Chances are, if you are reading this, that you are considering obtaining a HITRUST Certification. This post will walk you through the HITRUST certification process. You will learn the major steps needed to prepare, be assessed, and obtain the certification. We will also highlight some of the pitfalls to avoid along the way.
If you are not quite ready to dive into the HITRUST assessment process but would like to learn a little more about HITRUST, I would recommend that you take a look at one of our earlier blogs that walks you through the basics of HITRUST compliance.
What is a HITRUST Certification and Why Get One?
The Health Information Trust Alliance, or HITRUST, issues certifications to businesses and organizations who are independently assessed for compliance with its Common Security Framework (CSF). An organization can obtain HITRUST certification when all of the required controls are fully implemented within the scoped environment. The CSF is designed for use by a variety of organizations that may create, access, store, or share sensitive data. The CSF incorporates commonly accepted standards such as ISO, NIST, PCI, HIPAA, and COBIT within its baseline security controls.
Most organizations seeking a HITRUST certification are doing so at the request of a valued client or business partner. This is typically sufficient motivation for any organization. However, there are other options or audits that a business may use to evidence the control environment it uses to secure sensitive data. A few things that the HITRUST CSF provides that make it appealing include the following:
- Clear Standard – HITRUST’s CSF provides clear, prescriptive requirements and examples of controls that entities may implement to meet those requirements. Having a clear standard helps both the organization seeking certification and those relying upon it.
- Scalable – The set of CSF controls applicable to each organization’s assessment is customized using a risk-based approach that depends on the organization’s size, type, and complexity.
- Multi-Standard Alignment – HITRUST’s CSF not only draws upon and covers other security standards, but also cross-references the controls within the CSF back to the applicable regulations and standards. This is particularly helpful to organizations with a number of stakeholders (e.g., clients, business partners, government regulators) with varying reporting requirements.
How Do You Prepare for a HITRUST Assessment?
While you will need to complete and submit a validated assessment to HITRUST for certification, HITRUST recommends that your organization start out with a self-assessment or readiness assessment. A self-assessment is performed internally by your own personnel against the CSF, while a readiness assessment is typically performed by an independent third party. Either of these assessments will help familiarize your business with the CSF requirements and identify any control gaps that should be addressed before going forward with a validated assessment.
We recommend that organizations have a readiness assessment performed by the Certified CSF Assessor (like Linford & Company) who will ultimately be performing their validated assessment. This will provide you the assessor’s perspective of the gaps that need to be addressed and allow you an opportunity to discuss any differing opinions regarding those gaps and how best to address them. Either way, be sure to be thorough. This is the time to catch any mistakes.
Another important item to decide is how much you plan to use the MyCSF tool, which is used to document the self-assessment and validated assessment performed for HITRUST certification. HITRUST gives you two options for using the MyCSF tool:
- Purchase A CSF Report – Access for only the assessment (90 days); or
- Subscription – Full access year-round for an annual fee.
Both will work, and each has its pros and cons. The first option is less expensive; however, you only have access to the tool for 90 days to complete a self-assessment and for your Certified CSF Assessor to complete the validation of your assessment. As you’ve deduced, the second option is more expensive, but may be worth it in the long run if you plan to maintain your HITRUST certification on an ongoing basis. The annual subscription allows you to track compliance throughout the year, access your information in the tool at any time, and roll forward the custom control set from the CSF, as well as any updates, into your next year’s assessment.
If you do a self-assessment, the last step of preparation is to engage a Certified CSF Assessor to perform your validated assessment. If you elect to do a readiness assessment, you will need to engage the assessor in the early stages of your preparations.
What is the Process for Completing a Validated HITRUST Assessment?
At this point, we assume that you have performed a self/readiness assessment, remediated any control gaps, obtained access to the MyCSF tool, and engaged a Certified CSF Assessor.
One important item to keep in mind is that once access is granted in the MyCSF tool you will have 90 days to complete the validated assessment and submit it to HITRUST for review.
The first step of a validated assessment is to perform a self-assessment. This requires you or a member of your organization to evaluate your compliance with each required control against the five (5) maturity levels of the CSF maturity model:
- Policy
- Procedure
- Implemented
- Measured
- Managed
As you do this, we recommend that you gather evidence supporting your assessment; you will need it later. Controls are grouped within 19 different assessment domains. Once you’ve documented your assessment for all of the controls within a domain, you will submit the domain to your Certified CSF Assessor.
Upon receiving a submitted domain, the assessor can begin validating your self-assessment. HITRUST requires that assessors come on-site (for at least a portion of the time) to perform their validation assessment. Your assessor will follow HITRUST’s sampling guidance to test the controls against the same maturity levels.
If your assessments agree, the assessor will record the agreement in the tool and document the procedures performed to validate the assessment.
If the assessor disagrees with your self-assessment ratings, he/she may kick a control back to you in the MyCSF tool with comments.
If your assessor performed a readiness assessment and you’ve addressed all the gaps, you are much less likely to run into surprises or disagreements between the self-assessment and the validated assessment. If you skipped the preparation phase, or did not perform a thorough self-assessment or readiness assessment, reaching agreement can be a very drawn-out, iterative process.
How Do We Get HITRUST Certified?
Once the validated assessment has been completed, it is submitted to HITRUST for review. While it may take less time, HITRUST estimates that it can take up to six (6) weeks for its review to be completed. During that time HITRUST generates a report and, assuming a passing rating, issues a letter of certification.
The HITRUST certification is valid for two years with the expectation that:
- The organization continues to monitor the effective operation of controls over the period
- There are no data security breaches that are required to be reported to federal or state agencies
- There are no significant changes in the business or its security policies and practices
- Annual progress is being made on Corrective Action Plans (CAPs) identified in the assessment
- An interim review is completed in a timely manner by a Certified CSF Assessor
We hope this has helped you understand the process of obtaining a HITRUST certification. The HITRUST process can be lengthy and requires preparation and planning. However, it can give your clients and partners peace of mind, knowing that your organization has taken the steps necessary to protect the sensitive data in your possession.
As a Certified CSF Assessor firm, we would be happy to assist you with any of your HITRUST compliance needs. Please contact us to arrange a consultation or with any additional questions that you may have.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.