HITRUST MADE SIMPLE®
An Explanation of HITRUST, Its Benefits, & How to Get Started
LBMC HITRUST Guide LBMCsecurity.com

CONTENTS
Introduction: A guide for your HITRUST journey
How to use this guide
Chapter 1: What is HITRUST? (page 3)
  About HITRUST
  Key benefits of HITRUST
  HITRUST and supply chain benefits
  A note to healthcare organizations
Chapter 2: How to get started with HITRUST (page 12)
  Preparing for the first assessment
  Picking a HITRUST Authorized External Assessor
  Common challenges
  HITRUST timeline and project flow
  A few more tips before you begin
Chapter 3: Continuing the path to HITRUST validation (page 21)
  Understanding HITRUST’s scoring methodology
  Measured & managed
  Maintaining the certification
Chapter 4: Optimizing HITRUST (page 30)
  Combining assessments – SOC 2 and HITRUST, ISO 27001
  HITRUST learning opportunities
  FAQs & common misconceptions
  Definitions
  About HITRUST
  About LBMC Information Security
HOW TO USE THIS GUIDE
This guide was designed so that you could either read it start to finish or dig into the specific topics that are most applicable to your organization. The guide will enhance your understanding of HITRUST, the HITRUST CSF, and how to utilize it as part of your information security risk management program. It clarifies the certification process, allowing you to take your HITRUST CSF Certification to the next level and optimize your HITRUST experience.
As you progress in your project, revisit this guide for tips and tricks to make things easier, stay in the “cost-efficient zone” and make your efforts appear effortless! Most think of “HITRUST-ing” as a marathon, not a sprint. We also like to think of it as a team sport where good security is everyone’s responsibility.

INTRODUCTION: A Guide For Your HITRUST Journey
Every organization has sensitive data it must protect. Whether that is trademark information, customer lists, health information, employee data, or data required by a contract to be secured, it is no longer acceptable to leave data or the systems that house it in an unprotected state. Once a competitive advantage, security functions are now commonplace, and compliance with a standard methodology is expected.
Organizations can begin the HITRUST CSF implementation journey at various points in their information security and privacy path. Whether you are a start-up company just beginning to think about information security or a more established company with defined information security and risk management programs, the journey to HITRUST certification will be a commendation recognizing your organization’s cybersecurity, privacy, and risk maturity.
Every organization can achieve the coveted HITRUST CSF Certification, but it will take a little patience, a lot of executive support, and, sometimes, a helping hand. This guide will help you identify where you are on the path, fill in the gaps, and provide insight into the benefits of achieving HITRUST CSF Certification.
HITRUST Origins
In 2007, representatives of the healthcare industry came together to form HITRUST with the goal of ensuring that
information security would be a pillar of the industry. Fast-forward to modern-day HITRUST, and we find a board of
directors comprised of representatives from multiple industries, multiple councils and working groups with focused
improvement mandates, and a rich user base able to submit and vote on compliance tool updates.
Building on the initial information security goals, the framework now boasts privacy controls,
alignment with AICPA SOC 2 reporting, and an increasing number of regulatory mappings that
cross the range of industry and nation.
Even with growth and change, the principle that controls are evaluated based on maturity scoring remains
the same. There are multiple reporting options, but it remains true that organizations become HITRUST CSF Certified as
part of a completed HITRUST CSF Validated Assessment with at least the minimum required score.
CHAPTER 1: WHAT IS HITRUST?
About HITRUST
HITRUST is a:
➢ Organization
➢ Certification body of assessments and assessors
➢ Collaborative community dedicated to improving security and privacy practices in all industries
HITRUST Organization
HITRUST, in collaboration with leaders from the private sector, government, technology, and information privacy and
security spaces, established the HITRUST CSF, a certifiable framework that can be used by any organization that
creates, accesses, stores, or exchanges sensitive information.
The HITRUST CSF Risk Management Framework
The HITRUST CSF harmonizes multiple frameworks, security
standards, state, federal and international regulations,
and leading practices into a single framework. The
HITRUST CSF’s core structure is based on ISO/IEC
27001:2005 and 27002:2005, published by the
International Organization for Standardization (ISO) and
International Electrotechnical Commission (IEC), and
incorporates more than 40 other security and privacy-related regulations, standards, and frameworks providing
comprehensive and prescriptive coverage.
Because the HITRUST CSF is risk-based, organizations of varying risk profiles can customize the security and privacy
control baselines through a variety of factors, including organization type, size, systems, and regulatory requirements.
HITRUST CSF’s risk-based approach applies security and privacy resources commensurate with the level of risk, or as
required by applicable regulations and standards, by defining multiple levels of implementation requirements–which
increase in restrictiveness. Three to five levels of requirements are defined based on organizational, regulatory, or
system risk factors. Level 1 provides the minimum baseline control requirements; each subsequent level encompasses
the lower level and includes additional requirements, proportionate to increasing levels of risk. Note that an
organization does not choose which level to comply with; the applicable level is assigned automatically to each
requirement during the scoping process.
The HITRUST CSF is structured in close alignment to ISO 27001:2005 with the 11 control clauses (or categories);
however, the HITRUST CSF adds a control category to address implementation of an Information Security Management
Program, similar to that of the ISMS of ISO 27001:2005, and a 13th category to address risk management. HITRUST also
incorporated a 14th control category to address specific privacy practices. Overall, there are 156 security and
privacy-related control specifications, with associated implementation requirements; 21 of these specifically address
privacy practices.
Key Benefits of HITRUST
The HITRUST CSF incorporates a variety of commonly accepted security frameworks (such as ISO 27001 and NIST CSF)
and regulations (such as GDPR, PCI, HIPAA) to not only assist an organization in meeting regulatory obligations, but also
to help build and manage a robust cybersecurity framework. The HITRUST CSF is regularly updated and adapted to the
changing information security landscape and regulatory environment. Organizations with HITRUST CSF experience have
reduced audit fatigue, increased confidence from security and privacy practices, and the ability to communicate from a
common “dictionary” of control language. These and other factors have driven the adoption of the HITRUST CSF. See
which benefits listed below, and on the following pages, could help your organization.
Top 6 Benefits of Using a HITRUST Assessment
1. Reduced effort and increased reliance through confidence in mapping
2. Automation of risk management and maintenance of the assessment, results, and updates through HITRUST MyCSF software
3. New business opportunities
4. Industry adoption and widespread acceptance
5. Increased confidence with the security and privacy program
6. Assessment and audit efficiencies – Assess Once, Report Many
Confidence in Mapping
Organizations often struggle in maintaining various security and compliance regulations issued by multiple governing
bodies. HITRUST has mapped its framework to different authoritative sources to make the HITRUST CSF applicable to a
wide variety of organizations. HITRUST promises to keep its framework up to date and scale based on risk factors
applicable to all organizations. HITRUST works with ANSI, EHNAC, ISACA, AICPA, ISO, NIST, and PCI to ensure that its
standards mapping is reliable. HITRUST employs industry working groups to ensure usability.
With more than 44 regulatory references currently included in the framework, an organization in any industry will find that its
needs from a security or privacy framework have been included. Additionally, HITRUST can leverage its vast working
group and council entities to gain industry-wide agreement where specific control requirements are unavailable, such
as HIPAA, which is widely known to lack specificity in its implementation requirements for security or privacy.
HITRUST MyCSF
MyCSF is the software-as-a-service platform used to manage assessments. From the initial setup to the finalization and delivery of the report, here are some key benefits of using MyCSF as part of the overall effort of an assessment:
1. MyCSF allows organizations to tailor the program to an organization’s size or areas of specialization, while still providing an adequate level of protection. This means that the HITRUST CSF isn’t just for large or complex organizations. It can scale to meet the needs of any organization, regardless of industry, complexity, or size.
2. The framework manages access of both the organization and the External Assessor as well as creating assignments of controls to those closest to the control.
3. The framework leads the project manager through a series of questions and risk-based scaling factors such as the number of records managed, whether wireless is used in the environment, whether e-commerce takes place, and identification of any third parties having access to the environment. Within minutes, the risk-based assessment can be generated! These factors can be changed easily as business needs change.
4. IT, compliance, security and privacy professionals can build “net-change” profiles to communicate changes needed in their organizations based on strategic plan scenarios, new business territory changes, or other changes to the business.
5. Companies can leverage MyCSF to maintain corrective action plan results as well as to manage assessments on a go-forward basis.
6. MyCSF can inherit controls from other internal assessments and business partners (when those organizations allow access to their testing).
7. Advanced analytics and benchmarking allow an organization access to custom and analytic dashboards, benchmarks, and other information.
New Business Opportunities
Many organizations that achieve HITRUST certification also experience a rise in revenue, either from a new business relationship that required the certification or an increase in opportunities with a current partner where competitors were unable to achieve the certification.
With that in mind, it is easy to see why security and privacy practices are a common focus in beginning business relationships:
➢ $3.86M is the average cost of a data breach. (IBM Security, “Cost of a Data Breach Report 2020”)
➢ In a 2019 Verizon study, 69% of survey respondents would avoid a company that had suffered a data breach, and 29% of those surveyed would never visit that business again. (Verizon, “What Customer Experience Do Consumers Really Want?”)
➢ Companies experienced an average stock price decline of 5% immediately following the disclosure of their breach. (Ponemon Institute report, “The Impact of Data Breaches on Reputation & Share Value”)
Industry Adoption and Widespread Acceptance
Security and privacy are no longer restricted to just the financial or healthcare industries. All industries are experiencing the inherent risks of being linked to the internet. With expansion of the “walls” of the business to cloud locations – customer devices, employees’ homes or hotspots – and the ability to connect everything from anywhere, all organizations seek to enhance security practices and protect the privacy of their customers and business intelligence.
As HITRUST continues to increase report options and expand mappings of the HITRUST CSF framework to state-specific and international security and privacy laws, organizations – regardless of industry – want to utilize HITRUST’s framework to guide compliance efforts and convey to business partners and customers that a recognized system of IT security controls tailored to the organization’s risk profile is in place.
Invest in your security and privacy practices from the beginning, as they can pay off exponentially. Some insurance companies even provide discounts on their cyber-policies when HITRUST certification is achieved. If you are a relatively new organization, check into HITRUST’s RightStart Program, which is meant to help an organization avoid resource constraints associated with risk, compliance, security, and privacy practices during the start-up phases of business.
Regardless of industry, every organization has data that is important. As organizations increasingly expand their boundaries to working with cross-industry partners, move to the cloud, or allow more workers to work from anywhere, industry-wide adoption will continue to rise and expand to even more industries. As more organizations learn the benefits of using HITRUST, the adoption rate is likely to increase even more.
Banking & Finance
➢ HITRUST has mapped the FFIEC IT Information Security Booklet to its framework.
➢ Banking and financial industry vendors are showing participation.
➢ 75% of Fortune 20 companies participate (based on internal HITRUST subscription and download data).
Healthcare
➢ Healthcare organizations were earliest adopters of HITRUST CSF methodologies due to lack of HIPAA prescriptiveness.
➢ Healthcare organizations are key contributors to risk factor data based on flexibility and adaptability needs.
Entertainment & Travel
➢ Recent breaches have demonstrated the need to protect customer data.
➢ The 2020 pandemic has increased the need to protect health information of customers.
Cloud Providers
➢ Interaction with every industry allows organizations to leverage control testing and save cost in the audit chain.
➢ Large amounts of risk are averted through ongoing risk management.
➢ 8 of the 10 top cloud service providers are users of the HITRUST CSF.
Increased Confidence with the Security and Privacy Program
HITRUST has incorporated multiple features into the process to increase the confidence with the overall program,
reliability of the testing, and reporting process. Here are a few benefits:
➢ Testing is performed by an authorized External Assessor organization that has
been pre-certified by HITRUST.
➢ The External Assessor must abide by certain criteria such as maintaining at least
five Certified CSF Practitioners (CCSFPs) on staff.
➢ The External Assessor must maintain minimum training standards for its CCSFPs.
➢ Testing must be performed within 90 days so that all testing is completed timely,
and issues such as “remediating in place” are not incurred.
➢ Strict quality standards are defined for the External Assessor to follow during
testing, such as adhering to test sample criteria, testing to a defined base
standard of illustrative procedures, and review by a certified quality assurance
member of the External Assessor’s firm. These Certified HITRUST Quality
Professionals, known as CHQPs, must also maintain minimum ongoing education
requirements.
➢ HITRUST performs its quality assurance review of all External Assessor
validation testing submitted to HITRUST for an organization’s pursuit of HITRUST
certification.
➢ Standard reporting is produced by HITRUST, inclusive of a verbose scope
description, scoring, and corrective action plan results.
Additionally, we have seen organizations adopt the HITRUST CSF to ensure they have covered the controls for security
and privacy considered “best practice” for their industry.
Audit Once, Report Many
HITRUST has aligned its framework with multiple mappings and
risk-based implementation levels to provide a comprehensive set
of controls, per assessment, that can be tested, inclusive of all
authoritative source requirements.
This has many benefits to organizations experiencing “audit
fatigue,” including the ability to:
➢ Identify all controls necessary for the organization to meet the
entirety of its regulatory, standard, compliance, and privacy obligations.
➢ Define sample sets and test periods that cover these same requirements.
➢ Pre-plan with the assessor or audit organization to cover all testing procedures.
➢ Undergo testing during a single period, utilizing test materials and results as a basis for reporting for multiple
entities, formats, or needs.
➢ Obtain assurance reporting against the NIST Cybersecurity Framework and the AICPA Trust Services Criteria for security, confidentiality, and
availability, as well as other authoritative sources.
HITRUST and Supply Chain Benefits
Are you a third party to a business partner? Do you employ third parties as part of your overall business model? Chances
are, you may be both. Various industries and regulations refer to these relationships by different names such as covered
entity, business associate, controller, processor, third-party, etc.
Your organization probably outsources work, performs outsourced work, and takes advantage of expertise or cost
savings in your business or supply chain. You likely have a compliance officer and legal counsel who provide some
oversight to make sure you are meeting the baseline regulatory requirements and include these requirements in your
contract terms. Security requirements formerly glossed over in contracts are becoming enforced through formal terms
that require you to either provide some independent audit report or answer a questionnaire about your information
security practices. Poor security or privacy practices left unchecked can lead to a breach, with the penalty incurred
either financial or personal. The level of effort to assess each relationship can be resource-intensive and overwhelming
for everyone in the supply chain. This is where the HITRUST CSF framework provides multiple benefits, including:
➢ Consolidating requirements into a single period of testing, assessing once, and providing the resulting report to numerous business partners
➢ Reduced need to answer various questionnaires from multiple business partners
➢ Redirecting resources to securing the business and more value-added activities
➢ Increased business partner satisfaction using an industry-standard assessment and report format
➢ Utilization of an industry-standard set of expectations regarding security and privacy practices
A Note to Healthcare Organizations
Initially built for healthcare organizations (and business associates or service organizations working in the healthcare
industry), the HITRUST CSF provides a standardized guide for organizations to assess their information security risks,
take corrective action, document the process, and maintain best practices.
While originally built using ISO 27001, the framework initially included HIPAA as a built-in authoritative source. Now,
you will need to select “HIPAA” as a regulatory factor to continue to incorporate HIPAA-specific control requirements.
It’s important to note that, while no regulatory bodies require HITRUST certification, the U.S. Department of Health and
Human Services and the Office for Civil Rights consider mitigating factors, such as an organization’s use of a
certification process, like HITRUST, in the event of a security breach.
While there is no officially recognized HIPAA certification, HITRUST is mapped to the HIPAA security, privacy and breach
notification (if selected) rules and can assist an organization in HIPAA compliance. However, it is equally important to
note that HITRUST CSF Certification does not—in and of itself—guarantee HIPAA compliance.
CHAPTER 2: HOW TO GET STARTED WITH HITRUST
Preparing for the first assessment
Many organizations that adopt HITRUST begin their journey by learning as much as possible about the HITRUST
program, downloading the HITRUST CSF, and then obtaining access to the MyCSF software-as-a-service tool. An
essential early step is also preparing to communicate their compliance goal to various internal and external
stakeholders. Sometimes the goal is set by stakeholders predicated by new business relationships or promise of new
business. In other cases, the goal is to improve security or privacy practices. Whatever the reason, it is beneficial to
know the purpose and approximate timelines to meet it.
For organizations that are starting their first HITRUST CSF assessment journey, we suggest the following:
Purchase a MyCSF License
MyCSF is HITRUST’s SaaS tool used to verify compliance with the framework. In addition to creating many efficiencies
throughout the entire assessment process, MyCSF helps auditors and their clients manage the extensive HITRUST
assessment process and provides valuable analytics to track both compliance and assessment completion.
There are various subscription levels for MyCSF available through HITRUST. To learn more or to obtain a license, visit
the HITRUST website at https://hitrustalliance.net/mycsf/.
Determine the Assessment and Report Type Needed
Deciding which assessment type to pursue requires some self-analysis.
➢ Is your organization experienced with security and privacy audits?
➢ Have you obtained other security and privacy certifications?
➢ Are you confident that your organization has incorporated all controls necessary to
support authoritative sources to be included in the assessment?
Where answers to the above cannot be confidently answered, it is best to start with a self-assessment, or readiness
assessment, to identify and resolve any gaps. Additionally, it is our experience that even the most experienced
organization identifies gaps, so a self-assessment is a prudent first choice.
An essential component of the goal is identifying whether a report from HITRUST is needed. There are currently three
types of reports:
➢ Validated Assessment: An assessment performed by a HITRUST Approved External Assessor, with achievement of “certified” where minimum scores are achieved.
➢ Target Assessment: The targeted assessment is generated from the library of authoritative sources. Reporting is generated through scorecards. A proper subscription level is required to have access to a target assessment.
➢ Readiness Assessment: The outcome of an organization self-reporting their own assessment of the control requirements.
Helpful Tip: Reports are purchased separately from HITRUST, depending on your subscription level. A
report purchase is required at the time of the assessment. Give careful consideration to your expected
return on your investment in this purchase!
Establish and Narrow Your Scope
To create an assessment, the organization will identify the in-scope business units, locations, and systems, along with
several organizational, geographic, and regulatory factors. Based on that input (particularly, system and regulatory
factors), the MyCSF software will build a customized assessment.
Project Planning
At the outset of an assessment, the External Assessor must confirm the scope of the project, generate a test plan, and
have these steps reviewed by their internal quality assurance process. Once complete, the “testing” phase can
commence.
Identify Your Level of Readiness
Readiness Assessments are a prudent step in the process meant to identify any “gaps” and work out any issues. The
tests during readiness can identify scoping issues and hidden security flaws and allow time to resolve “long lead
time” issues. Typical “finds” at this stage are:
➢ Policies have not been approved 90 days prior to the assessment.
➢ Process documentation is missing.
➢ Independent security reviews have not been performed.
➢ A risk register has not been built.
➢ Business continuity plans have not been tested.
➢ Log files are not retained according to retention requirements or are overwritten due to space limitations.
Readiness Assessments are usually worth the investment to ensure the validated assessment goes off without a
hitch. Assessments must be completed within a 90-day test window and cannot be “remediated in place.” The extra
time spent can be great insurance. Remediation of “gaps” can take time depending on the type of issues identified
and the lead time needed to resolve the issue. A key component to issue resolution is the culture of the organization
and how the organization responds to these challenges.
Add time to your overall timeline if the organization has a significant vendor review process, requires an RFP
process, has a complex technical environment, or is known to resist change. You will also want to add time to your
project timeline if issues require an extended budget review process.
A self-assessment will be a requirement for any organization looking for a validated assessment using a third-party
assessor. However, some organizations that don’t already have a robust IT security program in place may be
overwhelmed due to the number of controls, and the amount of documentation required, to accurately provide
scoring against the framework.
HITRUST was designed to be customizable for an organization’s unique set of needs. That, too, can be a challenge for
internal teams that may not have the requisite knowledge to scope and score their internal assessment. We recommend
that organizations encourage a team member to obtain the HITRUST CCSFP Certification and leverage this credential to
become a HITRUST Authorized Internal Assessor. The individual should be part of a team that allows them to be
competent and objective (usually an audit or compliance group but not required if competence and objectivity
requirements are met). This certification can be further leveraged to lower your External Assessor costs.
Picking an External Assessor
HITRUST has a rigorous selection process for designating approved External
Assessors. External Assessors must demonstrate expertise in information security,
have sufficient resources to carry out assessments, document their assessment
processes and quality controls, and participate in initial HITRUST training and
continuing education. With so many professional service firms embracing the
HITRUST methodology, how do you choose from the many approved External
Assessors to lead you through the process or conduct your assessment? If you are at
this point, let’s explore some lessons learned about choosing your External Assessor
and some ideas about how to prepare for HITRUST CSF Certification during this
phase.
To start evaluating External Assessors, ask yourself the following questions:
How many assessments has the External Assessor performed, and what’s the quality?
Some External Assessors have performed countless assessments but may have burned out their staff, and that experience is no longer in-house. Others can count on one hand how many they have performed, but they did them well. Experience matters, but the quality of the work matters just as much.

What benefit will they bring to your organization?
Is HITRUST the only offering, or do they provide other services that will add value? Understanding the full scope of solutions will help you determine whether a true partnership is realistic.

Are they a CPA firm, a security firm, or a compliance organization?
Are your goals for the assessment to be more secure, to answer a business partner requirement, or to build discipline in your organization? Make sure you seek a partner that can help improve your business, consolidate assessment work, be efficient in their work, and not waste your time.

What are their credentials?
Everyone will tell you they have been doing this a long time, have the best External Assessors, and can get you across the finish line. But what do their references say? What positions do they hold, if any, on HITRUST councils? What evidence of External Assessor credentials can they give you? How many CCSFP or CHQP employees do they have (on their team, not contractors), and how long have they been there? Are their customers happy? Did they have trouble representing and supporting their work to HITRUST? Checking references on the front end will pay dividends in the long run.

What is the culture of the organization?
Do you like them? Do they return your phone calls promptly? Can you call them, or are you directed to a website to ask questions? Do they offer to adapt to your business needs? Do they seem to oversell their capabilities or services? Finding a culture and personality fit is a crucial part of choosing your External Assessor. After all, you will be working with them.

Common challenges
Scoping
Scoping an assessment is easily the biggest challenge organizations face when embarking on their HITRUST journey.
Several factors make this a complex hurdle:
➢ As the first step in the process, scoping the assessment requires the organization and its personnel to use new
HITRUST skills.
➢ The organization must know its network, applications, and users well enough to understand where any dividing or
segmenting can occur. This can be particularly challenging if not explored before scoping begins.
➢ Some organizations realize through the testing phases that their assumptions about segmentation or control
implementation may be wrong.
The implications of a poorly scoped environment can also present challenges:
➢ Effort expended impacts the timeline to HITRUST certification which may be
critical depending on any contractual requirements or agreements.
➢ Resources spent cannot be reused or recovered.
➢ Teams are frustrated with “wasting effort” or having to start over.
➢ Timeframe impacts the project service level agreements to perform the assessment with
boundaries set by HITRUST, causing the project to start over.
Companies also often struggle with regulatory factors. Here are some data points to collect when deciding which regulatory factors to incorporate into your scope:
1. Identify which regulatory factors apply to the business or scoped environment.
2. Identify any requirements by business partners that may be requiring a regulatory factor to be included in the HITRUST assessment.
3. Identify any business needs or requirements for the regulatory requirement.
4. Regulatory factors increase the effort associated with the compliance assessment.
The organization should evaluate its “needs” against those requirements that are “nice to haves” as well as the
resources they have available to demonstrate compliance. Many organizations find that this level of analysis is
beneficial to conduct during the scoping phase to define an achievable scope of work during their first assessment.
Organizations report that adding regulatory factors into later assessments are a way of phasing in the additional effort
that comes with demonstrating regulatory factor compliance.
HITRUST timeline and project flow
The timeline for HITRUST CSF Validation Assessments can vary depending on an
organization’s initial readiness level, and the amount of remediation
needed, to fully implement all the requirements in the assessment scope.
Most organizations will perform at least one self-assessment to gauge
their readiness for certification and, once an organization is comfortable
that they will meet the certification requirements, they will hire an External
Assessor to perform a validated assessment. These independent assessments can
take anywhere from 4-12 weeks on average, depending on the size and complexity of the
organization and the scoped environment, and it can take a minimum of 8 weeks for the validated
assessment to be processed and certification awarded by HITRUST. In general, it can take up to 3-6 months to
complete the assessment and obtain certification once an organization is ready.
HITRUST Certification vs. Validation
It can be a challenge to estimate the attainability of a HITRUST certification in the first assessment. The rigor of testing
combined with the burden of interviews and documentation required is usually a significant project for an organization,
and not achieving “certification” can be a disappointing experience at best. More importantly, it should be a budgeted
project expense.
Many organizations that undergo other types of assessments are sometimes overconfident without fully realizing the
intricacies of the HITRUST assessment. While some organizations do achieve HITRUST certification, it is our experience
that organizations benefit from a readiness assessment. Keep in mind that a minimum score of 61.99 must be attained
in all 19 domains of the HITRUST CSF Validated Assessment to achieve certification.
Implementation of Controls
HITRUST scoring of controls is another area where organizations struggle. HITRUST utilizes a scoring rubric that
combines elements defined within “illustrative procedures” associated with a control requirement’s expected
implementation. These illustrative procedures are broken down into individual elements, and each element must be
implemented in full. It is not “the spirit of the control” that is assessed, but the exact elements. This is one of the key
differences of the HITRUST exam.
A few more tips before you begin
Here are some other recommendations as you begin your HITRUST journey:
➢ Learn all you can by watching the HITRUST website videos, talking to their sales and support teams, and reading the
white papers. These resources will help you identify External Assessors that know their material.
➢ Leverage your relationships and ask about their experience with their HITRUST External Assessor. Those that are
certified would be happy to share their experience – good or bad.
➢ Conduct a gap assessment, but not just “a” gap assessment. Conduct a deliberate, framework or standard-based,
security-focused gap assessment. HITRUST will allow you to download their HITRUST CSF framework for free, and
External Assessor firms can assist you in this process as well.
➢ Define your “why.” You need a baseline statement for why HITRUST CSF Certification is necessary to focus your
effort. HITRUST is a dynamic program that can scale to many different business needs. At this time, there are 44+
authoritative sources (mostly laws and standards) upon which the HITRUST CSF is mapped. It is easy to lose sight of
the goal if it is not defined.
➢ Define your “when.” It is important to know what your critical milestones will be. Achieving HITRUST CSF
compliance is a reward on top of demonstrating good risk, compliance, security, and privacy principles as processes
ingrained in your organization. Having a defined plan to achieve that goal is imperative to communicate to your
External Assessor to determine the optimal time to test your organization. Define your timeline and whether it is
flexible.
➢ Carefully consider the scope of your assessment. With all the rigor involved with an assessment, defining its scope is
of critical importance. If you plan to share a certification report with third parties, consider the systems they care
about and ensure the scope of your assessment is relevant to those systems.
➢ Avoid the temptation (as nice as it sounds) to come out of the gate with an “enterprise” certification assessment,
unless it is necessary. Be sure to work with an External Assessor organization with experience working with
companies on a collaborative basis to get them over the HITRUST goal line.
CHAPTER 3: CONTINUING THE PATH TO HITRUST CERTIFICATION
Understanding HITRUST’s scoring methodology
Assessment is Not Pass/Fail
One common misconception about becoming HITRUST CSF Certified is that it is a binary, pass/fail endeavor. Rather,
each baseline statement is evaluated using a complex 5-level scoring rubric that equates to a percentage of compliance
in five maturity categories. Those categories are Policy, Procedure, Implemented, Measured, and Managed. Scores are
weighted and evaluated by the 19 domains in MyCSF to arrive at the overall domain scores.
Scores in all domains must rise above 61.99 to “pass” with corrective action plans.
HITRUST allows an organization to accept certain risks at the time of an initial assessment and work towards corrective
action plans, which is ideal for companies who want to begin adopting a robust security framework but are unlikely to
meet all the requirements in their first assessment.
HITRUST’s scoring methodology can be a little daunting for both the initiated and uninitiated alike. The exhibit on the
following page provides a minimum set of criteria (questions) used to assess the completeness and maturity level when
evaluating a requirement statement.
Once you have scoped your assessment and engaged your External Assessor to begin testing, you will begin providing
documentation to support the implementation of your control environment. You will also engage in interviews to explain
that material, as well as provide a supporting narrative as to the organization’s implementation of the controls. At this
point, the External Assessor will begin scoring your assessment to provide to HITRUST.
Scoring is a complex task which is best performed by a HITRUST CCSFP. Fifty percent of testing of an assessment
MUST be completed by a HITRUST CCSFP as well. Scoring is performed at the baseline security statement level for
each of the categories (Policy, Process, Implemented, Measured, Managed). The External Assessor will compare the
requirements for implementation (defined by the control requirement), ensure the proper illustrative procedure is
conducted, and apply the score as defined by the rubric.
[Figure: the five maturity categories: Policy, Process, Implemented, Measured, Managed]
Policies & Procedures
Testing requires that each policy element, defined by the requirement statement and illustrative procedure, is
implemented. A percentage of the policy requirements are documented and compared to the overall coverage. The
scores at this level are converted to an entry in MyCSF based on percentages as follows:

Score   Coverage
1       0-10% (non-compliant)
2       11-32% (somewhat compliant)
3       33-65% (partially compliant)
4       66-89% (mostly compliant)
5       90-100% (fully compliant)
Implementation
Implementation is scored on the same scale as policy and procedure, except that the degree of implementation is
first computed as the percentage of scope elements (number of systems, facilities, desktops, etc.) that satisfy the
policy elements defined to be implemented.
Measured & managed
The ultimate accomplishment of organizations seeking optimized security and privacy practices is to reach the Carnegie
Mellon Software Engineering Institute’s (CM-SEI’s) Capability Maturity Model Integration (CMMI) process improvement
model at levels four and five. These levels are termed “Measured” and “Managed.”
These levels build upon the first three levels of maturity for defining policies and ensuring stakeholders receive
communications. Procedures are defined that support the control environment, and those controls can be tested to
ensure operations occur as expected.
Level four, Measured, utilizes measurements to provide indisputable evidence that the control is in place and
operating over time. This level introduces the concept of “monitoring” within ranges of acceptable performance metrics,
through which issues can be identified and evaluated by management processes. It is the management action upon
those anomalies that allows the organization to reach level five, the “Managed” level of maturity.
HITRUST Scoring Example
Let’s explore a simplistic example related to anti-virus software implementation at an organization.
Level 1: At level 1, Policy, the organization would have defined policy for implementing anti-virus products to
limit the spread of viruses in software.
Level 2: At level 2, Process, the organization would define procedures for implementing the anti-virus product and
any updates required for the software.
Level 3: At level 3, Implemented, the organization would perform tests to ensure the anti-virus product identifies
viruses in the environment and reports those viruses to a help desk function.
Level 4: At level 4, Measured, the organization would have defined metrics to define update periods (every 12 hours),
and maybe define some elements of acceptable ranges of performance for the metric. HITRUST has special rules about
how measurements are defined before they qualify as a “measure” or “metric.” To learn more about the definitions and
guidance on measurement concepts, download the HITRUST CSF Control Maturity Scoring Rubric [1] or the HITRUST
whitepaper, Evaluating Control Maturity.
Level 5: At level 5, Managed, should an organization miss an update to the latest signature files, a report would be
produced identifying the situation, and management would be responsible for reviewing that report and resolving the
endpoint update issue.
[1]: https://hitrustalliance.net/content/uploads/HITRUST-CSF-Control-Maturity-Scoring-Rubrics.pdf
Forrester Consulting has shown organizations that implement a CMM-based maturity model and have the highest level
of maturity—even when limited to identity and access management—incur roughly “half the number of breaches as
the least mature ... [and save] 40% in technology costs and an average of $5 million in breach costs.” (Forrester
Consulting, “Stop the Breach: Reduce the Likelihood of an Attack Through an IAM Maturity Model”)
Weighting of Scores
HITRUST assessments are scored based on the PRISMA Maturity Model and take into consideration certain weights for
each of the five (5) maturity levels when performing this scoring. Effective December 31, 2019, HITRUST updated
individual weights for each of the PRISMA maturity levels.
[Chart: weighting of the five maturity levels Policy, Process, Implemented, Measured, Managed; values as extracted:
15%, 25%, 40%, 10%, 15%]
One key to understanding (or not misunderstanding) scoring is that the 1-5 scale listed above does not correlate to the
PRISMA score. PRISMA scores are derived from the computed percentages using a weighted average.
The weighting for the maturity levels is shown in the chart above.
As a practical matter, the weighting that HITRUST has
placed on the first three maturity categories means
your most rapid path to certification is achieving high
scores for Policy, Process, and Implemented. However, do
not lose sight of the additional maturity levels of Measured and
Managed. These levels will have added benefits if your organization is able to demonstrate these capabilities.
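To make the arithmetic in this section concrete, here is an added worked example (not LBMC’s, HITRUST’s or MyCSF’s code) that ties together the Policies & Procedures rubric table, the implementation coverage rule, the weighted PRISMA-style score and the 61.99 per-domain minimum, and also applies the 79 aggregate threshold mentioned later for the Ongoing Certification program. Assumed rather than taken from the page: the input layout, the constructed sample requirements, the corrective action plan trigger (any maturity level scoring at rubric level 3 or below), and the weights, which are copied from the chart as extracted and should be checked against the current HITRUST rubric; because the extracted values do not sum to exactly 100, the score divides by their total.

```python
"""Worked HITRUST-style maturity scoring (added example; not LBMC's or HITRUST's code).

Assumed, not on the page: input layout, sample data, the CAP trigger level, and that a
requirement's PRISMA score is the weight-normalised average of its five coverage percentages.
"""
from statistics import mean

MATURITY_LEVELS = ("Policy", "Process", "Implemented", "Measured", "Managed")

# Rubric bands from the guide's table, as (upper bound %, level, label). The lookup walks
# them in order, so a fractional coverage such as 10.5% lands in band 2 rather than in a
# gap between the integer bands.
RUBRIC_BANDS = (
    (10, 1, "non-compliant"),
    (32, 2, "somewhat compliant"),
    (65, 3, "partially compliant"),
    (89, 4, "mostly compliant"),
    (100, 5, "fully compliant"),
)

# Weights as they appear in the chart on this page (an assumption here: verify against the
# current HITRUST rubric). They do not sum to exactly 100, so weighted_score() divides by
# their total instead of assuming 100.
DEFAULT_WEIGHTS = {"Policy": 15, "Process": 25, "Implemented": 40, "Measured": 10, "Managed": 15}

CERTIFICATION_MIN = 61.99  # minimum score in every domain, per the guide
ONGOING_CERT_MIN = 79.0    # aggregated score the guide cites for the Ongoing Certification program
CAP_LEVEL = 3              # assumed: a maturity level at this rubric level or below needs a CAP


def rubric_level(coverage_pct):
    """Convert a coverage percentage into its (level, label) entry for MyCSF."""
    if not 0 <= coverage_pct <= 100:
        raise ValueError(f"coverage must be within 0..100, got {coverage_pct}")
    for upper, level, label in RUBRIC_BANDS:
        if coverage_pct <= upper:
            return level, label
    raise AssertionError("unreachable: 100 is covered by the last band")


def implementation_coverage(per_element):
    """Coverage % for the Implemented level.

    per_element holds one (scope_items_compliant, scope_items_total) pair per policy
    element: implementation is measured across scope elements (systems, facilities,
    desktops) for each element the policy says must be implemented.
    """
    if not per_element:
        return 0.0
    ratios = [ok / total if total else 0.0 for ok, total in per_element]
    return 100.0 * sum(ratios) / len(ratios)


def weighted_score(requirement, weights=DEFAULT_WEIGHTS):
    """Score for one requirement statement: weighted average of its five coverages."""
    total_weight = sum(weights[level] for level in MATURITY_LEVELS)
    return sum(weights[level] * requirement[level] for level in MATURITY_LEVELS) / total_weight


def domain_score(requirements, weights=DEFAULT_WEIGHTS):
    """Domain score: mean of the requirement scores within that domain."""
    return mean(weighted_score(r, weights) for r in requirements)


def evaluate(domains, weights=DEFAULT_WEIGHTS):
    """Score every domain and apply the guide's certification thresholds."""
    results = {}
    for name, requirements in domains.items():
        score = round(domain_score(requirements, weights), 2)
        results[name] = {
            "score": score,
            "meets_minimum": score >= CERTIFICATION_MIN,
            # requirement ids with any maturity level at or below CAP_LEVEL (assumed trigger)
            "cap_needed": sorted({r["id"] for r in requirements for lvl in MATURITY_LEVELS
                                  if rubric_level(r[lvl])[0] <= CAP_LEVEL}),
            # the guide warns that repeated 0 scores are viewed unfavourably
            "zero_scores": sum(1 for r in requirements for lvl in MATURITY_LEVELS if r[lvl] == 0),
        }
    aggregate = round(mean(d["score"] for d in results.values()), 2)
    certifiable = all(d["meets_minimum"] for d in results.values())
    overall = {"aggregate": aggregate, "certifiable": certifiable,
               "ongoing_cert_candidate": certifiable and aggregate >= ONGOING_CERT_MIN}
    return results, overall


# Constructed sample: two domains, three requirement statements. EP-1 follows the
# anti-virus example above (policy and procedures in place, 80% of endpoints reporting,
# an update metric defined, but no management action on missed updates yet).
SAMPLE_DOMAINS = {
    "Endpoint Protection": [
        {"id": "EP-1 anti-virus on workstations", "Policy": 100, "Process": 90,
         "Implemented": implementation_coverage([(40, 50), (20, 25)]),  # 80.0
         "Measured": 50, "Managed": 0},
        {"id": "EP-2 anti-virus on servers", "Policy": 100, "Process": 100,
         "Implemented": 40, "Measured": 0, "Managed": 0},
    ],
    "Access Control": [
        {"id": "AC-1 user registration", "Policy": 50, "Process": 30,
         "Implemented": 30, "Measured": 0, "Managed": 0},
    ],
}

if __name__ == "__main__":
    per_domain, summary = evaluate(SAMPLE_DOMAINS)
    for name, d in per_domain.items():
        print(f"{name:20s} score={d['score']:6.2f} meets_min={d['meets_minimum']} "
              f"zero_scores={d['zero_scores']} cap_needed={d['cap_needed']}")
    print(summary)
```

Running it shows the point the text makes about the weights: Endpoint Protection clears 61.99 on the strength of its Policy, Process and Implemented coverage even with Managed at zero, while Access Control, weak in those three levels, fails the domain minimum and therefore blocks certification for the whole assessment.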
Quality Assurance
In 2019, HITRUST made several changes to improve the overall quality of assessments. Requirements were instilled to
ensure that trained resources were leading and performing assessment testing. Additionally, requirements were
adopted that defined minimum quality standards that are overseen by HITRUST trained and qualified quality assurance
professionals. These changes have increased the reliability of results in the HITRUST ecosystem as well as fueled the
overall adoption. At the current time, HITRUST requires the following of your External Assessor:
➢ A CCSFP must perform 50% of all hours spent on implementation testing.
➢ Engagement Executive, Quality Reviewer, and Engagement Lead roles must be named.
➢ The Quality Reviewer must not take part in the assessment testing.
➢ The Engagement Executive, Quality Reviewer, and Engagement Lead must all be CCSFPs.
➢ The Engagement Executive and Quality Reviewer must attend specialized training and complete an exam to become
a Certified HITRUST Quality Professional (CHQP).
➢ The HITRUST Authorized External Assessor Organization must always maintain (2) CHQPs and (5) CCSFPs to stay in
compliance with HITRUST requirements.
In 2019, HITRUST also updated their requirements for the definition of scope, requiring a “verbose” definition, better
description of systems, and full testing of all applications in the environment. The scope must clearly identify the
assessment boundaries. These definitions are reviewed, as required, by the External Assessor Organization Engagement
Executive as part of the overall quality assurance process.
As mentioned in chapter two, organizations can also benefit from having an Authorized Internal Assessor. While
Internal Assessors are not required by HITRUST, they are highly recommended. An Internal Assessor can facilitate the
HITRUST CSF Assessment process by performing in-house testing in advance of an External Assessor’s validated
assessment fieldwork. Testing performed by Authorized Internal Assessors meeting HITRUST’s requirements can – at
the discretion of their External Assessor – be relied upon by External Assessors for the HITRUST validated assessment
effort in lieu of the External Assessor’s direct testing.
At the completion of the assessment, the HITRUST Authorized External Assessor Organization must provide HITRUST
with the following documentation related to the assessment:
➢ 100% of all work papers
➢ HITRUST Authorized External Assessor Quality Checklist signed by the Engagement Executive and External Assessor
QA Resource
➢ Test plan, fully filled out, demonstrating documented test procedures and results
Things to Expect During a Validated Assessment
Here are some things to expect during a validated assessment:
➢ Even with a facilitated self-assessment or readiness assessment, the organization will need to complete the self-
assessment portion in MyCSF, self-identified score, and attach any evidentiary documentation (e.g. policies,
procedures, reports).
➢ Testing requires the Assessor to identify correct inventories of systems, applications, users, wireless
implementation components, and other bodies of evidence. Once the number of items to test is identified and
calculated, sampling techniques are determined.
➢ Assessors gather and examine documentation (e.g., policies, procedures, employee training records, logs,
vulnerability assessment reports, and risk assessment reports).
➢ An Assessor examines configuration settings, physical surroundings, processes, and other observable information
protection practices.
➢ Assessors conduct interviews with business unit stakeholders, where applicable.
➢ Assessors perform system tests to validate the implementation of controls, as needed.
➢ Organizations update the External Assessor portion of the MyCSF assessment instance with the appropriate scoring
information and assessment documents.
➢ The External Assessor organization performs a quality assurance review, as required by HITRUST.
➢ The organization’s Representation Letter is completed.
➢ The External Assessor will submit the assessment to HITRUST for their quality assurance review and approval for
either HITRUST validation or certification.
➢ The organization and External Assessor will answer any questions from HITRUST.
➢ The organization will complete any corrective action plans.
➢ HITRUST delivers the report approximately eight weeks after
If you are being assessed for the first time, be aware of consultants who claim they can “get you certified” in a few
weeks. It’s just not possible. The extensive amount of work that goes into sample testing, scoring, and quality
assurance processes is time consuming in and of itself. Then, HITRUST’s review period after submission for adjudication
can take 6-8 weeks (but not guaranteed) before report issuance.
Corrective Action Plans & Reporting
What happens if you have some areas with gaps? Don’t expect HITRUST to look favorably upon repeated instances of 0
scores in any category. If you can receive the required minimum score of 61.99% across each domain’s control
requirements, you can still achieve certification with corrective action plans. These corrective action plans will require
definition on your part, as well as continued progress toward their resolution. Some acceptance of risk is allowed in
some cases.
Corrective action plans are evaluated at the Interim Assessment. Once your
assessment is complete, you can expect your report within about 6-8 weeks.
Reports are provided by HITRUST after the External Assessor’s testing results have been
qualified to meet their rigorous expectations.
Contents of the report include:
➢ HITRUST background
➢ Letter of Certification, if achieved
➢ Representation Letter
➢ Assessment context (factors and
other information used to set up
your assessment scope)
➢ Scope of assessment
➢ Security program analysis
➢ Assessment results
➢ Overall program summary
➢ Breakdown of control areas (scoring)
➢ Test summary
➢ Corrective action plans
➢ Questionnaire results
➢ NIST cybersecurity scorecard
HITRUST Project Flow & Timeline
The chart above depicts a generalized timeline we see most often associated with “the journey to becoming HITRUST
Certified.” Once certification is complete, it lasts for two years, with a less intense assessment occurring at the end of
the first year, called the Interim Assessment.
Important Pending Changes to Consider
Based on HITRUST’s analysis of assessment data collected over 10 years, HITRUST has concluded that when an
organization’s controls within scope of a HITRUST CSF Assessment are operated at or above an aggregated HITRUST
CSF maturity score of 79, there is a very high likelihood these controls will continue to operate in a similar manner going
forward. And organizations that have mature information security continuous monitoring (ISCM) programs in place can
also help ensure that any deficiencies that may arise in their protection programs are quickly identified and addressed.
These organizations may qualify for the HITRUST CSF Ongoing Certification (OC) Program, which will allow them to
reduce the frequency of full, time-based recertification assessments.
Organizations that qualify for the ISCM-based HITRUST CSF Ongoing Certification (OC) program (generally a score of 79
or higher) conduct recertification assessments less frequently, in general, as according to criteria yet to be defined by
the HITRUST ISCM Working Group. The timeframe for this new concept is yet to be determined but it is worth noting so
that organizations can begin preparing for these changes as part of their overall ISCM plans. Building out your
organization’s strategy for these advanced levels of maturity can save time, money, and provide focus on the highest
risk control points.
Maintaining the Certification
Once an organization achieves the coveted achievement of HITRUST Certification, there is a celebration that usually
takes place. After all, it is a milestone to be recognized! New business may be on the horizon; there is a feeling of
confidence in the security and program, and likely even personal goals achieved by team members. Once you are rested
and rejuvenated, review the following list and set some reminders:
➢ Monitor your corrective action plan commitments that were defined to improve a control’s effectiveness. It is best to
track these as risk areas in a risk register, as well as projects in the organization’s project tracking processes.
➢ Sign up to attend HITRUST’s annual conference, HITRUST Collaborate.
➢ Schedule updates to your policies and procedures, conduct your risk assessments, schedule a review of access rights,
and schedule incident and business continuity testing.
➢ Mark your calendar for the “Interim Assessment.” It will occur nine to 11 months after your certification date.
➢ Sign up for webinars and review whitepapers produced by HITRUST; these may provide helpful information on
upcoming changes.
➢ Continue to monitor the HITRUST website for new releases, updates to any HITRUST processes and requirement
changes. Sign up for e-mail alerts from HITRUST.
➢ Monitor for changes to the assessment scope and alert your External Assessor (e.g., new office, new application,
merger/acquisitions).
CHAPTER 4: OPTIMIZING HITRUST
Combining Assessments: SOC 2 and HITRUST, ISO 27001
Combining assessments is an efficient way to assess once and report many. When embarking on a combined audit
approach, it’s important to understand that the HITRUST CSF security and privacy framework was initially built on ISO
27001. Over time, the HITRUST CSF has evolved to include a significant number of standards, regulations, and business
requirements, and is broken down into 14 high-level control categories, 49 control objectives, and 156 control
specifications.
The AICPA SOC 2 Trust Services Criteria is a reporting framework assessed against one or more of five categories:
security, availability, confidentiality, processing integrity, and privacy. HITRUST maintains a mapping between
the AICPA TSC and the HITRUST CSF to identify how they align. Understanding that SOC reports are based on a
framework of reporting, and HITRUST CSF is based on a security and privacy control framework, the decision-maker can
navigate toward selecting a report and control framework for their organization.
The bottom line is that the decision between SOC 2 and
HITRUST is driven by contract requirements. So why not do
them together rather than separately?
What Are Your Options for Consolidated Assessments?
1. SOC 2 Report: A report issued by a CPA firm expressing an opinion on the fairness of the presentation of
management’s description of controls and the suitability of the design of controls (type 1) or the fairness of
presentation of management’s description of controls and the suitability of design and operating effectiveness of
controls (type 2) relevant to security, availability, confidentiality, processing integrity, and/or privacy.
2. HITRUST CSF Validated Assessment Report: A certified or validated report issued by HITRUST based on the work of
an independent HITRUST Authorized External Assessor.
3. SOC 2 + HITRUST CSF: A report issued by a CPA firm expressing an opinion on the fairness of the presentation of
management’s description of controls and the suitability of design and operating effectiveness of controls relevant to
the security, availability, and confidentiality trust services criteria, as well as the HITRUST CSF. If the CPA firm is not
also an External Assessor, they must license the HITRUST CSF framework for use. The HITRUST CSF control work is not
submitted to HITRUST, and a separate HITRUST CSF report is not generated. The organization does not receive an
opinion from HITRUST regarding validation or certification status. Because the report doesn’t contain HITRUST
certification but does contain a CPA firm’s opinion, consumers should be aware of the possibility that scope and
assessment procedures may not exactly align with what would occur during a HITRUST assessment. However, the CPA
firm is attesting that the controls, including those identified from the HITRUST framework, were appropriately designed
and operating effectively. Additionally, the work is subject to AICPA standards, as any SOC report is required to be.
4. SOC 2 + HITRUST CSF + CSF Certification: Organizations that have engaged a CPA firm to express a SOC 2 + HITRUST
CSF opinion and have achieved HITRUST CSF Certification can obtain one combined report. Essentially, the report will
include the details described above in option 3, and additionally include the HITRUST CSF Validated Assessment Report
with Certification.
How do you Know Which Option to Use?
The key to knowing what report to use is knowing what your customer wants and what your organization requires from
its audit process.
Customer contracts, timing, and scope needs can answer the question of which
assessment is needed. The organization’s decision should be made with full
management support. If your organization is lucky enough to only need a segment
of your network or a single application tested, the scope of that project may lend
well to a HITRUST assessment.
Organizations that desire both SOC 2 reporting and HITRUST CSF Certification can realize significant time efficiencies
and cost savings with the joint assessment, which leverages the synergies between the HITRUST CSF and AICPA TSC.
Finally, if your organization is adding the HITRUST assessment onto a long list of compliance and audit types, an
External Assessor partner who can consolidate that work efficiently can be paramount to all other decisions.
HITRUST Learning Opportunities
HITRUST offers programs to address common security and privacy challenges. No matter where you’re located, you can
learn and connect with others through best-in-class events, conferences, and virtual and live training courses.
HITRUST Community Extension Program (CEP)
The CEP promotes education and collaboration for organizations adopting HITRUST
programs. These town hall events are held across the U.S. and coordinated by HITRUST,
hosted by organizations within the community, and facilitated by External Assessors. The
CEP provides a way for the community to access HITRUST management and executives to
discuss education around shared challenges and thought leadership. To view a calendar of
upcoming CEP events, visit the HITRUST website at
https://hitrustalliance.net/community-extension-program/
HITRUST Annual Conference
HITRUST holds an annual conference for privacy, security, and compliance professionals.
The event includes keynotes, panels, and training sessions, highlighting best practices for
safeguarding sensitive information and preventing data breaches. Over the past few years, the three-
day conference has hosted more than 40,000 attendees attending
more than 40 sessions. To learn more about the annual
conference, visit the HITRUST website at
https://hitrustalliance.net/hitrust-annual-conference/
HITRUST Academy HITRUST offers training courses designed to educate security professionals about
information protection and the utilization of the HITRUST CSF to manage risk. These courses
prepare security professionals for assessing against the evolving compliance landscape
shaped by HITECH, HIPAA, CMS, and various other federal, state, and business
requirements. For more information or to enroll in a live or virtual course, visit
https://hitrustalliance.net/hitrust-academy/
FAQs & Common Misconceptions
Why choose the HITRUST CSF over other frameworks? (NIST, ISO, etc.)
The HITRUST CSF integrates and harmonizes data protection requirements from many
authoritative sources–such as ISO, NIST, PCI, HIPAA–and tailors the requirements to
an organization based on specific organizational, system, and regulatory risk factors.
The level of integration and prescription provided by the framework, along with the
quality and rigor of the HITRUST CSF Assurance Program and supporting HITRUST
products and services, makes the HITRUST CSF the easy choice for organizations in all
sectors.
Can you be certified to HIPAA?
Unfortunately, no. The HIPAA Security Rule’s numerous standards and implementation
specifications for administrative, technical and physical safeguards, despite what the
terms imply, lack the prescription necessary for actual implementation by a healthcare
organization. The HITRUST CSF is mapped to HIPAA Security, Privacy, and Breach
Notification Rules which will provide reasonable assurance that your organization is
satisfying the rule’s requirements. However, “certification” to HIPAA is not implied
through HITRUST readiness, validation, or certification achievement. There is an ability
to produce a targeted assessment against any authoritative source, but this will not
result in a HITRUST CSF Assessment Report.
If I am not a healthcare entity, can I still be HITRUST certified?
Absolutely! HITRUST, in collaboration with privacy, information security and risk
management leaders from the public and private sectors, develops, maintains, and
provides broad access to its widely adopted common risk and compliance
management framework. It now includes 44+ mapped authoritative sources which
have strong adoption rates across a broad spectrum of industries including
manufacturing, banking, airline/entertainment, and telecommunications. Indeed, if
you fall into any of these industries, you likely are hearing about HITRUST as a way
to communicate your organization’s security and privacy practices using the
HITRUST CSF.
We’re a start-up and have a small budget. How can we afford HITRUST?
In 2018, HITRUST introduced the RightStart Program, designed for start-up
businesses with a productive service line (or close to it) that are less than three
years old, have fewer than 50 full-time employees, and generate less than $10
million per year in revenue. The program incorporates the HITRUST CSF, the MyCSF
platform, HITRUST Academy, and the HITRUST CSF Assurance Methodology to help
organizations implement strong cybersecurity practices as a foundational part of
their businesses. If you meet the criteria, this could be an effective way to
incorporate HITRUST into your business processes early on.
A popular misconception is that HITRUST came about as a result of failed OCR HIPAA audits; is this true?
The OCR HIPAA audits did not begin until 2011. HITRUST was founded in 2007. LBMC
has remained a steadfast supporter of the HITRUST CSF since February 2010.
35LBMC HITRUST Guide LBMCsecurity.com
CHAPTER 4: OPTIMIZING HITRUST
Question Answer
Can an organization certify
to NIST Cybersecurity
Framework?
The NIST Cybersecurity Framework Scorecard is included in HITRUST CSF Validated
Reports. It is not one of the regulations you select to include in your assessment; it is
already included in the assessment. While a “NIST Cybersecurity Framework
Certification” does not exist, the scorecard is HITRUST’s certification of your
organization’s compliance with the NIST Cybersecurity Framework.
Question: Is the HITRUST program a true Assess Once, Report Many audit program?
Answer: Yes. Experienced audit firms have developed processes to enable their staff to combine the criteria for multiple audit needs and apply those savings to your organization through increased efficiency, decreased audit fatigue, and higher quality, consistency and reliability of results. If you hear an audit firm dissuade you from this approach, they may not have the staff, skill or tools to execute properly. HITRUST has absolutely designed their framework and methodology to allow for an “audit once, report many” platform and strongly encourages External Assessors to combine assessments where possible.
Question: Is the HITRUST CSF framework designed to allow me to become ISO 27001 certified?
Answer: LBMC Information Security supports the use of the HITRUST CSF within ISO 27001 certifications, if applicable. As with any assessment, be sure to do your homework on your service provider’s skills and knowledge performing any assessment or readiness exam. There are many benefits that can be derived from combining security and/or privacy assessment testing when multiple reporting options are needed. When combining assessments, the intent and specific requirements of the certification must be considered – beginning at the planning stage of the project.
ISO 27001 FAQ
Here are a couple of points to consider from HITRUST’s FAQ on the subject, if you are seeking a firm that can support
you in your pursuit of multiple certifications:
The focus of an ISO 27001 certification is on the information security management system (ISMS), which includes an evaluation of the information security risk assessment and treatment processes. However, “organizations can design controls as required, or identify them from any source” (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, they “are not exhaustive and additional control objectives and controls may be needed” (Ibid., § 6.1.3.c, p. 4). And although the ISO assessor must produce a “Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A” (Ibid., § 6.1.3.d, p. 4), it doesn’t extend beyond what’s required in Annex A. Consequently, organizations have wide latitude in the controls they specify to address the risks they identify at a level suitable to their risk appetite. ISO certification assessors also have some latitude in how they assess the effectiveness of the controls, and there is no quality control of the assessments other than a general requirement that consultants who help organizations prepare for ISO certification do not perform the certification assessment.
The HITRUST CSF provides a baseline of comprehensive, prescriptive control requirements tailored to specific organizational, system and regulatory risk factors. Detailed testing procedures prescribed by these baseline requirements focus on the maturity of this control baseline’s implementation using a specific, rigorous assessment approach and scoring model to gauge the level of excessive residual risk to ePHI in the organization. Like ISO, the testing must be performed by an approved assessor, referred to by HITRUST as an Authorized External Assessor Organization. Quality assurance is provided by HITRUST.
Definitions
Automated Controls: Controls that have been programmed, configured, and/or embedded within a system.
CHQP: Certified HITRUST Quality Professional
CCSFP: Certified CSF Practitioner
External Assessor: An individual performing a validated assessment as part of a HITRUST Authorized External Assessor Organization.
HITRUST: HITRUST is a privately held company located in Frisco, Texas, United States that, in collaboration with healthcare, technology and information security organizations, established the HITRUST CSF.
HITRUST Authorized External Assessor Organization: Designation granted to organizations approved by HITRUST to perform validated assessment engagements for clients seeking a HITRUST CSF Validated Assessment or a HITRUST CSF Validated Assessment with Certification. HITRUST Authorized External Assessor Organizations may also assist clients with the adoption of the HITRUST CSF framework, implementation and remediation efforts following adoption. HITRUST Authorized External Assessor Organizations employ CCSFPs to perform assessment testing.
HITRUST CSF Certified: Designation received by an organization following a completed HITRUST CSF Validated Assessment with at least the minimum required score.
Independent: With respect to an Assessor or measure, one that is not influenced by the person or entity that is responsible for the requirement/control being evaluated or measured.
Internal Assessor: Personnel who facilitate the HITRUST CSF Assessment process by performing in-house testing in advance of an External Assessor’s validated assessment fieldwork.
ISO 27001: Specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization’s information risk management processes.
MyCSF: A SaaS-based information risk management platform developed by HITRUST to assess and report risk and compliance information concerning privacy and security.
NIST: NIST is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards.
NIST 800-53: NIST SP 800-53 is shorthand for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-53 is a set of standards and guidelines to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA).
Operational: With respect to a measure or metric, one that is produced by, or otherwise influenced by, the person or entity responsible for the requirement/control being tracked by the measure or metric.
Policy: Overall intention and direction as formally expressed by management, most often articulated in documents that record high-level principles or courses of action; the intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives, and strategic plans established by the enterprise’s management teams.
Procedure: A detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes.
Risk Treatment: Selecting and implementing mechanisms to modify risk. Risk treatment options can include avoiding, optimizing, transferring, or retaining (accepting) risk.
Undocumented: Not supported by written proof.
About HITRUST
Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk for global organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security, and risk management leaders from the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management frameworks and related assessment and assurance methodologies.
HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance. The HITRUST approach gives organizations a comprehensive information risk management and compliance program: an integrated approach that ensures all programs are aligned, maintained and comprehensive enough to support an organization’s information risk management and compliance objectives.
About LBMC Information Security
HITRUST Services
As one of a select group of Authorized HITRUST External Assessors, LBMC Information Security participates in many of the working groups sponsored by HITRUST. Known for our work throughout the industry, LBMC personnel have assisted HITRUST with integration efforts for various standards such as GDPR, Centers for Medicare and Medicaid Services, and NIST. Team members are also active in HITRUST forums and regularly provide positive contributions to the HITRUST community. Based on our deep security and compliance expertise, we are exceptionally well-qualified to assist organizations with HITRUST Certification and to assist companies in the implementation of the HITRUST CSF. As one of the longest-serving External Assessors in the industry, since 2010, we have many stories to tell where HITRUST has benefited organizations in multiple dimensions.
Why Choose LBMC Information Security?
10+ years’ experience in performing validated assessment engagements for clients seeking a HITRUST CSF Validated Assessment or a HITRUST CSF Validated Assessment with Certification.
Hundreds of assessments performed for clients in various industries. We offer SOC 2 + HITRUST, Readiness, and Validation Services – all while maintaining HITRUST’s separation of duty requirements.
One of the largest HITRUST teams in the ecosystem. CCSFP team members bring experience with helping many organizations achieve HITRUST certification.
Our HITRUST service line leaders are members of the Assessor Council, the Quality Subcommittee, and numerous other committees and workgroups that contribute to the HITRUST program. Their leadership within HITRUST benefits our clients every day.
Knoxville
2095 Lakeside Centre Way, Suite 220
Knoxville, TN 37922
865.691.9000
Chattanooga
605 Chestnut Street, Suite 1100
Chattanooga, TN 37450
423.756.6585
Nashville
201 Franklin Road, PO Box 1869
Brentwood, TN 37024-1869
615.377.4600
Ready to discuss your HITRUST Assessment Needs?
Contact us for a free consultation at LBMCsecurity.com