We earned HITRUST e1 certification. Our hands-on experience

VITech has recently crossed a major milestone—our offices and AWS infrastructure are now officially certified under the HITRUST e1 standard. Here's what that means for the healthcare companies we work with.
| TL;DR | |
|---|---|
| What happened | VITech earned HITRUST e1 certification across its entire company. |
| The scale | 800+ person-hours of work, 1,000+ screenshots collected as evidence, 40+ policies built or updated, and 230 pages of documentation written from scratch. |
| The cost | ~$130,000 total, roughly twice our original projection. |
| The timeline | We first explored certification 5 years ago. Active work with our partner A-LIGN began in March 2024. Certificate received in 2025. |
| What it means | Your data is handled under controls verified by a third-party auditor. |
When you work with healthcare or fintech, security comes up in the very first conversation. Saying "We follow HIPAA" used to be enough; it isn't anymore. Clients now come right out and say they want a HITRUST certificate on the table.
For us, this was both a challenge and an opportunity. We knew that getting HITRUST certified would open the door to enterprise healthcare and prove we could operate at the same level as the biggest players in the industry.
The scale of the work we needed to do was like a marathon: 800 person-hours of meetings, more than 1,000 screenshots collected as evidence of controls, and over 40 policies and procedures built or updated.

Screenshot from VITech's A-SCEND profile showing the real certification timeline from initial assessment to receiving the certificate
Now, it’s high time to share our story honestly: how it unfolded, the challenges we faced, what we learned, and what it means for the healthcare organizations we work with.
What HITRUST is in simple words
HITRUST works like a universal adapter for cybersecurity. It brings together the key standards (ISO, NIST, HIPAA, GDPR, PCI DSS) and establishes a common set of rules across all of them.

Coverage of other standards within the HITRUST framework
There are certification levels:
| Level | Who it's for | Controls assessed | Timeline |
|---|---|---|---|
| e1 | Vendors entering enterprise healthcare markets | ~44 practices | 6–9 months |
| i1 | Companies with mature, established security programs | ~182 practices | 9–12 months |
| r2 | High-risk, heavily regulated organizations | 2,000+ controls | 12–18 months |
As a rule, large insurance companies and medical institutions prefer to work with HITRUST-certified vendors. In 2025, 99.62% of HITRUST-certified environments had no breach. That figure is part of what makes this milestone meaningful for our clients.
What this means for you
Before we get into the story, here's the short version of what our HITRUST e1 certification means for you as a potential partner:
Your data is handled under controls that go well beyond basic HIPAA compliance
Security is embedded into how our team works every day
Documentation your compliance team can review: policies, evidence artifacts, and control records, all organized and audit-ready.
Large insurers and health systems require HITRUST certification before a vendor can be internally approved. We've done that work.
Now here's the full story of how we got there.
Why we did it
Picture this: you're selecting a technology vendor for a healthcare project. Their pricing is competitive, their team is strong, their expertise is exactly right. But one of your mandatory requirements is a HITRUST certificate and without it, they don't even make the shortlist.
We didn't want to be that vendor. And beyond the commercial reality, we genuinely believed that if you're handling protected health information on behalf of your clients, you owe them more than a signed BAA and good intentions.
HITRUST gave us a framework to prove it to our clients, to their compliance teams, and to ourselves.
Why we certified the whole company
Most IT businesses certify a single product or a platform. We took a different approach: we certified our entire infrastructure, including both offices and our AWS environment.
We could certainly have gone the easier route with a minimal scope. But we made a conscious decision to certify our internal processes across the whole organization, because that's what gives partners real confidence.
When a client works with VITech, it's not just one isolated product that meets the standard; it's the entire team, the entire workflow, and the entire infrastructure behind their project.
The path to certification
We first looked into certification 5 years ago, but we made a deliberate decision to wait until we were better prepared. Later on, we made certain commitments to our customers about pursuing HITRUST as a vendor.
When we went through a major tender last year with our largest client, the fact that we were already mid-process became a deciding factor. An assessment engagement letter from our consultants confirmed it and helped us sign a three-year framework agreement.
By 2023, it was clear that we couldn't get through certification alone, so we ran a competitive selection process and chose A-LIGN, a HITRUST-certified partner. We went in with a clear picture of the investment involved, both external (partner fees) and internal (people, time, tools). More importantly, we were ready for changes.
In March–April 2024, we signed an agreement with A-LIGN to prepare for the validation assessment conducted by HITRUST itself.
Stage 1: Initial assessment
The A-LIGN auditors came in, reviewed our processes, and were straight with us: "You've got a lot of work ahead." That was actually helpful because we got a clear picture of where we stood and where we needed to go.

