Guest blog by HITRUST Integration Partner Crowe LLP
Problem Statement: Third-party assessments can take months to complete, requiring labor- and time-intensive manual reviews. These timelines are often unacceptable to business relationship owners. When third-party risk management (TPRM) timelines compound upon additional procurement processes, business owners may be unable to react quickly to business opportunities, may experience a loss of revenue, or may be unable to meet new customer or compliance requirements in a timely manner.
Break away from the notion that HITRUST is only for the healthcare community. Industry-agnostic, consistent controls allow insight into the operational maturity of each specific control category. Because SOC 2 reports are tailored to each organization’s system, scope, and control language, they can be mapped to standardized control sets, but not with the same consistency or comparability across vendors that a more prescriptive framework like HITRUST provides. HITRUST provides the granular control details, which TPRM teams can map to internal controls, as well as customer and regulatory requirements. With coverage over a majority of industry standard security and privacy controls, TPRM teams can focus on asking engagement-specific, pointed due diligence questions resulting in thoughtful risk reduction.
It’s in the name; HITRUST aims to promote supply chain trust and transparency. One way it enables customers to do so is via its free Results Distribution System and HITRUST TPRM Services (via ServiceNow) solutions. These tools allow you to exchange HITRUST reports with your supply chain, removing the need for manual vendor or customer outreach. Your HITRUST report is available to your customers as soon as it is issued, and the results of your third parties are ingested in real time for your review.
Coverage: HITRUST offers three certifications, e1 (Essentials 1-year certification consisting of 43 cyber hygiene controls), i1 (Implemented 1-year certification consisting of 182 controls), and r2 (200+ risk-based controls), for organizations of all sizes and maturity. As shown in the table below, the r2 provides an average of 99% coverage over industry baselines for Security and Privacy controls. The i1 provides 73% and 27% coverage over industry baseline Security and Privacy controls, respectively. The e1, with the lowest percentage of overlap, serves as a basic cybersecurity “Essentials” certification for small businesses or startups which may not be aligned with another information security framework.
| Framework Area | Count Per Area | e1 Coverage | i1 Coverage | r2 Coverage |
|---|---|---|---|---|
| Security | 198 | 28% | 73% | 98% |
| Privacy | 22 | 23% | 27% | 100% |
| AI | 17 | 0% | 0% | 100% |
Analysis provided by HITRUST
Many organizations that elect to accept HITRUST r2 reports meeting acceptable maturity levels can rely on them to cover TPRM due diligence entirely. Third-party assessments where HITRUST reports are provided by the third party are completed 33% faster (<40 days vs. 60 days), based on average timelines for vendor questionnaires and follow-up question turnaround for Crowe clients in regulated industries. Assessor time per review is reduced by ~50% when HITRUST reports are provided.
Based on Crowe analysis, assessments involving third parties that provided a HITRUST r2 or i1 report demonstrated potential cost savings of up to 45% compared to vendors with no certification or attestation report, and up to 33% compared to vendors providing a SOC 2 report. Unlike HITRUST reports, SOC 2 reports can vary significantly in control implementation and testing approach depending on the organization and audit firm, often requiring more detailed, case-by-case review by TPRM assessors. HITRUST’s standardized control framework and consistent level of testing depth enable more efficient mapping to internal TPRM questionnaires and a more streamlined assessment process. Promoting HITRUST throughout your supply chain could result in immediate efficiencies and cost savings for your program.
Leveraging these efficiencies, your TPRM program can promote business buy-in to TPRM processes by shortening the onboarding process. Additionally, this allows you to spend less time on administrative tasks and more time validating inherent risk, tracking findings, and fine-tuning continuous monitoring procedures or other steps of the third-party lifecycle. For organizations struggling with vendor assessment volume, program development, and a lack of TPRM expertise, Crowe LLP can step in to support you, enabling you to get the most out of your HITRUST-focused program. Crowe’s team of global cybersecurity experts provides support for companies addressing new issues and challenges.