Many also recognize the potential benefits of using cloud services to accelerate HITRUST certification.

HITRUST certification can provide tremendous benefits to healthcare organizations. By proving compliance with strict healthcare regulations for data security and privacy, including HIPAA (the Health Insurance Portability and Accountability Act of 1996), organizations can enhance competitive differentiation, open new business opportunities, and speed sales cycles.

Pursuing HITRUST certification can be costly and time-consuming, but cloud services can streamline that effort. By building on Google Cloud, for example, your organization can experience all the benefits of cloud services while avoiding a significant portion of work required for achieving HITRUST certification.

What Is HITRUST?

Founded in 2007, HITRUST (originally an acronym for the Health Information Trust Alliance) is a privately held organization that is today a leading source for standards development and certification. It is dedicated to programs that safeguard sensitive information and manage information risk for organizations across industries.

The HITRUST Common Security Framework (CSF) is a comprehensive, standardized, and certifiable framework designed to help organizations manage the risks of sensitive data and comply with regulations. In addition to HIPAA, the framework can be used to address requirements for the Health Information Technology for Economic and Clinical Health (HITECH) Act; International Organization for Standardization (ISO) standards; the European Union’s General Data Protection Regulation (GDPR); the Payment Card Industry Data Security Standard (PCI DSS); and more.

The CSF is continuously updated to help ensure organizations can protect themselves from emerging threats and comply with evolving standards. CSF v11 is the most recent update.

What Is HITRUST Certification?

HITRUST certification was initially developed for the healthcare industry, though now it is used by organizations in a wider array of industries. Healthcare organizations use HITRUST certification to demonstrate their compliance with key regulations, such as HIPAA and HITECH. Previously, organizations could not easily prove that they were adequately securing Protected Health Information (PHI). Partner businesses and patients did not realize that many organizations were not in fact complying with the HIPAA Security Rule.

Though complying with HIPAA is mandatory, HITRUST certification is voluntary. Still, a growing number of hospitals and other institutions require their vendors to be certified.

HITRUST offers three certification and assessment options:

  • HITRUST Essentials 1-year (e1) Assessment: An entry-level validated assessment and certification.

  • HITRUST Implemented, 1-year (i1) Assessment: An assessment that provides a moderate level of assurance that organizations have adequately addressed cybersecurity threats.

  • HITRUST Risk-based, 2-year (r2) Assessment: The most rigorous assessment, with the most comprehensive set of control requirements. An interim assessment must be conducted every other year.

How Is HITRUST CSF Certification Earned?

HITRUST sets a high bar for certification. The multi-step process for an r2 assessment typically includes:

  • Conducting a self-assessment using HITRUST software
  • Working with an external assessor to close gaps
  • Preparing a validated assessment report with the assessor
  • Submitting the assessment to HITRUST for auditing
  • Receiving certification
  • Conducting an interim assessment every other year
  • Repeating the full process every two years

This process can be time-consuming and expensive. Depending on which HITRUST assessment your organization chooses, initial certification could take six months to a year—requiring your team to spend hundreds of hours on the project.

How Does Google Cloud Help with HITRUST Certification?

Moving to Google Cloud can help you accelerate the HITRUST certification process. Currently, Google Cloud offers 157 services that have already achieved HITRUST certification. Here are just a few examples:

  • AI Platform Training and Prediction
  • API Gateway
  • AutoML Natural Language
  • BigQuery
  • Cloud Billing
  • Cloud Healthcare
  • Cloud Life Sciences (formerly Google Genomics)
  • Document AI Warehouse
  • Generative AI on Vertex AI
  • Google Kubernetes Engine
  • Healthcare Data Engine (HDE)
  • IoT Core
  • Identity & Access Management (IAM)
  • Sensitive Data Protection

If your organization uses any Google Cloud services that are HITRUST certified, you can “inherit” controls from Google Cloud and apply them to your own HITRUST assessment. In other words, you can avoid implementing controls that Google Cloud has already implemented. Inheriting controls can significantly reduce the time and effort you need to invest in the certification process. 

Google Cloud also offers Assured Workloads, which are designed to simplify the path to running more secure and compliant workloads on the platform. The HITRUST Assured Workload (currently available as a preview) sets support access controls for first-level support personnel located in the United States.

The Shared Responsibility Model

Google Cloud has adopted a shared responsibility model for cloud security. So, for example, while the Google Cloud team is always responsible for its platform infrastructure and network, customers are always responsible for their access control policies and data. (See the Google Cloud shared responsibility matrix.)

Meanwhile, responsibility for other services depends on the customer’s deployment model. For example, when an organization has an Infrastructure-as-a-Service (IaaS) deployment, that organization is responsible for access policies, web application security, and network security. If the organization has a Software-as-a-Service (SaaS) deployment, it is responsible only for the access policy; Google Cloud takes responsibility for the rest. 

HITRUST certification is also a shared responsibility with Google Cloud. While you can inherit controls from a HITRUST-certified service from Google Cloud, it is still your organization’s responsibility to double-check all parameters and ensure controls are configured correctly.

Benefits of Using the Google Cloud Infrastructure

Google Cloud ranks among the top cloud platforms. Organizations often choose Google Cloud because of their team’s familiarity with the company’s tools, including the productivity tools in Google Workspace. Google also offers competitive pricing, extensive resources, easy scalability, and strong security.

Pricing

Google Cloud is dedicated to offering transparent and competitive pricing. You can start exploring Google Cloud for free. If you decide to move forward with the platform, you pay only for the resources you use, allowing you to avoid large upfront costs and giving you the flexibility to increase or decrease your services as needed. At the same time, the platform offers significant discounts when you pre-pay for services.

Resources

Google Cloud helps organizations get up to speed quickly on emerging cloud technologies through training and certification resources. The Google Cloud Skills Boost platform provides a range of online learning, skills development, and certification opportunities.

Scalability

With Google Cloud, you have multiple ways to scale your cloud environments to meet shifting requirements. For example, the platform’s managed instance groups allow you to seamlessly scale virtual machines up or down. Serverless computing options provide managed compute, database, and other services that scale up rapidly. And autoscaling enables you to dynamically expand resources used by your application as demand fluctuates. 

Security

Google Cloud employs the same robust security capabilities that Google uses to keep millions of people safe online. The cloud platform incorporates threat intelligence; modern security operations for detecting, investigating, and responding to threats; and a secure-by-design and secure-by-default infrastructure with controls for maintaining digital sovereignty. 

Massive Ecosystem

Google Cloud has a deep portfolio of services. You can access a range of compute and storage resources, developer tools, databases, productivity apps, analytics and AI tools, security capabilities, and more. Because many of those services are already HITRUST certified, you can build on Google Cloud without constraints—while also reducing the effort for maintaining regulatory compliance and achieving HITRUST certification. In addition, Google Cloud enables you to capitalize on hundreds of partnerships and software integrations within its data and AI ecosystem.

How Much Does HITRUST Certification Cost?

The cost of HITRUST certification can vary according to the assessment you choose and your organization’s risk profile. See how much HITRUST certification might cost for your organization: Try the free Cloudticity HITRUST Cost Calculator tool.

HITRUST Acceleration

Because Google Cloud has already met key HITRUST benchmarks, and since you can inherit many controls, Google Cloud can help you significantly accelerate the process of achieving HITRUST certification. This HITRUST acceleration is such a value-add for healthcare companies that many are migrating to Google Cloud and other cloud platforms primarily to simplify HITRUST certification.

Want to learn more about how your organization can accelerate HITRUST certification with Google Cloud and Cloudticity? Schedule a free consultation.
