HITRUST Checklist – Readiness for HITRUST Certification

Sensitive data is becoming increasingly vulnerable to cyber threats. Ensuring robust data security and regulatory compliance is paramount, especially in the healthcare industry. HITRUST is a comprehensive framework that provides the necessary guidelines to safeguard electronic protected health information (ePHI).

Since many organizations don’t know where to start on their journey to HITRUST compliance, we created a valuable HITRUST readiness checklist to help your business get started on a successful path.

Download the HITRUST checklist PDF!

Why HITRUST compliance matters

The HITRUST CSF is an industry-leading framework that establishes guidelines and standards for organizations in the healthcare industry to ensure the protection and privacy of sensitive information.

HITRUST compliance is essential for healthcare organizations due to the ever-growing complexity of the regulatory landscape and the increasing prevalence of cyber threats. Achieving HITRUST compliance demonstrates a commitment to meeting industry standards, mitigating the risk of data breaches, and safeguarding patient information.

By meeting HITRUST compliance requirements, organizations can enhance their credibility, build trust with stakeholders, and showcase their dedication to maintaining the highest levels of data security and privacy.

Understanding the HITRUST readiness checklist

Having a well-rounded understanding of the importance of the HITRUST CSF is the first step on the road to compliance. Once your business is aware of the components of the framework, you can start taking steps to ensure you have the correct controls in place to protect information.

By following the HITRUST checklist steps below, your organization can show your dedication to following the framework while also fostering a culture of security that extends beyond the audit process.

Build an information protection program

Formally establish an Information Security Management Program (ISMP) highlighting key responsibilities, oversight structures, organization objectives, and a commitment to ethical values.

Establish endpoint protection

Holistically apply anti-virus/anti-malware and/or equivalent endpoint protection throughout your entire environment for all in scope endpoints such as desktops, laptops, servers, mobile devices, and more.

Initiate media, mobile device, and wireless security controls

To demonstrate media, mobile device, and wireless security, your organization should implement controls over:

• Laptops
• Mobile phones
• Firewalls
• Security configurations
• Placements
• Scanning tools
• Removable media
  • USBs
  • Removable hard drives
  • Backup tapes
  • CDs/DVDs
• Restricted usage
• Proper logging

Implement configuration management

Formally log appropriate Change Management/System Development Lifecycle processes and tools for logging all actions during the change process. Also, conduct annual technical compliance checks.

Log vulnerability management

Clearly define all in-scope assets in a master inventory list and monitoring activities in place to facilitate and evaluate vulnerabilities. In addition, management should implement password complexity and secure password reset procedures.

Establish network & transmission protection

It is essential to appropriately configure network routing and firewalls to limit traffic and create strong network protection. Also, be sure to define encryption in transit protocols expected to be in use and implement those protocols across all traffic.

Implement access control

Ensure there are access controls in place for all account types and phases of access to include onboarding and terminations.

Log & monitor audit activity

Implement proper audit logging and monitoring controls for all user actions and events. Create a segregation of duties to ensure logs cannot be modified or adjusted by administrations of other systems. Be sure to audit these logs annually.

Promote education, training, and awareness

It is imperative to establish a comprehensive training program for all users. This role-based specific training should be conducted annually, and new hires should be given initial training prior to accessing in-scope systems. Also, foster a culture of security by educating staff on acceptable use, policies, and procedures year-round.

Manage third party assurance

Establish vendor management and oversight policies/procedures and ensure they are being used in daily operations to govern all third-party critical and non-critical vendors.

Define incident management, business continuity, and disaster recovery

In case of a major incident, it is critical to formally define policies and procedures to recover from identified security incidents or unexpected business interruptions. In addition, management should establish appropriate incident management policies and procedures to guide users in identifying, reporting, and mitigating failures, incidents, concerns, and other companies.

Conduct risk management assessments

Assess risk management then identify, select, and develop risk mitigations activities for risks from potential business disruptions, including those associated with vendors and business partners.

Establish physical & environmental security practices

Management should create processes around physical and environmental security in accordance with applicable requirements.

Manage data protection & privacy

Management should establish privacy policy and confidentiality policies and procedures in accordance with applicable requirements.

What is the HITRUST assessment process?  

After completing the items on the HITRUST readiness checklist, your business should be ready to begin the HITRUST certification process. The HITRUST assessment process is composed of five steps: 

• Step 1 – Define scope:  During this stage, an organization either works with a third-party assessor or an internal subject matter expert to define scope and determine what type of HITRUST assessment to undergo. 
• Step 2 – Obtain access to MyCSF portal:  The organization (the entity being assessed) contacts HITRUST to get access to the MyCSF portal. After receiving access, the organization should create its assessment object and engage an approved third-party assessor firm.  
• Step 3 – Complete a readiness assessment/gap-assessment:  The assessor performs appropriate tests to understand the organization’s environment and flow of data between systems, and then documents any possible gaps. The gap assessment also ranks gaps in your organization by risk level, allowing you to remediate any gaps before the validated assessment. 
• Step 4 – Validated assessment testing:  During the validated assessment (either the e1, i1 or r2 Assessment) testing phase, assessors review and validate the client scores, then submit the final assessment to HITRUST for approval. HITRUST will then decide whether to approve or deny your organization certification. The HITRUST QA stage in the process (before issuing the certification) can take anywhere from four to ten weeks, depending on the assessment and the assessors’ level of responsiveness. 
• Step 5 – Interim assessment testing:  If certification is obtained as part of the r2 Assessment, an interim assessment is required to be conducted at the one-year mark to maintain certification. It is important to note that an interim assessment is not required if certification was obtained via the e1 or i1 Assessment. 

Partner with A-LIGN for successful HITRUST compliance

Achieving and maintaining HITRUST compliance is vital for organizations in the healthcare industry. By leveraging the HITRUST readiness checklist and working with a leading third-party assessor like A-LIGN, you can confidently navigate the path towards, safeguard your organization’s sensitive data, and build trust with your stakeholders.

Elevate your company’s compliance program and get ready for HITRUST certification by downloading our readiness checklist here.