
HITRUST™ Compliance on AWS

The HITRUST CSF™ is growing in popularity — it’s used by 26.4% of healthcare companies as their cybersecurity framework for HIPAA compliance, according to the 2018 HIMSS Cybersecurity Survey.

While HITRUST certification is a competitive differentiator for healthcare software and services companies in 2018, it will likely be table stakes in the next 1-3 years. The big health insurance companies are asking all of their vendors for proof of HITRUST certification, and it’s wise to begin thinking about it now — before lack of HITRUST certification hurts your business.

Last week, VP of Product Steve Zeller gave an information-packed webinar on HITRUST on Amazon Web Services (AWS), told through the story of a healthcare SaaS company that Logicworks recently helped to build a HITRUST-compliant cloud.


Highlights from the Webinar:


  • In June 2015, several of the largest adopting organizations announced that in roughly two years, they would only work with Business Associates that had achieved HITRUST CSF™ certification. This has caused a dramatic rise in interest in the HITRUST CSF, particularly for software and digital health companies who sell services to these companies.
  • The HITRUST CSF integrates the requirements of the HIPAA Security Rule with the standards of NIST, HITECH, PCI DSS, and other controls, facilitating a unified control rationalization.
  • The HITRUST CSF is a cybersecurity framework that can be used (like NIST, ISO, etc.) as a foundation for your HIPAA assessment
  • According to HITRUST, the HITRUST CSF is equal to “credible HIPAA compliance”
  • HITRUST states that the HITRUST CSF certification has been previously accepted by the OCR as supplementary evidence of compliance with HIPAA
  • HIPAA addresses compliance only; HITRUST promotes security while addressing compliance

The HITRUST Assessment Process

  • Begin with a Self-Assessment so that you can work out kinks prior to formal Assessment
  • You must be audited by a CSF Assessor
  • The Assessment is scored from 0% – 100% across five levels: Policy, Procedure, Implemented, Measured, and Managed
  • Must get a score of 71.00 or greater in each control in order to pass Assessment without a Corrective Action Plan
  • Corrective Action Plans must be accomplished by Interim Assessment

Real-Life Example: A Population Health SaaS Company

  • A subsidiary of a major health insurance company that provides online diabetes and weight loss support had an existing relationship with AWS + Logicworks
  • Desire to rebuild environment to HITRUST standards in <6 months
  • Company chose CSF Assessor (Coalfire), got access to MyCSF Portal (starts at $12,500 for yearly subscription)
  • Process starts by identifying set of controls that apply to your organization — company determined that they would need to satisfy about 375 separate controls
  • Of those 375 controls, they were responsible for about 200, and Logicworks and AWS for about 175
  • AWS takes care of physical security controls, Logicworks takes care of all infrastructure-level security configurations, company takes care of application and personnel controls
  • The company realized that most of the effort of HITRUST certification is in collecting, managing, and updating documentation related to controls already in place
  • Most of the infrastructure-level controls that were implemented by Logicworks were related to the following CSF domains: Information Protection Program, Vulnerability Management, Network Protection, Password Management, and Data Protection & Privacy.
  • Automation is key to continuous compliance; Logicworks uses services like AWS CloudFormation, Puppet, Chef, Ansible, and AWS’ deployment services like AWS CodeDeploy to ensure that IT controls are maintained even as cloud environments change.
  • The rearchitecting process lasted 6 months, and the company passed its HITRUST audit in March 2017.
  • Logicworks reduced their time-to-compliance by 6-8 months

To learn more about Logicworks’ Cloud Services for healthcare, contact us or visit our website at www.logicworks.com.