Contact Us

HITRUST™ on Amazon Web Services (AWS)


The HITRUST CSF™ is growing in popularity — it’s used by 26.4% of healthcare companies as their cybersecurity framework for HIPAA compliance, according to the 2018 HIMSS Cybersecurity Survey.

While HITRUST certification is a competitive differentiator for healthcare software and services companies in 2018, it will likely be table stakes in the next 1-3 years. The big health insurance companies are asking all of their vendors for proof of HITRUST certification, and it’s wise to begin thinking about it now — before lack of HITRUST certification hurts your business.

Last week, VP of Product Steve Zeller gave a information-packed webinar on the topic of HITRUST on Amazon Web Services (AWS), through the story of a healthcare SaaS company that Logicworks recently helped to build a HITRUST-compliant cloud.


Watch the Webinar Replay:


Highlights from the Webinar:


  • In June 2015, several of the largest adopting organizations announced that in roughly two years, they would only work with Business Associates that had achieved HITRUST CSF™ certification. This has caused a dramatic rise in interest in the HITRUST CSF, particularly for software and digital health companies who sell services to these companies.
  • The HITRUST CSF integrates the requirements of the HIPAA Security Rule with the standards of NIST, HITECH, PCI DSS, and other controls, facilitating a unified control rationalization.
  • The HITRUST CSF is a cybersecurity framework that can be used (like NIST, ISO, etc.) as a foundation for your HIPAA assessment
  • According to HITRUST, the HITRUST CSF is equal to “credible HIPAA compliance”
  • HITRUST states that the HITRUST CSF certification has been previously accepted by the OCR as supplementary evidence of compliance with HIPAA
  • HIPAA addresses compliance only; HITRUST promotes security while addressing compliance

The HITRUST Assessment Process

  • Begin with a Self-Assessment so that you can work out kinks prior to formal Assessment
  • You must be audited by a CSF Assessor
  • The Assessment is scored from 0% – 100% across five levels: Policy, Procedure, Implemented, Measured, and Managed
  • Must get a score of 71.00 or greater in each control in order to pass Assessment without a Corrective Action Plan
  • Corrective Action Plans must be accomplished by Interim Assessment

Real-Life Example: A Population Health SaaS Company

  • A subsidiary of a major health insurance company that provides online diabetes and weight loss support had existing relationship with AWS + Logicworks
  • Desire to rebuild environment to HITRUST standards in <6 months
  • Company chose CSF Assessor (Coalfire), got access to MyCSF Portal (starts at $12,500 for yearly subscription)
  • Process starts by identifying set of controls that apply to your organization — company determined that they would need to satisfy about 375 separate controls
  • Of those 375 controls, they were responsible for about 200, and Logicworks and AWS for about 175
  • AWS takes care of physical security controls, Logicworks takes care of all infrastructure-level security configurations, company takes care of application and personnel controls
  • The company realized that most of the effort of HITRUST certification is in collecting, managing, and updating documentation related to controls already in place
  • Most of the infrastructure-level controls that were implemented by Logicworks were related to the following CSF domains: Information Protection Program, Vulnerability Management, Network Protection, Password Management, and Data Protection & Privacy.
  • Automation is key to continuous compliance; Logicworks uses services like AWS CloudFormation, Puppet, Chef, Ansible, and AWS’ deployment services like AWS CodeDeploy to ensure that IT controls are maintained even as cloud environments change.
  • Rearchitect process lasted 6 months, and company passed their HITRUST audit in March 2017.
  • Logicworks reduced their time-to-compliance by 6-8 months

To learn more about Logicworks’ Cloud Services for healthcare, contact us or visit our website at


Posted on April 5, 2018 in Cloud Compliance, Cloud Security, DevOps

Share the Story

About the Author

Logicworks is a cloud automation and managed services provider with 20+ years of experience in IT operations. To learn more about Logicworks, contact us at (212) 625-5300 or
Back to Top