Healthcare is a complicated topic. When the term is raised, the altruists among us focus on helping their fellow man. But like any endeavor managed by people, there is a business aspect to it. The business of healthcare faces the same problems as other types of businesses. It must operate efficiently, securely, and offer something that its competitors don’t. Adding to these pressures, governments add regulatory requirements including the security and privacy of patient data.
Since 2007, HITRUST has responded to some of these business needs by developing a framework, tools, and a HITRUST certification process that can demonstrate a level of trust and compliance with the secure use of data for patients and business partners. In this article, we will consider one approach to these business pressures and potential roadblocks to success.
What is a HITRUST Report? What are the Different Types of Assessments?
The HITRUST Alliance has recognized the need for certifiable and reliable information security assessments and, with the collaboration of industry leaders, developed a standardized approach to assessing an organization’s risk posture. If the organization meets this standard by completing one or more types of validated assessments, a certification can be issued and presented to business partners to convey assurance to other organizations in relation to protections in place for sensitive information.
To meet this standard, organizations must go through a robust process that ends with a validated assessment performed by an approved third-party assessor, the review and validation of the assessment by HITRUST, and, if successful, certification under one of the following:
- Essentials (e1) Validated Assessment + Certification
- Leading Practices (i1) Validated Assessment + Certification
- Expanded Practices (r2) Validated Assessment + Certification
What is a HITRUST Readiness Assessment?
While the readiness assessment was previously labeled as a self-assessment by HITRUST, language has shifted over the past several years to label it as a readiness assessment. One likely reason for this is the importance of working with an authorized HITRUST external assessor organization which can assist in the validation of assumptions relating to the HITRUST requirements, scoring methodology, and the HITRUST assessment and certification process overall. Just as many of us would hire an architect to help design a house, working with an authorized external assessor brings greater insight and value to the readiness assessment process. The first step in the journey towards any one of these certifications should be a quality readiness assessment. The main purpose of a readiness assessment is to:
- Prepare the organization to successfully navigate a validated assessment, typically with the goal of becoming certified.
- Identify gaps in compliance between requirements within the HITRUST CSF and the current posture of the organization’s information security program.
- Improve performance and knowledge by providing personnel with guidance, feedback, and insight into the requirements and the HITRUST assessment process.
- Build confidence by providing personnel with the ability to engage in a preliminary assessment prior to the execution of the more formal and rigid validated assessment process.
Who Can Perform a HITRUST Readiness Assessment?
It is vital that an organization perform an accurate and complete review of the organization’s posture in relation to the HITRUST requirements prior to execution of the formal assessment by an external assessor organization. This process is often called a gap or readiness assessment. More often than not, organizations find significant gaps that must be addressed before certification can be achieved. It is not required that the readiness assessment be performed by or with the support of an authorized external assessor firm, but the outcome of the readiness assessment is much more likely to be truly beneficial if it includes engagement with resources who have been through numerous validated assessments and understand the HITRUST requirements as well as the HITRUST assessment process.
What Are the Objectives of the HITRUST Readiness Assessment?
While the primary benefit of the readiness assessment is preparation, the most valuable outcome of a quality readiness assessment is the identification of compliance gaps, which the organization can then address as part of the ongoing growth and development of the information security program that supports compliance with HITRUST requirements.
In the following sections, we will review a number of the most common pitfalls that may occur in organizations that are operating without a complete understanding of the HITRUST requirements, scoring methodologies, the assessment process, and the minimum expectations for certification.
Pitfall 1 – Improper Scoping Factors or Assessment Selection
The HITRUST CSF (Cyber Security Framework) is the embodiment of this standard. It includes a pool of requirements that have been refined over decades from over 40 authoritative sources including NIST, ISO, PCI, GDPR, CCPA, and more. Just how many HITRUST controls are there? This pool has just under 2,000 requirements, but don’t panic — only a small percentage of these will remain after the scoping step below. This framework is accessed through a web interface called MyCSF.
What is MyCSF?
Think of MyCSF as an empty desk that is waiting to have all the documents for a project put into the drawers while providing mechanisms to evaluate and grade the documents.
What Are Scoping Factors?
