
HITRUST MADE SIMPLE®

An Explanation of HITRUST, Its Benefits, & How to Get Started

CONTENTS

Introduction
    A guide for your HITRUST journey
    How to use this guide

Chapter 1: What is HITRUST? (page 3)
    About HITRUST
    Key benefits of HITRUST
    HITRUST and supply chain benefits
    A note to healthcare organizations

Chapter 2: How to get started with HITRUST (page 12)
    Preparing for the first assessment
    Picking a HITRUST Authorized External Assessor
    Common challenges
    HITRUST timeline and project flow
    A few more tips before you begin

Chapter 3: Continuing the path to HITRUST validation (page 21)
    Understanding HITRUST’s scoring methodology
    Measured & managed
    Maintaining the certification

Chapter 4: Optimizing HITRUST (page 30)
    Combining assessments – SOC 2 and HITRUST, ISO 27001
    HITRUST learning opportunities
    FAQs & common misconceptions
    Definitions
    About HITRUST
    About LBMC Information Security

LBMC HITRUST Guide | LBMCsecurity.com

INTRODUCTION

A Guide For Your HITRUST Journey

Every organization has sensitive data it must protect. Whether that is trademark information, customer lists, health information, employee data, or data required by a contract to be secured, it is no longer acceptable to leave data or the systems that house it in an unprotected state. Once a competitive advantage, security functions are now commonplace, and compliance with a standard methodology is expected.

Organizations can begin the HITRUST CSF implementation journey at various points in their information security and privacy path. Whether you are a start-up company just beginning to think about information security or a more established company with defined information security and risk management programs, the journey to HITRUST certification will be a commendation recognizing your organization’s cybersecurity, privacy, and risk maturity.

Every organization can achieve the coveted HITRUST CSF Certification, but it will take a little patience, a lot of executive support, and, sometimes, a helping hand. This guide will help you identify where you are on the path, fill in the gaps, and provide insight into the benefits of achieving HITRUST CSF Certification.

How To Use This Guide

This guide was designed so that you can either read it start to finish or dig into the specific topics that are most applicable to your organization. The guide will enhance your understanding of HITRUST, the HITRUST CSF, and how to use it as part of your information security risk management program. It clarifies the certification process, allowing you to take your HITRUST CSF Certification to the next level and optimize your HITRUST experience.

As you progress in your project, revisit this guide for tips and tricks to make things easier, stay in the “cost-efficient zone,” and make your efforts appear effortless! Most think of “HITRUST-ing” as a marathon, not a sprint. We also like to think of it as a team sport where good security is everyone’s responsibility.

CHAPTER 1: WHAT IS HITRUST?

About HITRUST

HITRUST is a:

➢ Organization
➢ Certification body of assessments and assessors
➢ Collaborative community dedicated to improving security and privacy practices in all industries

HITRUST Organization

HITRUST, in collaboration with leaders from the private sector, government, technology, and information privacy and security spaces, established the HITRUST CSF, a certifiable framework that can be used by any organization that creates, accesses, stores, or exchanges sensitive information.

HITRUST Origins

In 2007, representatives of the healthcare industry came together to form HITRUST with the goal of ensuring that information security would be a pillar of the industry. Fast-forward to modern-day HITRUST, and we find a board of directors composed of representatives from multiple industries, multiple councils and working groups with focused improvement mandates, and a rich user base able to submit and vote on compliance tool updates. Building on the initial information security goals, the framework now boasts privacy controls, alignment with AICPA SOC 2 reporting, and an increasing number of regulatory mappings that span industries and nations.

Even with growth and change, the principle that controls are evaluated based on maturity scoring remains the same. There are multiple reporting options, but it remains true that organizations become HITRUST CSF Certified as part of a completed HITRUST CSF Validated Assessment with at least the minimum required score.

The HITRUST CSF Risk Management Framework

The HITRUST CSF harmonizes multiple frameworks, security standards, state, federal and international regulations, and leading practices into a single framework. The HITRUST CSF’s core structure is based on ISO/IEC 27001:2005 and 27002:2005, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and incorporates more than 40 other security and privacy-related regulations, standards, and frameworks, providing comprehensive and prescriptive coverage.

Because the HITRUST CSF is risk-based, organizations of varying risk profiles can customize the security and privacy control baselines through a variety of factors, including organization type, size, systems, and regulatory requirements. The HITRUST CSF’s risk-based approach applies security and privacy resources commensurate with the level of risk, or as required by applicable regulations and standards, by defining multiple levels of implementation requirements which increase in restrictiveness. Three to five levels of requirements are defined based on organizational, regulatory, or system risk factors. Level 1 provides the minimum baseline control requirements; each subsequent level encompasses the lower level and includes additional requirements, proportionate to increasing levels of risk. Note that an organization does not pick which level to comply with; the applicable level is assigned to each requirement automatically during the scoping process.

The HITRUST CSF is structured in close alignment with ISO 27001:2005 and its 11 control clauses (or categories); however, the HITRUST CSF adds a control category to address implementation of an Information Security Management Program, similar to the ISMS of ISO 27001:2005, and a 13th category to address risk management. HITRUST also incorporated a 14th control category to address specific privacy practices. Overall, there are 156 security and privacy-related control specifications, with associated implementation requirements; 21 of these specifically address privacy practices.

