The Difference between HITRUST i1 and r2

Julie Butterfield July 5, 2022

HITRUST is the most widely adopted security and privacy framework in the healthcare industry, and it’s required by more than 84% of hospitals and health plans, according to Healthcare Weekly. We talked with 360 Advanced’s Practice Director Ryan Winkler, our HITRUST authority, about the HITRUST Risk-based, 2-year (r2) Validated Assessment + Certification, and the newly released HITRUST Implemented, 1-year (i1) Validated Assessment + Certification.

Can you explain what HITRUST is?
HITRUST is a standard that was derived from other standards and authoritative sources. The standard is meant to allow organizations to enhance transparency and assurance, and to simplify the process of evaluating compliance and security risk.

What is an i1 certification and why was it developed?
The i1 was released towards the end of 2021. The reason it was developed is twofold. First, it delivers a relatively moderate level of assurance for information-sharing environments with lower risk thresholds. It is designed around relevant information security risks and emerging cyber threats and includes a combination of good security hygiene controls and best-practice controls. Second, the i1 is a best-practices assessment, meaning the standard is meant to stay current with emerging cybersecurity risks. This is a main driver for why the i1 is a 1-year certification.

What differentiates i1 and r2?
i1 is a one-year certification. r2 is a two-year certification with an interim assessment required after the first year. Evaluation of i1 requirements is only at the implementation level. The r2 requires evaluation against the policy, process, implemented, optionally measured, and managed maturity levels. Further, the i1 is a static set of 219 requirements. The r2 requirement count, which can be up to 2000+ requirements, is derived based on the organization’s general, organizational, geographical, technical, and regulatory risk factors.

To pass an r2 assessment, organizations need to achieve a PRISMA score of at least 3 in each domain to be eligible for certification. Scoring for the i1 is a tad simpler and requires a raw score of 83% in each domain to be eligible for certification.

What makes HITRUST i1 different from other cybersecurity frameworks, such as SOC?
HITRUST i1 utilizes a threat-adaptive framework that is meant to stay current with today’s threat landscape, so it will be updated more frequently than other frameworks. A scoring model is utilized to assess compliance with requirements within the i1 assessment.