In simple terms, scoping factors are the criteria used to figure out what needs to be included in a security assessment or audit. They help determine the boundaries and extent of the systems or environments that require evaluation to ensure security and compliance. In HITRUST vernacular, scoping factors can be considered the “demographics” of the implemented system which is to be assessed.
It is important to note that the scoping factors selection process discussed next relates only to the r2 Validated Assessment. It does not apply to the e1 or i1 Validated Assessments since the e1 and i1 are non-tailored assessments.
How are Scoping Factors Determined?
As part of the r2 Validated Assessment, the scoping factors selection process within MyCSF identifies which requirements pertaining to your organization are needed for certification. MyCSF presents a series of questions and, from the responses, builds the pool of applicable requirements. These questions include things like “How big is the organization,” “What type of organization,” “Do you need to include state regulatory requirements,” “Do you use hardware tokens for multi-factor authentication,” and “Where is covered data stored, processed, or transmitted.”
While these questions seem simple enough, there are significant implications for your responses. Some questions are very straightforward. For example, your type of organization is probably not going to change based on how you answer other questions. If you are an IT service provider, you are not likely to need to change that to a health information exchange. But other questions might change based on where in the organization you apply them. If you use hardware tokens for authentication in the corporate office only and the office is not in scope for the assessment, answering yes to this question will add several requirements that really don’t pertain to the in-scope environment.
There are a number of questions regarding accessing the environment from the internet, public networks, or kiosks. Again, these responses should include careful consideration of what systems and networks are in-scope. It goes without saying that truthful answers must be given to all questions. But truthful for many of these could be a yes or a no, and if you are not sure, then consult an experienced external assessor.
As mentioned above, the scoping factors only apply to the r2 Validated Assessment. However, the same pitfall can occur when an organization selects the wrong assessment based on their needs and the needs of those who will ultimately request and review the HITRUST certification obtained by the organization. Again, speaking to an experienced external assessor can help guide organizations on their path to selecting the appropriate assessment within the HITRUST assessment portfolio.
Pitfall 2 – Improper Scope Definition
Pitfall 2 is related to pitfall 1. Once you have answered all the scoping factors questions correctly, you will generate the set of requirements that really define the assessment. Pitfall 2 occurs when you apply a requirement to a system or network that should be out of scope, or fail to apply it to one that should be in scope.
What is the Scope of the HITRUST Readiness Assessment?
The scope of the assessment differs from the process of selecting scoping factors. Scoping factors determine what requirements are applicable for a given r2 Validated Assessment, but the scope of the assessment has to do with the people, processes, technologies, and other elements which will be considered “in-scope” for the assessment.
When determining the scope of an assessment, several important criteria should be considered. These criteria help identify the specific areas, processes, and controls that need to be assessed to achieve the assessment objectives. While the importance of specific criteria may vary depending on the nature of the audit, it is important to review and refine the scope of the assessment as needed until both the assessed entity (the entity pursuing certification) and the external assessor organization reach a shared understanding of the intended scope.
The scope is like a roadmap that tells the external assessor what specific areas or aspects they should pay attention to during the assessment. It helps keep the assessment focused and ensures that the right things are being examined to make sure everything is in order and meets the necessary HITRUST requirements. Just like you wouldn’t want to be operating a GPS with outdated maps on it, a complete and accurate definition of scope in an assessment is critical to success. Errors, omissions, and other issues associated with scope are one of the biggest pitfalls organizations face during a readiness assessment, because either too much or too little is being considered.
How Do You Verify the Scope of an Assessment?
One way to answer the question of what systems or networks are in scope is through a review of an accurate network/flow diagram. Find the heart of the environment – the place where the service that you want to certify is hosted. Look for where the data is stored, processed, or transmitted. Are there dedicated security boundaries between the in-scope systems and the systems in question? If there is no firewall or other security mechanism restricting or controlling data flow or access, then the system in question is likely to be in scope.
For example, if the service you wish to certify is hosted in your data center and you have an employee-only wireless network in the office, is the wireless network in scope? The answer depends on several questions. Can a wireless user directly access covered data from a laptop? Are there security controls in place, like VDI or terminal server interfaces, that must be used to access data? Does the wireless user have to connect through a VPN before accessing covered data? The answers to all of these determine whether the wireless network should be considered during the assessment.
