HITRUST Changes PRISMA Weights and Scoring Rubric
On September 3, 2019 HITRUST announced that they will be updating the HITRUST PRISMA Weights (HAA 2019-007) and the Scoring Rubrics (HAA 2019-009). These new guidelines will go into effect for any HITRUST certifications submitted and accepted on December 31, 2019 or later.
PRISMA Weight Changes
HITRUST is updating the point values or “weighting” for each of the five levels of HITRUST’s PRISMA Maturity Model. The changes will increase weight levels for the categories of Implementation and Managed and will reduce the weight levels for the categories Policy, Procedure and Measured.
Figure 1 shows the changes to the PRISMA weighting effective later this year.
HITRUST has reaffirmed that the category Managed cannot score higher than Measured. This follows from the logic that you can’t manage what you are not measuring. However, you can still measure something that you are not implementing. For example, a requirement could receive an Implemented score of 0% but a Measured score of 25% if the metric is defined in the Process and is actually being measured.
These changes ensure that organizations not only have the required policies and processes in place but are also implementing and regularly managing the controls in their environment that are responsible for successfully managing information security and risk.
Scoring Rubric Changes
In addition, the scoring rubric is being updated by HITRUST to provide a more consistent interpretation. Originally designed as a reference aid, this has frequently become a tool that organizations use to determine their rating across the various levels of control maturity.
The new HITRUST CSF Control Maturity Scoring Rubric will provide much more detail and will replace qualitative terms with quantitative ranges. Additional changes to the HITRUST scoring rubric will include:
• Improved definitions for assessment terminology
• Examples of assessment for each scoring category
• Scoring lookup tables for each of the five levels of HITRUST’s PRISMA maturity model
Previous HITRUST Scoring Rubric
Impact to Organizations
These changes will impact all organizations that undergo HITRUST certification and submit the assessment to HITRUST after 12/31/2019. Note that the assessment also needs to be accepted by HITRUST prior to 12/31/2019 to be scored under the previous weights. HITRUST takes about 7 – 10 business days after an assessment is submitted to accept it; hence, if an organization wants to be scored under the old PRISMA weights, A-LIGN recommends submitting the assessment no later than 12/13/2019.
With the change in PRISMA Weights, the category of Implementation has increased importance in achieving HITRUST certification. A rating of 62.5% and a corresponding score of 3 on HITRUST’s 1- to 5+ scale is still required to achieve HITRUST certification, but without proper implementation, many organizations may not receive their certification and could instead receive a Corrective Action Plan (CAP). Below is a HITRUST example of how scores could change under the new weighting and scoring rubric:
How Organizations Can Prepare
To ensure organizations aren’t caught off guard, it’s important that they continuously verify that the controls that could impact their compliance score have been properly implemented. Many organizations may want to consider hiring more resources to ensure the controls in their environment are implemented and operating effectively.
For any organization that received HITRUST certification under HITRUST CSF Version 8.x or older, it is recommended that they review the newer HITRUST CSF Version 9.x to identify the additional controls that were added as part of that version. It will be imperative that those controls are being implemented appropriately in order to receive a compliant score for HITRUST certification.
Timing of Changes
These new changes are in effect for any HITRUST submission that is received and accepted on December 31, 2019 or later. For interim assessments, the scoring is based on whatever scoring model was in effect when the validated assessment was submitted. Interim assessments started after December 31, 2019 will therefore continue to use the scoring model that applied when the original submission was made.
To ensure that organizations achieve or maintain certification under the new PRISMA weighting and scoring rubric, controls must be implemented and operating effectively for at least 90 days prior to a full validated assessment so that a full score can be achieved for each maturity level.
In addition, an assessor’s validated fieldwork must be completed within 90 days of the submission date. If remediated or newly implemented controls are in place, they must be in operation for a minimum of 90 days before an assessor can test that control.
How A-LIGN Can Help
A-LIGN can conduct a HITRUST Gap Assessment to help organizations benchmark the implementation of their controls against the new PRISMA weighted scores and scoring rubric, to ensure certification will be achieved or maintained. In addition, A-LIGN can help identify any gaps and recommend the new controls that will need to be implemented when moving from HITRUST CSF 8.x to HITRUST CSF 9.x.
A-LIGN is one of only a few globally recognized cybersecurity and privacy compliance providers that offer a single-provider approach for organizations. A-LIGN is a HITRUST CSF Assessor firm, Qualified Security Assessor Company, Accredited ISO 27001 and ISO 22301 Certification Body, Accredited FedRAMP 3PAO and licensed CPA firm.
For more information regarding HITRUST Certification contact us at [email protected] or call 1-888-702-5446. Our experienced assessors can answer your cybersecurity and privacy compliance questions.