Governance, Risk, and Compliance — HITRUST

By Scott Ellis, Security Consulting Practice Lead for Healthcare & Federal

Insight is now an authorized HITRUST External Assessor

Recognizing HITRUST as the premier security and privacy framework and the industry’s best platform for Governance, Risk, and Compliance (GRC) security and privacy assessment, I’m pleased to say that Insight is now an official HITRUST External Assessor (EA) Organization. After a rigorous authorization process, we now have several senior security consultants certified in HITRUST both as Certified Common Security Framework (CSF) Practitioners and Certified HITRUST Quality Professionals (CCSFP and CHQP). Insight has made a solid investment in HITRUST and our security practitioners are best of breed.

As an approved EA Organization, Insight can now assist organizations in performing formal HITRUST Readiness Assessments (formerly Self-Assessment) to evaluate how their control environments align to the HITRUST CSF — this is a first step prior to conducting a Validated Assessment. The Readiness Assessment results in a report, the deliverables of which include an overview of the organization’s current state as well as a corrective action plan.

Insight is also certified by HITRUST to certify an organization’s HITRUST compliance through a Validated Assessment. A Validated Assessment results in issuance of two reports: the HITRUST CSF Report and the NIST CSF Report. Certified organizations are also issued a letter of certification or validation.


While HITRUST was originally designed in 2007 as an information security framework for the healthcare industry, the HITRUST CSF expanded beyond healthcare in version 9.2, becoming applicable across all industries in 2021. It is now completely industry-agnostic, so all industries may benefit from the HITRUST security and privacy framework.

The HITRUST CSF is an overarching standard encompassing all leading and authoritative sources relevant to information security and privacy. The intent of HITRUST is to harmonize existing controls and requirements spanning local, federal, and business regulations and third-party standards, incorporating the highest compliance and risk management principles, to define a process that effectively and efficiently evaluates the organization’s compliance and security risk with the goal of HITRUST CSF Certification — the industry’s most recognized standard for comprehensive data protection and compliance.

Why Insight for HITRUST

What makes HITRUST so attractive for Insight clients is that it not only allows organizations to custom-tailor security controls to fit their specific needs, but it also does the heavy lifting of including and maintaining many authoritative sources and regulatory requirements such as HIPAA, PCI DSS, NIST, CMMC, GDPR, ISO, and other state regulatory requirements. HITRUST has taken ownership of updating authoritative sources, meaning organizations that operate within the HITRUST framework are relieved of the footwork it takes to ensure compliance is up to date. As a result, HITRUST operates as a one-stop shop for meeting all of an organization’s security and privacy needs. And now, with Insight certified to carry out HITRUST assessment and validation, the process has become even more attainable for our clients.

Every organization must perform risk management and assess its security posture, and at Insight, we’re confident HITRUST is the optimal platform for doing so. While many standards bodies do not offer certification, HITRUST does, looking across 19 domains of security and including more than 150 security and privacy controls with multiple implementation levels. It is a robust security and privacy framework that is designed to meet all of your organizational security and privacy needs. If aligning your organization to HITRUST standards is something your organization is interested in pursuing, you can save time and money with Insight, as we can offer both HITRUST Readiness Assessments and HITRUST Validation or Certification.

You can learn more about the HITRUST approach and the role of approved EA Organizations at HITRUST’s website. If you have any questions about Insight’s role and what we can do for you, please reach out to Scott Ellis, leader of Insight’s Healthcare Security Consulting Practice: