In the latest episode of our Risk & Accounting Advisory podcast, National Technology Business Development Leader Marc Montoro is joined by Information Assurance & Cybersecurity Senior Managers Keith Jackson and Brian Kirk. Together, they discuss the basics of the HITRUST Framework, exploring its evolution from a healthcare focus to an industry-agnostic standard. Their conversation is packed with insights. From the foundational elements of HITRUST to its benefits and strategic advantages, discover how this robust framework can set your business apart. Tune in to learn why HITRUST certification might be your next step in safeguarding sensitive information and achieving compliance across various sectors.
Listeners will learn:
- What is HITRUST CSF?
- The benefits of being HITRUST Certified
- The different types of HITRUST Certification and the pros and cons of each
- How to become HITRUST Certified
HOST: Hi and welcome back to the Risk and Accounting Advisory podcast. I'm MARC MONTORO, National Technology Business Development Leader at Cherry Bekaert. Today I'm joined by Keith Jackson and Brian Kirk, who are both senior managers in our Information Assurance and Cybersecurity practice.
HOST: Today we're going to talk about the HITRUST security framework. We'll cover the foundational elements, starting with what it is, the available certification options, and which organizations would benefit from HITRUST certification. My clients are asking about it a lot, so I'm looking forward to hearing from Brian and Keith. Thanks for joining me today. Are you ready to get after it?
KEITH JACKSON: Absolutely, Marc. The HITRUST organization began back in 2007 focused on addressing growing concerns around PHI, or protected health information. Its original name was an acronym for Health Information Trust Alliance, but over the years HITRUST has become industry-agnostic.
KEITH JACKSON: HITRUST developed and maintains a risk and compliance framework called the HITRUST CSF, where CSF stands for Common Security Framework. This framework is certifiable and allows organizations to demonstrate compliance with a robust set of controls.
HOST: You mentioned healthcare origins but also other frameworks and industries. How was HITRUST developed?
BRIAN KIRK: HITRUST developed a control library by integrating multiple regulatory requirements and best practices into a comprehensive framework, the HITRUST CSF. It incorporates controls from other authoritative sources, including HIPAA, HITECH, ISO, and PCI.
BRIAN KIRK: Essentially, HITRUST performed a mapping exercise across multiple frameworks, such as NIST and ISO, to identify common controls and build their control library. Companies can tailor that control set based on specific risk factors, which is unique to the R2 assessment.
BRIAN KIRK: HITRUST also built in a control maturity model with different maturity levels depending on the assessment type. For an R2 assessment there are five maturity levels: policy, procedure, implemented, measured, and managed. For I1 or E1 assessments, the maturity model is the implemented level.
BRIAN KIRK: HITRUST conducts continuous updates to their assessment library. For example, when revisions are issued to NIST 800-171, HITRUST reviews their library and updates it as needed based on changes to the authoritative sources they rely upon.
KEITH JACKSON: When you dig into an E1, I1, or R2 assessment, each assessment is broken into 19 domains, from access control to mobile device and endpoint protection, privacy, and more. That is basically how HITRUST developed this framework.
HOST: Does HITRUST remain specific to healthcare?
BRIAN KIRK: Initially it was focused on healthcare and helping organizations comply with HIPAA and HITECH. Over time, HITRUST expanded its scope and became industry-agnostic. The HITRUST CSF now incorporates controls from regulatory and industry frameworks, making it applicable to financial services, defense contracting, and other sectors beyond healthcare.
KEITH JACKSON: As part of moving away from a healthcare focus, the framework is tailored to protect any type of data an organization wants to protect. Examples include credit card information subject to PCI, personally identifiable information covered by GDPR or CCPA, and non-public customer information for banking and financial services.
KEITH JACKSON: HITRUST can also address governmental and best-practice standards such as FedRAMP, StateRAMP, and various ISO and NIST frameworks. Essentially, the HITRUST CSF is designed to protect any type of important data and offers a certification to demonstrate compliance with the framework.
HOST: That helps us understand the what. What are the benefits of getting HITRUST certified?
KEITH JACKSON: HITRUST certification demonstrates that an organization adheres to strict requirements for protecting data. Benefits include helping the organization meet regulatory requirements like HIPAA, PCI, and others.
