Avoiding HITRUST Self-Assessment Pitfalls


Healthcare is a complicated topic. When the term is raised, the altruists among us focus on helping their fellow man. But like any endeavor managed by people, there is a business aspect to it. The business of healthcare faces the same problems as other types of businesses. It must operate efficiently, securely, and offer something that their competitors don’t. Adding to these pressures, governments add regulatory requirements including the security and privacy of patient data.

The HITRUST Alliance has responded to some of these business needs by developing a framework, tools, and a HITRUST certification process that can demonstrate a level of trust and compliance to the secure use of data for patients and business partners. In this article, we will consider one approach to these business pressures and potential roadblocks to success.

What is a HITRUST Report? What are the Different Types of Assessments?

The HITRUST Alliance has recognized the need for certifiable and reliable information security assessments and, with the collaboration of industry leaders, developed a standardized approach to assessing an organization’s risk posture. If the organization meets this standard by completing one or more types of validated assessments, a certification can be issued and presented to business partners to convey assurance to other organizations in relation to protections in place for sensitive information.

To meet this standard, organizations must go through a robust process that ends with an authorized assessment performed by an approved third-party assessor, the validation of the assessment by HITRUST, and, if successful, certification under one or more certification programs; currently the i1 Validated Assessment with Certification and the r2 Validated Assessment with Certification are viable options for organizations to consider.

It is vital that an organization perform an accurate and complete review of the organization’s posture in relation to the HITRUST requirements prior to execution of the formal assessment by an external assessor organization. This process is often called a gap or readiness assessment. More often than not, organizations find significant gaps that must be addressed before certification can be achieved.

In the following sections, we will review a number of the most-common pitfalls that may occur in organizations that are operating without a complete understanding of the HITRUST requirements, scoring methodologies, the assessment process, and the minimum expectations for certification.



Pitfall 1 – Improper Scoping – Requirements

The HITRUST CSF (Cyber Security Framework) is the embodiment of this standard. It includes a pool of requirements that have been refined over decades from over 40 authoritative sources including NIST, ISO, PCI, GDPR, CCPA, and more. Just how many HITRUST controls are there? This pool has just under 2,000 requirements, but don’t panic — only a small percentage of these will remain after the scoping step below. This framework is accessed through a web interface called MyCSF.

What is MyCSF?

Think of MyCSF as an empty desk that is waiting to have all the documents for a project put into the drawers while providing mechanisms to evaluate and grade the documents.

The first step in either a validated or self-assessment is to scope the assessment. You may ask yourself: “what is required for HITRUST certification?” The scoping step identifies which requirements are needed for certification that pertain to your organization. MyCSF provides a series of questions that will, from the responses, develop a pool of requirements. These questions include things like “How big is the organization,” “What type of organization,” “Do you need to include state regulatory requirements,” “Do you use hardware tokens for multi-factor authentication,” and “Where is covered data stored, processed or transmitted.”

While these questions seem simple enough, there are significant implications for your responses. Some questions are very straightforward. For example, your type of organization is probably not going to change based on how you answer other questions. If you are an IT service provider, you are not likely to need to change that to a health information exchange. But other questions might change based on where in the organization you apply them. If you use hardware tokens for authentication in the corporate office only and the office is not in scope for the assessment, answering yes to this question will add several requirements that really don’t pertain to the in-scope environment.

There are a number of questions regarding accessing the environment from the internet, public networks, or kiosks. Again, these responses should include careful consideration of what systems and networks are in-scope. It goes without saying that truthful answers must be given to all questions. But for many of these questions, the truthful answer could be either yes or no, depending on how the scope has been defined.

It is important to note that the scoping factors selection process discussed above relates only to the r2 Validated Assessment. It does not apply to the i1 Validated Assessment, since the i1 is a non-tailored assessment.



Pitfall 2 – Improper Scoping – Where to Apply the Requirements

Pitfall 2 is related to pitfall 1. Once you have answered all the scoping questions correctly, you will generate the set of requirements that really define the assessment. Pitfall 2 occurs when you apply a requirement to a system or network that should be out of scope OR don’t apply it when you should.

