A-LIGN created a list of the do’s and don’ts to better prepare you for the HITRUST assessment.
Most organizations would agree that HITRUST sets the standard for safeguarding information for organizations worldwide. HITRUST was originally founded to help healthcare organizations better manage their information security systems and protect their data; the release of CSF 9.2 in 2019 allowed the HITRUST CSF certification to be used to support compliance reporting against other widely recognized privacy and security standards and requirements.
Needless to say, pursuing a HITRUST Assessment can be daunting. Though some organizations can become HITRUST certified in just a few months, the readiness process requires a significant investment in both time and resources. There are no shortcuts to being truly ready for a HITRUST assessment. It comes down to this: proper planning equals HITRUST success.
To help organizations successfully get started with HITRUST, A-LIGN created a list of the do’s and don’ts to better understand where additional attention is needed and how to prepare for the assessment. To more easily navigate this list, we’ve broken it down into three sections: internal factors, external factors, and the process.
Regardless of the reason you’re pursuing HITRUST, whether it’s a contractual obligation, competitive advantage, or to increase overall security posture, you want to ensure you have executive buy-in. Having the sponsorship and support of the Executive team ensures the proper tone is set as you embark on the process to prepare for the assessment. This also translates to ensuring you have the resources and budget to get started.
You don’t want to find yourself in a position where you need to convince the team to support the efforts after you’ve already started or to try to find the resources and budget later on.
DO ensure you have a strong commitment from management.
DON’T pursue unless you have a committed C-level sponsor for the activity.
Leverage Experience & Training
It might seem obvious, but you can’t do an assessment for a framework you don’t understand. Spend some time before you get started to ensure you understand what HITRUST is and what it requires. This will also help you properly budget the time and resources needed.
Specific areas you need to ensure you’re familiar with include:
DO contact a HITRUST External Assessor Firm or HITRUST staff personnel to educate and inform key stakeholders. In addition, you may want to train one or more key employees in the HITRUST Academy Certified CSF Practitioner (CCSFP) course.
DON’T begin the Validated Assessment Certification process without experience or training in the HITRUST CSF, the Scoring Rubric, and the HITRUST assessment methodology.
Involve Internal Stakeholders
Preparing for a HITRUST assessment is not just a job for the IT department or the security compliance team. It requires involvement from almost every department within an organization to some degree, including HR, finance, legal, privacy, and even engineers and developers.
To ensure everyone understands their roles in the process, be prepared to communicate those needs to each department properly and explain why they are uniquely qualified to assist in providing the necessary information.
DO involve cross-functional teams including HR, training, finance, facilities, maintenance, and more to ensure collaboration and understanding.
DON’T assume that IT and security teams will be the only ones involved in implementing and assessing the HITRUST risk management framework.
The External Factors
Select the Right Assessor Firm
Engaging with an external assessor is a critical part of the process to get ready for your HITRUST assessment. In fact, the earlier you start to engage with the assessor firm, the better. Since you will be working with them closely for a long time, it’s helpful to fully understand what the assessment process will look like and what will be required.
But the most important part of engaging with an assessor firm is to find the right assessor firm. You want to ensure they understand your industry and your business and that they are the right culture fit. For example, you do not want to hire a firm that doesn’t have experience in a number of security frameworks and proven success in HITRUST.
When looking for the right HITRUST assessor firm for your organization, consider the following:
- Confirm they are licensed and accredited
- Ask how many HITRUST assessments they have successfully completed
- Ensure they are appropriately staffed and qualified
- Determine if they use technology to expedite the audit process
- Verify they respond within 24 hours
- Review the quality of their work
- Review their services offered
- Ask to speak with customer references
DO take the time to properly vet an assessor firm to ensure they have the necessary experience with the HITRUST CSF Assurance Program and the technical expertise to understand your industry and business.