This guidance applies equally to all HITRUST assessments. It is very important to work with an external assessor organization (preferably the one that will ultimately perform the validated assessment) since a shared understanding of the scope and applicability of requirements is vital to the success of the certification effort.
Pitfall 3 – Evaluation and Scoring
I am going to state right up front that HITRUST scoring involves high-level mathematics and maybe some good ole Kentucky windage. For the r2 Validated Assessment, each HITRUST requirement is scored from five different perspectives –
Each of these perspectives is weighted, and the weights add up to 100%. During an assessment, each perspective is assigned one of 0%, 25%, 50%, 75%, or 100%, or a special N/A (not applicable) rating. There are specific criteria that must be met for each of these levels.
One of the approaches I have used in helping organizations prepare to perform their own, unassisted readiness assessments is to go through several typical requirements and evaluate and score evidence from their environment. It is very easy for the first-timer to over-rate their position and underestimate the requirement. To remove lots of confusion and increase alignment with what HITRUST expects, I refer to a table published by HITRUST called the scoring rubric.
The scoring rubric is a grid that sets the five aspects to be considered against the six possible scores. Each cell contains the definition that must be met for that specific score. Any deviation from the rubric during the readiness assessment will widen the gap between the readiness results and the validated assessment. To support consistency across readiness and validated assessments, assessed entities should be just as familiar with the rubric as assessors. If assessed entities are interested in training internal resources, HITRUST offers a HITRUST adoption course as well as the more robust Certified CSF Practitioner Course.
How Does Scoring Work for the e1 and i1 Assessments?
The difference between the e1, i1, and r2 when it comes to scoring is rather simple. The r2 assessment includes all five maturity levels described above. The e1 and i1, on the other hand, include only the “implementation” maturity criteria for the assessment. This does not mean that things like policies and procedures do not matter in the i1 assessment, but they are not scored separately.
Pitfall 4 – Misunderstanding HITRUST Requirements
The HITRUST CSF includes specific terms, concepts, and expectations that the first-time user may not appreciate. Terms like measured, managed, metric, independent, and operational all have very specific meanings that can change with context. It is important to apply the same definitions to these terms that the third-party assessor will apply.
For example, one aspect of a requirement is how well the organization “measures” the effectiveness of the control. An organization might do this through a review of a report. It is important to know who generated the report, how often the report is reviewed, and what it includes. If the report is generated by the team that manages the control, it is considered operational and is capped at a lower maximum score. If the report is run every week and a number can be identified to track effectiveness from cycle to cycle, it can be considered a “metric.” Metrics have a higher possible score than a measurement.
What Are the Potential Benefits of a HITRUST Readiness Assessment?
Organizations that have built successful HITRUST compliance programs often perform readiness assessments every year to ensure they are prepared for new changes in HITRUST requirements and their own environment. Organizations learn from each readiness assessment and are able to refine their controls and internal HITRUST expertise. A quality readiness assessment will generally allow an organization to predict its own success in a given validated assessment through the application of discipline and attention to detail associated with scoping factor selection, scope definition, and analysis of the HITRUST requirements.
While some organizations have the expertise to perform a HITRUST readiness assessment without guidance, most organizations are not as lucky. It is important to remember that these are common pitfalls – each of them can seriously jeopardize the accuracy, and therefore the effectiveness, of the readiness assessment and increase the deviation from the validated assessment scores.
HITRUST assessments, both readiness and validated, are complicated efforts. It is only with experience that accuracy can improve. Each of these pitfalls is typical of what many organizations, big and small, encounter during a readiness assessment.
The primary takeaway from the support we have provided to dozens of HITRUST clients is that a readiness assessment is a great way to start the HITRUST journey, but it must be done carefully. If you are considering HITRUST, and specifically a readiness assessment, you might consider the guidance of an experienced third party to help you avoid these pitfalls.
If you have any additional questions regarding HITRUST Certification or any of the many audit services provided by Linford&Co, please contact us.
This article was originally published on 12/29/2020 and was updated on 5/31/2023.
Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, CCSFP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.