A request for proposal has just come out that is in your company’s wheelhouse but instead of only requiring HIPAA, the proposal suggests that those who are HITRUST compliant either receive more consideration or may be the only proposals considered at all. What happens now? Are you prepared? Do you know what that means? It might be time to hire a HITRUST Assessor.
In this post, we will focus on understanding the HITRUST Framework, what a HITRUST assessor is, whether you need a HITRUST Certified CSF Practitioner, the steps taken once you have engaged a HITRUST assessor, and what reports your assessor can provide.
Understanding the HITRUST Framework
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was introduced as a means of guiding companies on how to safeguard protected health information. Since the inception of this framework, companies have been able to self-certify against the established criteria. After about a decade, a group known as the HITRUST Alliance was formed to combine the criteria established in HIPAA and take them a few steps further by adding a number of other frameworks to complement HIPAA. HITRUST’s mission is to advocate for frameworks that promote the safety of sensitive information across all industries.
As mentioned above, HITRUST incorporates a number of standards and regulations. Some examples include the HIPAA Security, Breach, and Privacy Rules; ISO 27001, 27002, and 27799; COBIT 4.1 and COBIT 5; the NIST Cybersecurity Framework; PCI DSS; the CSA Cloud Controls Matrix; HHS Secretary Guidance; and the list goes on. By doing this, the hope is that HITRUST is, in essence, a one-stop-shop framework for the protection of sensitive information. As a side note: while this is the intention, it is still important to ensure that the framework covers all of your requirements. Although this framework incorporates many different standards, it may not include every requirement from any one specific framework or standard.
What is a HITRUST Assessor?
If you have gotten to the point where you know that becoming HITRUST certified is the next step, it is time to start looking around for a HITRUST Assessor. It is important to understand what this means as your company starts researching firms to work with. To become a HITRUST-Certified Assessor, firms must go through training, have a certain number of certified assessors on staff, and understand the tool created by HITRUST where assessments are maintained. A firm cannot provide organizations with a certified assessment if the firm is NOT a certified HITRUST Assessor.
Is there a difference between a HITRUST Assessor and a HITRUST Certified CSF Practitioner?
If you are using a firm that is a HITRUST Assessor, then the individuals working with your company to complete the HITRUST Assessment are considered HITRUST Certified CSF Practitioners, or CCSFPs. These practitioners are required to complete an annual refresher course along with a certain number of continuing professional education hours each year to maintain this designation.
Planning Your HITRUST Assessment
Once you have engaged a HITRUST assessor, it is time to start planning the assessment. Each assessment starts with the HITRUST-certified company determining which controls will be included across the 19 domains within the HITRUST framework. This is done within the CSF tool. The CSF tool, for those of you who do not know, is a Software as a Service (SaaS) product created by HITRUST which maintains assessment evidence and provides users with different reporting options. The goal of this tool is to provide one place where companies can track and manage the risks that affect a company’s privacy and security.
Within the tool, companies are prompted to enter variables such as contact information, organization profile, company environment, assessment options (which we will quickly review in the next section), organizational factors, geographical factors, system factors, and regulatory factors. Once each of these areas is filled out, the scope of controls to be assessed will be provided to the organization. This is the basis on which the assessment is completed.
Determining Compliance Processes, Identifying Gaps & Validation
Once a company knows what controls they are required to include as part of their assessment, the company should then start determining which processes are in place or if there are gaps that need to be addressed. Using the criteria and sample controls provided by HITRUST, it is good practice to start by honestly grading oneself on the true state of each process.
One mistake our assessment team often sees is that companies going through this exercise tend to grade themselves based on processes or documentation that are not yet in place at the time of the review but are in progress or planned for the future. The issue with this is that it can provide a false sense of preparedness for the actual assessment. The best way to avoid this is to respond to each criterion by providing the name of the document or evidence that fulfills the control and the exact location of the information within that evidence, as applicable. If this cannot be done, then there is most likely a gap in the process or in the documentation.
Finally, once this process is complete, the HITRUST assessor can validate that the processes and documentation do, in fact, address the controls that HITRUST requires to be addressed.
There are a couple of types of reports that a company can receive, but only one requires a HITRUST Assessor. A company can first choose to complete a self-assessment. While this can be a great option to start with, as mentioned above, it can give the client a false sense of security if the self-assessment counted future work as compliant or partially compliant. The other type of report is a Validated Assessment. A validated assessment is completed by the HITRUST Assessor and is done onsite. The client provides the evidence used to satisfy the control requirements, and the assessor determines whether the evidence meets each requirement fully, partially, or not at all. Upon completion of the assessment, the HITRUST Assessor will work with HITRUST to address any questions and finalize the report.
Summarizing the Role of a HITRUST Assessor
If your organization has determined that becoming HITRUST certified is the next step, engaging a HITRUST Assessor is the best place to start. This is an important part of the process, as the assessor will be able to provide you with context around the HITRUST process and information about the HITRUST framework. Finally, a HITRUST Assessor is the liaison between your company and HITRUST. Luckily, it is easy to know whether you are engaging a certified HITRUST Assessor: HITRUST maintains a list of assessors on its website for reference.
If you are looking for more information or are searching for an assessor, please feel free to reach out to Linford & Company for more information on HITRUST Certification.
For more information on HITRUST, check out the following blog posts:
- What is HITRUST? A Practical Guide to Certification
- Navigating Compliance Frameworks: SOC 2 vs. HITRUST
- Healthcare Security Compliance & The Benefits of HITRUST Certification
- How to Score HITRUST CSF Controls?
- Understanding the HITRUST Certification Process
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.