One way to answer the question of what systems or networks are in-scope is through a review of an accurate network/flow diagram. Find the heart of the environment – the place where the service that you want to certify is hosted. Look for where the data is stored, processed, or transmitted. Are there dedicated security boundaries between the in-scope systems and the systems under question? If there is no firewall or other security mechanism restricting or controlling data flow or access, then the system under question is likely to be in-scope.

For example, if the service you wish to certify is hosted in your data center and you have an employee-only wireless network in the office, is the wireless network in-scope? The answer depends on several questions. Can a wireless user directly access covered data from his laptop? Are there security controls in place like VDI or terminal server interfaces that must be used to access data? Does the wireless user have to connect through a VPN before he can access covered data? All of these will determine if the wireless network should be considered during the assessment.

This guidance applies to both the i1 and r2 Validated Assessments. It is very important to work with an external assessor organization (preferably the one who will ultimately perform the validated assessment) since a shared understanding of scope and applicability of requirements is vital to the success of the certification effort.

Pitfall 3 – Evaluation and Scoring

I am going to state right up front that HITRUST scoring involves high-level mathematics and maybe some good ole Kentucky windage. Each HITRUST requirement is scored from five different perspectives –

  • Policy
  • Procedure
  • Implementation
  • Measured
  • Managed

Each of these is weighted and the aggregate weight equals 100%. During an assessment, a percentage is assigned to each from a list of 0%, 25%, 50%, 75%, or 100%, and a special N/A (not applicable). There are specific requirements for each of these levels.

One of the approaches I have used in helping organizations prepare to perform their own, unassisted self-assessments is to go through several typical requirements and evaluate and score evidence from their environment. It is very easy for the first-timer to over-rate their position and underestimate the requirement. To remove lots of confusion and increase alignment with what HITRUST expects, I refer to a table published by HITRUST called the scoring rubric.

The scoring rubric is a grid that lists the five maturity levels to be considered against the six possible scores. Each cell contains the definition that must be met for that specific score. Any departure from the rubric during the self-assessment will widen the gap between the self-assessed scores and those of the validated assessment.

The difference between the i1 and r2 when it comes to scoring is rather simple. The r2 assessment includes all five maturity levels described above. The i1, on the other hand, includes only the “implementation” maturity criteria for the assessment. This does not mean that things like policies and procedures do not matter in the i1 assessment, but they are not scored separately.



Pitfall 4 – Misunderstanding HITRUST Expectations

The HITRUST CSF includes specific terms, concepts, and expectations that the first-time user may not appreciate. Terms like measured, managed, metric, independent, and operational all have very specific meanings that might change in different contexts. It is important to apply the same definitions to these terms that the third-party assessor will apply.

For example, one aspect of a requirement is how well the organization “measures” the effectiveness of the control. An organization might do this through review of a report. It is important to know who generated the report, how often the report is reviewed, and what it includes. If the report is generated by the team that manages the control, it is considered operational and its score is capped. If the report is run every week and a number can be identified to track effectiveness from cycle to cycle, it can be considered a “metric.” Metrics have a higher possible score than a measurement.


HITRUST assessments, both self and validated, are complicated efforts. It is only with experience that accuracy can improve. Each of these pitfalls is typical of what many organizations, big and small, encounter during a self-assessment. One large and well-known Seattle-based organization I have worked with does a self-assessment every year to ensure they are prepared for new changes in HITRUST and their own environment. It has done this since its first foray into HITRUST. It has learned from each self-assessment and has refined its controls and HITRUST evaluation ability. Its self-assessment scores are very close to the third-party assessor scores.

While some organizations have the expertise to perform a HITRUST Self-Assessment without guidance, most organizations are not as lucky. It is important to remember that these are common pitfalls, and each of them can seriously jeopardize the accuracy, and therefore the effectiveness, of the self-assessment and widen the deviation from the validated scores.

I think the chief takeaway from this experience is that a self-assessment is a great way to start the HITRUST journey, but it must be done carefully. If you are considering HITRUST and specifically a self-assessment, you might consider the guidance of an experienced third party to help you avoid these pitfalls.

If you have any additional questions regarding HITRUST Certification or any of the many audit services provided by Linford&Co, please contact us.