KEITH JACKSON: Certification provides assurance to third parties that you maintain an appropriate environment for security and privacy of their data. From a business development perspective, it can differentiate an organization from competitors and help win contracts.
KEITH JACKSON: There are also developments in cyber insurance. HITRUST announced a partnership with a cyber insurance provider, Trium, offering a cyber insurance product exclusively to HITRUST–certified organizations, potentially at a lower cost.
BRIAN KIRK: The benefits you highlighted translate into financial impacts: retaining clients, winning new contracts, and potentially reducing insurance costs. Those are significant considerations.
HOST: Is HITRUST certification one-size-fits-all, regardless of company size, maturity, or industry?
BRIAN KIRK: HITRUST can be right-sized to fit the needs of an organization. Often organizations receive HITRUST requirements from third parties. When engaging a client, we first understand the requirements and where they originate, then right-size HITRUST appropriately.
BRIAN KIRK: There are three assessment types: E1, I1, and R2, each providing varying levels of assurance. The E1 assessment offers a foundational level of assurance with a fixed set of 44 controls. The I1 assessment offers moderate assurance with 182 controls. The R2 assessment provides the highest assurance, covering comprehensive risk management and allowing tailoring of the control set based on risk factors.
BRIAN KIRK: For an R2 assessment, you scope the assessment in HITRUST's MSF tool. You complete the scoping section and input risk factors, and the tool determines the number of requirements in scope. It's important to take a measured approach to identify the appropriate level and tailor the control set to your needs.
HOST: What are the pros and cons of each certification level? Why would a company choose one over another?
KEITH JACKSON: There are pros and cons to each assessment. Starting with E1: it's the baseline certification and the easiest entry point to HITRUST. It has 44 controls and tests only the implemented maturity level, so the level of effort and cost are low.
KEITH JACKSON: The main con of E1 is the lower level of assurance, which may not meet third-party assurance needs. E1 is appropriate for smaller organizations with lower risk or complexity that need certification for specific reasons.
KEITH JACKSON: The I1 assessment is the middle option. It has 182 controls and still tests only the implemented maturity level. It requires more effort and cost than E1 but less than R2. A key pro is the rapid recertification: after year one tests all 182 controls, year two may only require retesting around 60 controls if you scored well, saving time and money.
KEITH JACKSON: The cons of I1 are the increased controls and costs compared to E1 and that its assurance level is lower than R2. I1 suits medium to large organizations with a moderate risk profile and established information security processes.
KEITH JACKSON: The R2 assessment is the most comprehensive and offers the highest level of assurance. It's risk-based and tailored to the organization. Depending on complexity and regulatory factors like HIPAA and PCI, you could have 300 to 500-plus controls in scope.
KEITH JACKSON: One major pro of R2 is the ability to "test once and apply many": you can include multiple regulatory factors into one assessment and demonstrate compliance across those requirements. The cons are higher cost and effort, and all controls must be tested within a 90-day window, which is a tight but doable timeframe.
BRIAN KIRK: Many companies that need R2 certification start with a phased approach. They may begin with E1 in year one, move to I1 in year two, and then achieve R2. Each assessment builds on the prior one, and this laddered approach can make the large lift to R2 more manageable.
KEITH JACKSON: That is why HITRUST implemented the I1 assessment around 2022 and the E1 assessment in 2023, to create a bridge for organizations transitioning to R2.
HOST: Is there a requirement to use an external assessor firm for HITRUST certification?
KEITH JACKSON: Yes. HITRUST requires organizations seeking certification to be assessed by a HITRUST–certified external assessor firm. Only specific firms are approved by HITRUST to assess organizations for certification.
KEITH JACKSON: You would contact one of those approved firms, such as Cherry Bekaert, to start the engagement. Not all assessor firms have the same experience, so engage a firm experienced with HITRUST that knows the ins and outs and has a deep bench to support certification.
HOST: That was helpful and aligned with questions I'm discussing with clients. For upcoming resources, check www.bh.com/events for an upcoming webinar, "HITRUST CSF: A Comprehensive Overview," airing Tuesday, November 12 at 1:00 p.m. Eastern. The webinar is eligible for two CPE hours, and a recording will be available on our website if you cannot attend live.
HOST: For more information on HITRUST, SOC reporting, information security, cyber risks, and migration strategies, visit www.cbcommunitybank.com.
HOST: Thanks, Keith and Brian.