DON’T rush the selection of a trusted partner for Readiness and Validated Assessments. While many firms offer HITRUST services, some do not submit Validated Assessments to HITRUST regularly and may be unaware of important changes to the framework and certification process.
Purchase an Annual MyCSF Subscription
Perhaps the second most important thing to do, behind hiring the right assessor firm, is selecting and purchasing the CSF subscription that best fits your company.
Sometimes, organizations that have gone through previous assessments, such as SOC 2 or ISO, believe that HITRUST will be a simple process. However, HITRUST requires a very different approach to documentation and uses a scoring rubric that is a different concept from that of other assessments.
Obtaining a MyCSF subscription provides access to tools and information that will allow you to manage and perform risk assessments more easily while supporting Corrective Action Plan (CAP) management. A subscription also provides organizations with advanced analytics for managing risk posture and benchmarking data, in addition to authoritative source reporting, including a fully customizable view of the HITRUST CSF.
DO get an annual subscription to MyCSF. On average, an organization going through a HITRUST Validated Assessment for the first time takes between nine and 24 months to get certified.
DON’T underestimate the time it takes to complete a HITRUST certification. HITRUST certification takes several months to complete and submit.
Properly Scope the HITRUST Process
It can be easy to assume you have all the pieces you need to move forward with your assessment. But you don’t want to discover mid-way through an assessment that you forgot to include something important. After all, HITRUST has a 90-day maturation period that requires new controls to be implemented for 90 days before testing. So, if you implement a new control at any point during the assessment, it will reset your testing time frame.
Invest the time early on to complete a thorough scope of the HITRUST process so you understand every piece that will be required. Proper scoping with your assessor firm from the beginning will set you up for success.
DO engage with a HITRUST External Assessor Firm for assistance with scope definition and related exclusions. Note that HITRUST does not certify processes, locations, people, or mobile applications: only implemented systems. You must also define other organizational, geographical, and regulatory factors if your organization is required to report on additional security and/or privacy frameworks, such as SOC 2, ISO 27001, PCI-DSS, NIST 800-171, GDPR, etc.
DON’T define the scope of a first-time HITRUST Validated Assessment on your own. Changing scope late in the assessment process can result in long delays or months of remediation and rework, so it’s important to define the scope accurately from the beginning.
Start with a Readiness Assessment
Working with your assessor firm to leverage a readiness assessment can help identify gaps and provide tangible recommendations to remediate those gaps. This is all about preparation; it is invaluable to learn to recognize the areas where you may experience setbacks or delays and work to fix them before they impact the overall assessment.
DO have a HITRUST-approved External Assessor Firm guide you through a comprehensive Readiness Assessment to learn about the assessment process, review and discuss requirements, identify gaps, provide remediation recommendations, and adequately prepare for a Validated Assessment.
DON’T assume that other compliance audits, such as SOC 2, ISO 27001, or PCI DSS, will adequately prepare you for a HITRUST Validated Assessment.
Continuously Monitor & Improve
HITRUST is not a one-and-done certification. Though the certification is good for two years, it is a continuous improvement and monitoring assessment. Therefore, during your interim year, spend the time working through CAPs to show HITRUST that you are remediating so you can maintain your certification.
It can also be helpful to build a calendar to ensure you can clearly map out the requirements for your certifications. This, coupled with an internal governance committee, can help the organization understand how to move through the calendar year and meet the various requirements for certification.
DO dedicate resources to ongoing efforts. For example, develop a compliance calendar to monitor controls and ensure continuous improvement with no control degradation.
DON’T view HITRUST as a “one and done” certification.
Prepare for HITRUST Today
The best way to set yourself up for success when it comes to a HITRUST assessment is to make the time and resource investment upfront. Hire an external assessor firm that understands your business and industry and has proven HITRUST certification success. Spend time with your assessor to ensure you understand everything you’ll need for your HITRUST assessment with a thorough scoping effort. And create a calendar that helps you understand the requirements for each of your certification efforts.
After all, proper planning equals HITRUST success.