HITRUST certification explained

For industries where security, privacy, and risk management are top-of-mind, HITRUST certification is one of the most important a company can hold. This achievement places Ricoh in an elite group of organizations worldwide that have earned this certification. 

By including federal and state regulations, standards, and frameworks, and incorporating a risk-based approach, the HITRUST Assurance Program helps organizations address security and data protection challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.

What is HITRUST certification?

The Common Security Framework (CSF) was created in 2007 by the Health Information Trust Alliance (HITRUST Alliance). The organization initially focused on HIPAA, ISO 27001, and similar regulations, and expanded the framework to embrace other industries, such as financial services, information technology, and more.

The framework helps organizations demonstrate their security and privacy through a standardized compliance assessment and certification process.

What does it mean to be HITRUST certified?

HITRUST certification demonstrates that the organization has met key regulations and industry-defined requirements and is appropriately managing risk.

Organizations worldwide use the region- and industry-agnostic control framework, assessment platform, and independent certification program to assure customers, partners, and vendors that their sensitive information is protected.

Which products are HITRUST certified?

Ricoh obtained HITRUST certification for its Intelligent Business Platform hosted at Amazon Web Services (AWS). Also in scope are desktops located in Ricoh’s processing centers at Rancho Cordova, Cali., and Parma, Ohio. (Read the press release.)

IBP gives customers the tools to convert data into highly valuable insights, workflows, and documents, enabling remote workers to connect without compromising network security, automating manual steps and billing, empowering workers to solve customer issues from anywhere, and more.

Ricoh is committed to providing our customers with the finest technology, services, programs and resources — along with the expertise to assist them in meeting security, compliance, and policy requirements.

With Ricoh, security is not an after-thought or a reaction to a problem. Security-focused thinking extends across the portfolio — from devices to software to professional and managed services.

What are the HITRUST certification requirements?

HITRUST certification requirements incorporate security, privacy, and other regulatory requirements from existing frameworks such as the International Organization for Standardization (ISO) and the Health Insurance Portability and Accountability Act (HIPAA).

The 19 control domains within the HITRUST CSF are:

1. Information security and protection program

2. End point protection

3. Portable media controls

4. Mobile device security

5. Wireless access

6. Configuration and change management

7. Vulnerability detection and management

8. Network security protection

9. Data transmission protection

10. Password strength and management

11. Access control to servers and software

12. Audit logging and monitoring

13. Employee education, training, and awareness

14. Third-party contracts and management

15. Incident response and management

16. Business continuity and disaster recovery

17. Risk assessment and management

18. Data center physical security

19. Data protection and privacy

The 19 domains of HITRUST certification are broken into 14 control categories:

1. Information security management program

2. Access control

3. Human resources security

4. Risk management

5. Security policy

6. Organization of information security

7. Compliance

8. Asset management

9. Physical and environmental security

10. Communications and operations management

11. Information systems acquisition, development, and maintenance

12. Information security incident management

13. Business continuity management

14. Privacy practices

Organizations are audited every two years to determine compliance with stringent HITRUST certification. The oversight is designed to provide peace-of-mind that organizations with HITRUST certification are implementing the strongest standards for security.