Are Your Policies and Procedures Strong Enough for HITRUST?
For many businesses, the biggest challenge in obtaining a HITRUST CSF certification is having to establish policies and procedures that satisfy the HITRUST criteria, which is a requirement for the r2 Assessment. Note that policies and procedures are still required in an i1 Assessment, but without the rigorousness of the r2 Assessment as described in this blog.
While organizations focus carefully on implementing each HITRUST control requirement, I also suggest they pay close attention to their policies and procedures. Prioritizing strong HITRUST policies and procedures is crucial to passing the audit and earning a HITRUST certification.
It’s also best to create and document policies and procedures for the HITRUST CSF sooner rather than later, as they must be in place for at least 60 days prior to the audit carried out by an external assessor.
Read on to learn more about HITRUST policies and procedures, the minimum requirements for documentation, and what to do if you don’t have sufficient resources to handle such an initiative.
Understanding HITRUST Policies and Procedures
A big reason why companies often treat HITRUST policies and procedures as an afterthought is that they have existing documentation mapped to another standard (such as SOC 2 or ISO 27001) and assume they can carry over to cover HITRUST requirements. This is not the case — in fact, most of the time, an organization will have to completely rewrite their policies and procedures in order to meet HITRUST requirements.
Here are the key points to know about HITRUST policies and procedures.
What are HITRUST policies?
HITRUST policies are the rules an organization and its employees must follow in order to achieve a specific goal. According to the most recent HITRUST Assurance Advisory (2021-014), “A documented policy must specify the mandatory nature of the control requirement in a written format which could reside in a document identified as a policy, standard, directive, handbook, etc.”
HITRUST policies should contain statements from management describing how your organization plans to adhere to each HITRUST control requirement. For example, “Acme Corporation will keep up a vulnerability management program that proactively identifies and detects information security vulnerabilities, so that the business may…” (ending with the goal the company aims to achieve through vulnerability management).
What are HITRUST procedures?
HITRUST procedures provide an explanation of the “how” behind HITRUST policy implementation by describing step-by-step instructions for specific routine tasks. As per the latest HITRUST Assurance Advisory, “A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.”
- This means each of your procedures must give a detailed description of:
- How the policy is being implemented
- When each step of the procedure should be performed
- Who is performing specific actions related to the procedure
- Additional details on timing and accountability
HITRUST procedures should answer the “how,” and provide some details on “when,” and “who” where applicable behind each policy. For example, the official Vulnerability Management Procedure for Acme Corporation would provide a comprehensive account of its scope and goals, key responsibilities assigned to specific roles and departments, descriptions of various security assessments involved in the program, a schedule delineating the frequency of audits, and more.
What HITRUST Policies and Procedures Does My Organization Need to Document?
Because the HITRUST CSF is a flexible and scalable security framework that is tailored to the compliance needs of each organization, the exact policies and procedures required will depend on the scope of your assessment.
That being said, at a minimum you must have policies and procedures in place that address the 19 HITRUST control domains. Your organization must receive a maturity score of at least “3” (on a maturity level scale from 1-5) for each control domain in order to earn HITRUST r2 certification. Having strong policies and procedures in place and effectively implemented make up the baseline of HITRUST compliance. The HITRUST CSF control domains are:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging and Monitoring
- Education, Training, and Awareness
- Third-Party Assurance
- Incident Management
- Business Continuity and Disaster Recovery
- Risk Management
- Physical and Environmental Security
- Data Protection and Privacy
Again, to address the 19 HITRUST control domains, the information included in your documentation depends on the compliance needs of your business and the scope of your assessment. Scoping factors that determine your organization’s number of control requirements and therefore inform your policies and procedures include:
- Company industry
- Company size
- Company location
- Types of data handled
- Data access and usage (including third parties)
- How systems process, store, and transmit data
For example, a company with a HITRUST CSF assessment that covers 250 control requirements will have a different password management policy than a company with 450 control requirements. The latter organization may have a control that states employees must change their password every 90 days while the former organization may not have any such control.
Solving for a Resource Deficit When Designing HITRUST Policies and Procedures
After comprehending the structural nuances of the HITRUST CSF, it is very common for organizations to realize they simply don’t have the resources and/or budget required to create and document the necessary HITRUST policies and procedures from scratch.
If you are worried your organization does not have the proper resources in place — a trusted HITRUST advisor can help. Following a Readiness Assessment designed to pinpoint gaps in your organization’s environment, A-LIGN can provide comprehensive HITRUST Risk and Advisory Services that include any combination of:
- Creation of policies and procedures
- Documentation of policies and procedures
- Gap remediation for policies and procedures
- Implementation of nontechnical controls
- Gap remediation for nontechnical controls (e.g., develop an incident response plan or BCDR plan, help conduct HIPAA training, etc.)
Our practiced guidance will accelerate your path toward HITRUST certification, saving both time and resources. Read the story of our partnership with Sandata Technologies that inspired the company’s Security Director, Michael Alcide, to say, “[A-LIGN’s] guidance throughout the entire [HITRUST] process was invaluable. They helped us understand the small nuances and specific requirements that are always changing.”
Take the Stress Out of HITRUST
It’s no secret that achieving HITRUST certification can be complex and, at times, confusing. Leverage industry experts who are deeply familiar with HITRUST (500+ assessments with a 100% successful certification rate) and your organization will be more efficient with assessment preparation, including documentation of the necessary policies and procedures.
Looking to expedite your path to HITRUST certification?
