The Drummond Group

HITRUST Assessment Services

HITRUST Authorized CSF Assessor

The Drummond Group is proud to support the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) as one of its first CSF Assessors. The HITRUST Alliance has brought together healthcare, technology, and information security leaders to build a common framework that can be used by organizations to guide their security and privacy practices.


How This Benefits You

Exclusive Engagement Methodology

We developed the Drummond Compliance System (DCS) to expedite the pre-assessment phase and evidence collection process to get your organization HITRUST CSF Certified as quickly and inexpensively as possible. Our clients have told us that they’ve saved as much as 50% in labor costs through the utilization of our automation and engagement methodology.

Top HITRUST Assessor

We have performed 125+ certifications, which makes us a top performer in the industry. Our experience lessens the time and money you must expend for certification. We also have a team of 11 practitioners, which ensures that we have the bandwidth to complete your project on time. Many of our competitors have only 5 assessors, which is the bare minimum necessary to be an Assessor.

Combined Audits – Assess Once, Report Many – HITRUST, PCI, SOC, ISO 27001, GDPR

This will lower your expense and labor costs if you have more than one certification to obtain. We gather the evidence once and use it for multiple certifications.

Pre-Assessment Phase to Prepare You for Certification

The pre-assessment phase ensures you have the necessary controls, tools, policies, and procedures in place. All our clients that submitted to HITRUST achieved certification.

We aren’t going anywhere.

Many of our competitors are small organizations that could fail, and leave you stranded. We provide “high touch” personalized service to each of our clients.

No Jerks Policy

We only hire personnel with a pleasant personality. Let’s face it, auditors can be pretty dry. Why not work with people that are personable?

Complete Set of HITRUST Aligned Policies and Procedures and Document Templates

This will jump start your certification process by providing you with template policies and procedures and other necessary documents.

U.S. Based Full-Time HITRUST Practitioners

You will work with a U.S. based team that covers all the time zones. We only use full-time personnel who have been in the field for many years and have all of the leading industry certifications.

Longest Tenured HITRUST Practitioners

We have one of the most experienced teams in the industry, which ensures that our team is very knowledgeable about HITRUST and will be able to help you get HITRUST certified as quickly and painlessly as possible. Most of our competitors have limited experience.

The HITRUST CSF is an information security framework which:

  • Leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC and COBIT
  • Scales according to type, size and complexity of an implementing organization
  • Provides prescriptive requirements to ensure clarity
  • Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
  • Allows for the adoption of alternate controls when necessary
  • Evolves according to user input and changing conditions in the healthcare industry and regulatory environment

The Drummond Group is certified to conduct CSF assessments for healthcare organizations. The CSF assessment will help your organization:

  • Use findings from a single assessment to understand adherence to multiple compliance requirements (e.g. SOC 1 and 2, PCI-DSS, HIPAA, ISO 27002, etc.)
  • Achieve increased insight into internal and third-party risks
  • Reduce cost with an efficient approach for reporting compliance with internal stakeholders, HIPAA, HITECH, state, and business associates

As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry. The Drummond Group CSF assessments fulfill the HIPAA Security Rule § 164.308(a)(1)(ii)(A) and Centers for Medicare and Medicaid Services (CMS) Meaningful Use Stage 1 risk analysis requirements and provide actionable recommendations for treatment of risks and vulnerabilities to the confidentiality, integrity, and availability of Protected Health Information (PHI).

What You Need to Know About HITRUST Certification

Get Answers to Frequently Asked Questions that pertain to HITRUST®

HITRUST Frequently Asked Questions

Who is HITRUST®?

The Health Information Trust Alliance (HITRUST®) is an independent non-profit company that acts as a certification body for healthcare organizations and those providing services to healthcare organizations.

Who is requiring HITRUST® certification?

Healthcare organizations such as CVS Caremark, Health Care Services Corp., Highmark, Humana, United Healthcare Group, and WellPoint now require their service providers to be HITRUST® certified.

What is HITRUST® CSF®?

The HITRUST® Common Security Framework (CSF®), developed in collaboration with healthcare and security experts, is a certifiable, information security framework that provides organizations with an actionable roadmap tailored to the unique needs of the healthcare industry. To date, the HITRUST® CSF® is the most widely-adopted security framework in the U.S. healthcare industry and has become the de facto standard. For more information on the HITRUST® standard go to:

Why is becoming HITRUST® certified important?

Becoming HITRUST® certified is a significant competitive advantage and is becoming necessary to perform services in the healthcare field. Many healthcare organizations are now requiring their Business Associates/Service Providers that either capture, store, or process Protected Health Information (PHI) to become HITRUST® CSF® Certified. This is a necessary step to ensure that their Business Associates/Service Providers have established adequate controls to protect PHI and comply with the HIPAA Privacy, Security, and HITECH regulations. The number of controls that will be in scope will depend on the answers provided in your HITRUST® Scoping Spreadsheet. Please answer the HITRUST® Scoping Questionnaire that we will send once you fill out our Registration.

What do I need to provide in order to show compliance with each HITRUST® control?

At a minimum you must show you have a policy, procedure, and proof of implementation for each in-scope control.

How long does it take to get HITRUST® certified?

It takes approximately 6 months to get certified.

How long does it take HITRUST® to issue my certification once everything is submitted?

It takes 4 to 6 weeks for HITRUST® to do their quality assurance review and issue the certification report.

How much does Drummond Group charge?

Our fee depends on the number of HITRUST® CSF® controls in scope. Please answer the HITRUST® Scoping Questionnaire that we will send once you fill out our Registration form.

How much does HITRUST® charge for my certification?

The HITRUST® fee is based on your annual revenue. We will provide a pricing sheet when we return our pricing.

What questions should I ask my potential HITRUST® assessor?

We have created a set of ten screening questions to ensure that you get the best fit with your HITRUST® Assessor.

Do you have a proven methodology in place?

Yes, our system has been developed over the last four years to get your organization HITRUST® Certified as quickly and inexpensively as possible. Give us 30 minutes to prove it!

We need a lot of assistance; do you guide us through the process?

Yes, we guide you every step of the way. Our Drummond Compliance System (DCS) includes daily collaboration with your assigned HITRUST® Assessor.

Have you worked with firms in my line of business?

We’ve worked with companies of all types, including: cloud providers, data analytic companies, data centers, third party processors, health care organizations, SaaS providers, print companies, medical device companies, and wellness companies.

Do you have references that you will provide?

Absolutely! We have a lot of happy customers. We will be happy to provide references.

Do you use off-shore assessors?

We provide our services to clients all over the world, but the Drummond Group only uses U.S. based HITRUST® Practitioners.

Do you use resources that are not HITRUST® Certified Assessors to perform the work?

No, all our resources are HITRUST® Certified Assessors.

Do you use junior auditors?

We only use senior HITRUST® Assessors with 20+ years of experience. Our Assessors have the leading industry security and compliance certifications.

Is your team pleasant to work with?

A lot of organizations overlook this aspect. You are going to be working with your HITRUST® Assessor for quite a while. Our people are pleasant to work with, and have a good sense of humor, just ask our references.

Register for Drummond’s HITRUST Services today!
