When we engage with clients who are just starting their HITRUST adoption and certification journey, one of the first steps is a readiness assessment. In this article, we will cover the following topics:
- The various forms of readiness assessments and their characteristics.
- Challenges organizations face when they are performing a readiness assessment.
- Success factors which if properly implemented will lead to an effective readiness assessment delivering quality results.
- The steps between readiness assessments and the completion of a validated assessment and certification.
While this article is focused on HITRUST adoption, the basic readiness assessment concepts presented can be applied to nearly any framework or regulatory requirements including SOC 2, PCI, FedRAMP, NIST/CMMC, HIPAA, GDPR, and others.
Types of HITRUST Readiness Assessments
There are two primary types of readiness assessments we will discuss in this article. The first is a self-assessment, which is intended to be performed with only internal resources and without the engagement with a third party. The second type of assessment is a third-party assessment, where the organization has engaged with a subject-matter expert to obtain professional guidance and feedback as part of the assessment. We recommend that clients engage an external assessor organization or a partner who has worked with their chosen external assessor organization before.
HITRUST Self-Assessments
Self-assessments involve an organization assessing its own compliance status and typically leverage only internal resources. Internal resources could have experience with the HITRUST ecosystem or they could be relatively new to the HITRUST CSF, in which case obtaining HITRUST adoption training from HITRUST would be a good idea.
HITRUST Third-Party Assessments
A third-party assessment is very common, but there are a few variants of this method:
- Working with a HITRUST-authorized readiness partner. These organizations are authorized by HITRUST to perform readiness services, but are not authorized to perform validated assessments.
- Working with an authorized external assessor organization. These organizations are fully authorized to perform both readiness and validated assessments in support of certification.
- Working with a consultant who has sufficient subject matter expertise in relation to HITRUST.
HITRUST Readiness Assessment Challenges
In the following section, we discuss various factors that impact an organization’s ability to successfully complete a quality readiness assessment. The concept of garbage-in, garbage-out is directly applicable in this case, and the more time, effort and focus the organization applies to the readiness assessment, the greater the quality of the output of the assessment.
Organizational Factors
There are various factors within the organization that affect the assessment. Understanding who is responsible for information security roles can be a challenge, as assumptions are often made about these responsibilities. Involving stakeholders is also crucial as it emphasizes the significance of the readiness process, sets the tone at the top, and aligns with the information security program. Resource availability is a very common hurdle. Organizations may struggle with readiness assessments due to conflicting priorities, challenges with remote resources, and a lack of clear guidance from leadership.
Technical Factors
Gaining access to systems often poses a challenge in readiness assessments. This is frequently due to the need to identify the right person with the required system access, which is a crucial aspect of the assessment process. Examples of impacted systems include MDM, AV, or cloud management capabilities.
Complete and accurate inventories are crucial as they influence various aspects of an assessment, such as scope and sample testing. Additionally, challenges arise with cloud sprawl, posing a threat to the assessment scope. It’s common for organizations to use cloud-based services, and a lack of strong governance can result in unexpected issues either during the readiness phase, ideally, or even worse, during the actual assessment.
Assessment Factors
Gaining a grasp of the HITRUST maturity scoring process is foundational. Insufficient knowledge or an inflated assessment score during readiness can result in unexpected outcomes in a validated assessment. This highlights the importance of utilizing adequately qualified resources in readiness assessments, whether they come from within the organization or externally.
Moving forward, gain a comprehension of testing methods to provide context to activities conducted in the readiness assessment. It’s important to be aware of which requirements will entail sample testing, configuration reviews, or inquiries. Lastly, involving subject matter experts (SMEs), as mentioned earlier, poses a challenge. If the initial hurdle is understanding roles and responsibilities, the subsequent challenge lies in tapping into the expertise of SMEs. A common issue is that those individuals whose time is most crucial are often the most challenging to reach.
HITRUST Readiness Assessment Guide to Success
There are many factors that contribute to the successful completion of a quality readiness assessment. While some of them are focused on the organization itself, many of the factors are associated with the techniques employed to perform the assessment. The better an organization understands the contributing factors to a quality assessment, the greater the quality of the assessment results, and the greater the level of assurance that can be provided.
Well-Defined Scope
The single most important factor in the success of any engagement is developing and maintaining a well-defined scope. The scope of the assessment is a way of understanding the people, processes, and technologies that will (or will not be) included in the assessment. A high level of clarity and understanding around the scope of the assessment leads to a greater level of quality and assurance throughout the assessment lifecycle. Until the scope of the assessment is well-defined, the readiness assessment should not begin.
