A request for proposal has just come out that is in your company’s wheelhouse but instead of only requiring HIPAA and SOC 2, the proposal suggests that those who are HITRUST compliant either receive more consideration or may be the only proposals considered at all. What happens now? Are you prepared? Do you know what that means? It might be time to engage a HITRUST Authorized External Assessor as a trusted partner to assist you on your HITRUST journey.
In this post, we will focus on understanding the HITRUST Framework, the role of a HITRUST assessor, what qualifies someone as a HITRUST Certified CSF Practitioner, the steps taken once you have engaged a HITRUST assessor, and what services your assessor can provide.
HIPAA: The Origins of HITRUST
In 1996, the Insurance Portability and Accountability Act (HIPAA) was introduced as a means for guiding companies on how to safeguard protected health information. Since the conception of this framework, companies have been able to self-certify against the required established criteria. After about a decade, a group known as the HITRUST Alliance was formed to combine the criteria established in HIPAA but take it a few steps further by adding a number of other frameworks to complement HIPAA. HITRUST’s mission is to advocate those frameworks that promote the safety of sensitive information across all industries. In the years since, HITRUST has continued to develop an expansive suite of solutions including the HITRUST CSF Framework, MyCSF, the HITRUST Threat Catalog, the HITRUST Results Distribution System™, and the HITRUST Shared Responsibility and Inheritance Program™ as well as others.
How Has HITRUST Grown to Address More Than HIPAA?
As mentioned above, HITRUST incorporates a number of standards and regulations. Some examples include ISO, NIST, PCI, HIPAA, GDPR, and many others which are relevant across industries far beyond healthcare. By doing this, The HITRUST CSF is intended to be an industry-agnostic, one-stop-shop framework for the protection of sensitive information. Having gone through many iterations over the years, HITRUST has continually revised the HITRUST CSF.
What is a HITRUST Assessor?
If you have gotten to the point where you know that becoming HITRUST certified is the next step, it is time to start looking around for a HITRUST Assessor to partner with. It is important to understand what this means as your company starts researching firms to work with. To become an Authorized External Assessor, firms must go through training, have a certain number of certified assessors on staff, and understand the tools created by HITRUST where assessments are maintained. A firm cannot perform a validated assessment that can result in certification if the firm is NOT a certified HITRUST Assessor, so firms should verify the organization they are considering is listed on the HITRUST website.
What Does it Mean to be HITRUST Certified?
To be HITRUST certified, an organization must demonstrate that it has implemented the necessary controls and processes to secure sensitive information and meet industry-specific regulatory requirements within a given scope, which is typically an implemented system. At a very high level, this includes conducting a risk assessment, implementing a comprehensive security program, and regularly testing and monitoring the effectiveness of the controls in place. HITRUST certification of a system within an organization is different from the certifications HITRUST issues to individuals, which include the Certified CSF Practitioner (CCSFP) and Certified HITRUST Quality Professional (CHQP).
What Is CCSFP & CHQP Certification?
If you are using a firm that is a HITRUST Authorized External Assessor, then the individuals working with your company to complete the HITRUST Assessment should be HITRUST Certified CSF Practitioners, commonly referred to as CCSFP. These practitioners are required to complete an annual refresher course along with a certain number of continuing professional education hours each year to maintain this designation. You should inquire as to the background and qualifications of the individuals who will be working with your team as part of the selection process. The CHQP certification demonstrates competency to perform independent quality assurance (QA) reviews of the assessment results as part of an External Assessor program within a firm.
What is MyCSF & How Is It Used in an Assessment?
Once you have engaged a HITRUST assessor it is time to start planning the assessment. Each assessment starts with the HITRUST-certified company determining which controls will be included across the 19 domains included within the HITRUST framework. This is done within the MyCSF tool. The MyCSF tool is a Software as a Service (SaaS) product created by HITRUST that maintains assessment evidence and provides users with different reporting options. The goal of this tool is to provide one place where companies could track and manage risks that affect a company’s privacy and security.
Within the tool, companies are prompted to enter variables such as contact information, organization profile, company environment, assessment options, and various other elements. It is important to note that over the years, the HITRUST assessment portfolio continues to grow and develop, and you should work with your HITRUST assessor who can provide guidance and feedback in relation to which assessment and certification may be right for your organization.
What is the HITRUST Assessment Process?
Once a company knows what assessment it plans to use in pursuit of HITRUST certification, the company should then start determining which processes are in place or if there are gaps that need to be addressed. Using the criteria and sample controls provided by HITRUST, it is good practice to start by honestly grading oneself on the true state of each process.
One mistake our assessment team often sees is that companies going through this exercise tend to grade themselves based on processes or documentation that is not in place at the time of the review, but in progress or in plans to be created in the future. The issue with this is that it can provide a false sense of preparedness for going through the actual assessment. The best way to avoid this is by responding to each criterion by providing the name of the document or evidence that fulfills each control and the exact location of the information within the evidence, as applicable. If this cannot be done, then there is most likely a gap in the process or in the documentation. Be sure to review this expert-level guide to the execution of a HITRUST gap assessment and pitfalls to avoid.
What is a HITRUST Assessment Report?
There are a couple of types of reports that a company can receive, but only one requires a HITRUST Assessor. A company can first choose to complete a self-assessment. While this could be a great option to start with, as mentioned above, it can provide the client with a false sense of security if the self-assessment considered future work to be completed as compliant or partially compliant.
The other type of report is a validated assessment. A validated assessment is completed by the HITRUST Assessor and begins with the self-scoring of compliance and ends with the assessor providing feedback on the scoring of HITRUST controls. Upon completion of the assessment, the HITRUST Assessor will work with HITRUST to address any questions and finalize the report. We have produced a comprehensive guide on the HITRUST certification process for interested parties to review.
The Role of HITRUST External Assessors: A Summary
If your organization has determined that becoming HITRUST certified is the next step, engaging a HITRUST Assessor is an important next step. Your HITRUST External Assessor should partner with you and provide you with context around the HITRUST process and information about the HITRUST framework as well as the assessment process. Finally, a HITRUST Assessor is the liaison between your company and HITRUST. Luckily, it is easy to know if you are engaging a certified HITRUST Assessor. HITRUST maintains a list of assessors on its website for reference.
Linford & Company employs only experienced HITRUST assessors and all individuals performing HITRUST assessments hold the CCSFP and at least five years of direct experience as HITRUST assessors. If you are looking for more information or in search of an assessor please feel free to reach out for more information on HITRUST Certification.
For more information on HITRUST, check out the following blog posts:
- What is HITRUST? A Comprehensive Guide
- Navigating Compliance Frameworks: SOC 2 vs. HITRUST
- The Benefits of HITRUST Certification: Understanding HITRUST vs HIPAA
This article was originally published on 10/10/2018 and was updated on 1/11/2023.
Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, CCSFP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.