Results of the initial assessment conducted by the consulting firm.
Stage 2: Remediation phase
Six months. 230 pages of policies and procedures. Every page had to go through review, approval, and sign-off. We joked that our engineers were clicking "Sign" in HiBob more than they were in Jira. That's when we felt it: policies weren't just paper anymore, they were becoming real practice.
But it wasn't only about documents. Simultaneously, we set up all the necessary control points to make sure those policies were actually being followed: incident monitoring, log auditing, access controls, asset inventory, and more. Those control mechanisms gave us the evidence we needed to show auditors that the policies and procedures were alive.
Stage 3: Pre-validated assessment
Evidence collected across our assessment platforms. Hundreds of screenshots, all verified. Then the formal review by A-LIGN.

Results of the pre-validated assessment conducted by the consulting firm.
Stage 4: HITRUST QA
Weeks of waiting. Daily anxiety, second-guessing, re-checking everything. And then—the HITRUST e1 certificate. The feeling was like winning the Super Bowl or a Champions League final: pure euphoria, the knowledge that all the effort was worth it, and the kind of shared pride that's hard to put into words.

QA results by HITRUST domain.
The challenges and how we handled them
HITRUST doesn't just audit your policies. It audits your culture. At times, it felt like we were building a new company inside the company. We stumbled more than once, but that's exactly what made us stronger, and what makes our security posture more reliable for the clients depending on us.
Policy creation that took six months
We thought: how hard can it be? Write the policy, get it reviewed, get it signed. The reality: 200-plus pages, dozens of review rounds, and an endless stream of "hey, can you sign this?"
We set an SLA for sign-off: 10 business days, after which access gets blocked. It kept things moving.
Alongside the documents, we set up control points for each policy, from asset audits and log reviews to regular security check-ins. Those control mechanisms became the foundation for collecting the evidence HITRUST actually recognizes.
Security baked into onboarding from day one
Every new hire now gets access to projects only after:
signing all relevant policies
completing security awareness training
passing the HIPAA exam
This turned compliance from a checkbox into part of the culture. From their first day, security isn't some abstract concept but part of your daily work.
Phishing simulations: the corporate version of Among Us
We built our own phishing simulation series, tailored to each department:
HR: "A new candidate left their resume"
Developers: "GitHub update required"
Finance: "Invoice from a client"
Early results were uncomfortable. They showed exactly where the weak spots were. Eventually, phishing became a company tradition: whoever clicks buys coffee. Lessons learned that way tend to stick.
A baseline for approved tools
We created a registry of approved applications and continuously monitored workstations for compliance. No more "I installed this for convenience." Everything gets checked for security and recorded in SnipeIT. This removed shadow risks and closed casual weak links before they became problems.
Monitoring architecture built around clarity
Early on, we tried to cover everything: SIEM, MDM, vulnerability scanning, asset tracking, Jira boards, HiBob, and about a dozen other systems. The result was noise: lots of data, no single source of truth.
We rebuilt around a few core systems: Jira, Confluence, and SnipeIT, with a clear data flow where every control had a defined home.
Now, an audit or review means opening one page with all the relevant artifacts, not digging through months of Slack history.
Dedicated security leadership
HITRUST changed not just our processes but our organizational structure. We created an Information Security Manager role, expanded the responsibilities of the Delivery and HR teams, and introduced monthly reviews covering risks, incidents, and assets.
Security became everyone's responsibility.
The budget surprise
We planned the budget carefully. But the reality was that certification is a living process: one HITRUST update and the numbers look different. The final cost came to around $130,000, roughly twice what we projected.
Budget lesson: build in a 30–50% buffer. It's not padding; it's just the reality of any certification process.
And the biggest takeaway from all of it: security doesn't live in documents. It lives in daily habits, transparent processes, and shared accountability across the team.
What you get when you work with a HITRUST-certified partner
All of that work translates directly into what you experience as a client. Here's a plain-language breakdown:
Verified security. Everything in our security posture was assessed and confirmed by a third-party auditor. You don't have to rely on our word.
A team that treats security as a daily practice. Phishing simulations, mandatory training, controlled access, monthly risk reviews — these aren't annual events. They're how we operate.
Documentation ready for your compliance team. If your legal or compliance team needs to review our controls, policies, or evidence artifacts, we have everything organized and audit-ready.
A vendor your enterprise can approve. Large insurers and health systems often require HITRUST certification before a vendor can be approved internally. We've already done that work.
Key takeaways
HITRUST e1 certification cost us significant time, money, and organizational effort. We'd do it again without hesitation because the alternative is asking healthcare organizations to trust a vendor on good faith alone, and that's not a position we're comfortable with.
If you're evaluating technology partners and security is on your checklist, we're happy to walk you through our controls, share our documentation, or answer any questions your compliance team has. That's exactly what this certification is for.
FAQ
How do we verify the certification is current?
Through the HITRUST public registry or the Health3PT trusted vendor catalog. Both are publicly searchable and don’t require anything from us.
What does the certification actually cover?
Our entire company: both offices and AWS infrastructure. Most vendors certify a single product; we certified the whole organization, so every project benefits from the same verified controls.
How long is the certification valid?
One year, with an annual renewal assessment. Any change in status appears in the HITRUST public registry immediately.