Inquiry-Based Assessment
Executing a readiness assessment based only on inquiry leads to a low-quality assessment. Basing judgments on the inspection of evidence and observation of critical processes allows the organization and an assessor the ability to validate assumptions and verify compliance. For example, it may be a common understanding that all new hires participate in security awareness training, but how recently has that been validated? During our readiness assessments, we seek to obtain evidence that backs up assumptions and verify the operating effectiveness of controls.
Accurate Scoring
Applying precise scoring practices is essential to establish a strong understanding of the organization’s compliance stance. Specific to HITRUST, organizations should obtain and seek to understand the HITRUST Scoring Rubric, which is the go-to resource that explains all of the various factors associated with scoring at a high level. Organizations should ensure that all personnel involved in the assessment have at least a basic understanding of HITRUST scoring practices.
Disciplined Control Maturity
Assessed entities must verify that external assessor (and HITRUST) standards of evaluation are in agreement with the understanding of the assessed entity. Organizations should be conservative in their scoring, and remember that scoring starts with the assessed entity identifying their score, and then providing evidence to the external assessor organization to substantiate the score. Overly optimistic scoring and overestimation of control implementation can result in inaccurate readiness assessment results.
Research Requirements and Evaluative Elements
Developing a comprehensive grasp of testing expectations and the applicability of controls by examining evaluative elements, illustrative procedures, and associated mappings will lead to a greater level of quality during the readiness assessment. A number of resources are available through MyCSF to aid organizations in understanding the detailed nuances of the various requirement statements and evaluative elements. Working with an assessor who can translate requirement statements into guidance that is relevant contributes to the success of a readiness assessment.
Understand Inheritance and Reliance
There are three primary methods of demonstrating compliance from internal shared IT services and external third-party organizations, including vendors and Cloud Service Providers (CSPs). These methods are internal inheritance, external inheritance, and reliance.
Internal inheritance facilitates the inheritance of assessment results and scores from one HITRUST certification assessment and applies them to another assessment.
External inheritance facilitates the inheritance of assessment results and scores from a hosting, cloud, or service provider’s assessment(s). More information is available through HITRUST’s Shared Responsibility and Inheritance Program
Reliance differs from inheritance and an organization may “rely” on a third-party audit or assessment report to validate compliance with particular HITRUST requirements previously reviewed during an audit. Difficulties associated with reliance include variations in scope between the HITRUST assessment and the third-party audit, along with differences in the level of detail provided in the testing documentation found in the third-party audit report.
Perform Strategic Analysis
Implementing a strategic method to address remediation priorities and tracking advancements in line with information security and compliance objectives will allow the organization to leverage a risk-based approach to remediation, assessment, and certification. At the end of the day, whether an organization becomes certified is essentially a mathematical formulation based on the averaging of scores for the number of requirements across a given domain. We talk about detailed scoring in other articles since it is a complex topic.
The Journey from Readiness to Certification
While specific timelines vary based on the type of validated assessment being pursued, the following graphic demonstrates the general process for organizations navigating their HITRUST journey. It is important to note that just as security creates compliance as a byproduct, HITRUST adoption creates positive motion towards a successful validated assessment and certification process. Typically, the timeline from the beginning of readiness to the completion of a validated assessment ranges from four months to a year.
Frequently Asked HITRUST Questions
My organization needs to get HITRUST certified – what should we do first?
First, you should research the various certifications available through HITRUST, then reach out to us as an authorized external assessor organization, to set up a call to discuss scoping and other important factors. Once high-level scoping details have been discussed, we can address questions about timeline and pricing.
Which HITRUST certification is right for our organization?
Which certification is right for an organization often depends on whether the demand for certification is internally driven, or whether it is driven by external business partners. To begin this conversation, we typically seek to understand what the organization does, who the organization serves, and what sensitive data is involved. That open and candid conversation is the beginning of establishing the scope we’ve discussed as being so vital in the process.
Can our external assessor help us with the readiness assessment as well as the validated assessment?
Yes! However, we approach any potential conflicts of interest very conservatively. As a result, the personnel who perform your readiness assessment will not be on the validated assessment team. However, all of our assessors are certified by HITRUST against the same standards to make certain we provide a consistent experience for our clients. In addition, we do not provide any form of managed services for our clients, further eliminating potential conflicts of interest.
Conclusion
It is our hope that the guidance we have provided in this article will assist you and your organization in preparing for and executing a high-quality readiness assessment for whatever framework, regulatory requirement, or standard your organization is seeking to maintain compliance with.
If your organization is just getting started on the compliance journey or looking to make a change and could use a guiding hand along the way, reach out to the team of experienced auditors at Linford & Company to see how we can help make the readiness and assessment process less painful through the application of the concepts we’ve discussed.
Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, CCSFP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.