The Importance of Choosing HITRUST Compliant Vendors and Partners
Why is it important to assess the security of your vendors? Because your organization is only as secure as its outside resources, and it’s imperative to ensure your vendors are HITRUST certified.
Whether you have just started your HITRUST journey or have been certified for years, you probably ask yourself the typical questions: “What is our security posture?”, “What controls do we have in place?”, and “What controls do we need to implement, measure, and manage to become compliant and maintain HITRUST CSF Certification?”
What is one thing all these questions have in common? An inward focus. Although you’re right that these questions are important to answer, by focusing inward you’re overlooking crucial areas that could put your organization at risk: those handled by external service providers and vendors.
In 2015, many large corporations in the healthcare industry, including Anthem, Health Care Services Corporation (HCSC), Highmark, Humana, UnitedHealth Group, and many more, issued a requirement for all of their downstream vendors to achieve HITRUST certification. The purpose of this requirement was to ensure the safe handling of all sensitive information. Fast forward six years, and it’s now an industry standard for all vendors, large or small, to offer a HITRUST CSF solution.
Let’s take a look at why it’s so important to assess your vendor’s security posture.
What is HITRUST CSF?
The HITRUST CSF is a robust and scalable framework for managing the regulatory compliance and risk of organizations and their business associates. Originally designed specifically for the healthcare industry, the HITRUST framework has found success across multiple industries because it unifies regulatory requirements and recognized frameworks including, but not limited to:
- ISO 27001
- NIST SP 800-53
- PCI DSS
With its ability to combine several assessments and standards into one framework, the HITRUST CSF allows organizations to decide what regulatory factors they want to include in their assessment based on the level of risk and the regulatory requirements. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like they’re only undergoing one – saving them time, money, and resources. Because of this benefit and its comprehensive focus on security and privacy, the HITRUST CSF has been widely praised and adopted by organizations around the world.
If your organization works with outside vendors or partners, it’s important to ensure they take data security and privacy as seriously as you do. After earning your own HITRUST CSF certification, the next step is to assess your vendors.
Why Assess Vendor Security?
The HITRUST CSF Assessment methodology requires testing of all relevant controls for in-scope data, systems, and applications, even when they are owned and operated by a third party. The controls can be tested directly as part of your assessment, covered by a formal security assessment such as a SOC 2, or ‘inherited’ from the vendor.
What this means for a company seeking HITRUST certification is that all related controls must be satisfied for every location (including cloud service providers and software-as-a-service products) and every application in the solution. Examples of related controls include the following:
- Physical security for the datacenter where information is stored
- Network security for the application that is used
- Encryption of sensitive data
- Monitoring for unauthorized access and devices
- And more
Cybersecurity compliance is advancing, and it’s no longer good enough for you to have great security if your vendors do not. Now that you’re ready to select your HITRUST-certified vendors, it’s important that you learn where they are in their HITRUST certification process. Your vendors can provide you with a self-assessment, a validated assessment, or a certified assessment.
At the very least, it’s suggested they provide a validated assessment, as it’s a more rigorous process due to independent testing of the controls performed by an authorized CSF external assessor firm. Upon completion, HITRUST reviews the completed assessment and, if the organization has failed to achieve a rating of 3 or higher on any of the controls, issues a Validated Report as the outcome. When undergoing the validated assessment, any gaps in evidence or control performance affect their certification attempt and may disqualify them from your vendor selection process. If you are unsure whether your vendors and suppliers meet the necessary requirements, it’s important to have the tough conversations to learn what assessments have been performed, whether they will provide full reports for review, and whether they participate in the HITRUST inheritance program.
How Can A-LIGN Help?
A-LIGN’s Advisory Team will review your company’s policy and procedure documents and evaluate them against the HITRUST CSF. We will share any gaps identified and remediate them by updating and documenting the policies and procedures to meet the HITRUST CSF specifications. If your company needs policies and procedures created, we can design and document them appropriately after performing interviews to understand the control environment. We can also assist in documenting non-technical controls such as Risk Assessment, Incident Response, Disaster Recovery, and more.
Once all gaps are remediated, the A-LIGN Assurance team will perform an independent review and submit the assessment to HITRUST for certification.
Our team of HITRUST experts is here to answer any question you might have through every step of the process, responding to all inquiries within 24 hours. With A-LIGN, you’re on the right path to HITRUST certification success.
Interested in learning more about HITRUST CSF? Complete a form and one of our cybersecurity and compliance professionals will reach out soon.