Key Benefits of HITRUST

The HITRUST CSF incorporates a variety of commonly accepted security frameworks (such as ISO 27001 and NIST CSF) and regulations (such as GDPR, PCI, HIPAA) to not only assist an organization in meeting regulatory obligations, but also to help build and manage a robust cybersecurity framework. The HITRUST CSF is regularly updated and adapted to the changing information security landscape and regulatory environment. Organizations with HITRUST CSF experience have reduced audit fatigue, increased confidence from security and privacy practices, and the ability to communicate from a common “dictionary” of control language. These and other factors have driven the adoption of the HITRUST CSF. See which of the benefits listed below, and on the following pages, could help your organization.

Top 6 Benefits of Using a HITRUST Assessment

1. Reduced effort and increased reliance through confidence in mapping
2. Automation of risk management and maintenance of the assessment, results, and updates through HITRUST MyCSF software
3. New business opportunities
4. Industry adoption and widespread acceptance
5. Increased confidence with the security and privacy program
6. Assessment and audit efficiencies – Assess Once, Report Many

Confidence in Mapping

Organizations often struggle to maintain compliance with the various security and compliance regulations issued by multiple governing bodies. HITRUST has mapped its framework to different authoritative sources to make the HITRUST CSF applicable to a wide variety of organizations. HITRUST promises to keep its framework up to date and to scale it based on risk factors applicable to all organizations. HITRUST works with ANSI, EHNAC, ISACA, AICPA, ISO, NIST, and PCI to ensure that its standards mapping is reliable. HITRUST employs industry working groups to ensure usability.

With more than 44 regulatory references currently included in the framework, an organization in any industry will find that its needs from a security or privacy framework have been included. Additionally, HITRUST can leverage its vast working group and council entities to gain industry-wide agreement where specific control requirements are unavailable, such as for HIPAA, which is widely known to lack specificity in its implementation requirements for security or privacy.

HITRUST MyCSF

MyCSF is the software-as-a-service platform used to manage assessments. From the initial setup to the finalization and delivery of the report, here are some key benefits of using MyCSF as part of the overall effort of an assessment:

1. MyCSF allows organizations to tailor the program to an organization’s size or areas of specialization, while still providing an adequate level of protection. This means that the HITRUST CSF isn’t just for large or complex organizations. It can scale to meet the needs of any organization, regardless of industry, complexity, or size.
2. The platform manages access for both the organization and the External Assessor and supports assigning controls to those closest to each control.
3. The platform leads the project manager through a series of questions and risk-based scaling factors, such as the number of records managed, whether wireless is used in the environment, whether e-commerce takes place, and identification of any third parties having access to the environment. Within minutes, the risk-based assessment can be generated! These factors can be changed easily as business needs change.
4. IT, compliance, security and privacy professionals can build “net-change” profiles to communicate changes needed in their organizations based on strategic plan scenarios, new business territory changes, or other changes to the business.
5. Companies can leverage MyCSF to maintain corrective action plan results as well as to manage assessments on a go-forward basis.
6. MyCSF can inherit controls from other internal assessments and business partners (when those organizations allow access to their testing).
7. Advanced analytics and benchmarking give an organization access to custom and analytic dashboards, benchmarks, and other information.

New Business Opportunities

Many organizations that achieve HITRUST certification also experience a rise in revenue, either from a new business relationship that required the certification or from an increase in opportunities with a current partner where competitors were unable to achieve the certification.

That said, it is easy to see why security and privacy practices are a common focus in beginning business relationships:

➢ $3.86M is the average cost of a data breach. (IBM Security, “Cost of a Data Breach Report 2020”)
➢ In a 2019 Verizon study, 69% of survey respondents would avoid a company that had suffered a data breach, and 29% of those surveyed would never visit that business again. (Verizon, “What Customer Experience Do Consumers Really Want?”)
➢ Companies experienced an average stock price decline of 5% immediately following the disclosure of their breach. (Ponemon Institute report, “The Impact of Data Breaches on Reputation & Share Value”)

Invest in your security and privacy practices from the beginning, as they can pay off exponentially. Some insurance companies even provide discounts on their cyber-policies when HITRUST certification is achieved.

If you are a relatively new organization, check into HITRUST’s RightStart Program, which is meant to help an organization avoid resource constraints associated with risk, compliance, security, and privacy practices during the start-up phases of business.

Industry Adoption and Widespread Acceptance

Security and privacy are no longer restricted to just the financial or healthcare industries. All industries are experiencing the inherent risks of being connected to the internet. With the expansion of the “walls” of the business to cloud locations – customer devices, employees’ homes or hotspots – and the ability to connect everything from anywhere, all organizations seek to enhance security practices and protect the privacy of their customers and business intelligence.

As HITRUST continues to increase report options and expand mappings of the HITRUST CSF framework to state-specific and international security and privacy laws, organizations – regardless of industry – want to utilize HITRUST’s framework to guide compliance efforts and convey to business partners and customers that a recognized system of IT security controls tailored to the organization’s risk profile is in place.

Regardless of industry, every organization has data that is important. As organizations increasingly expand their boundaries to working with cross-industry partners, move to the cloud, or allow more workers to work from anywhere, industry-wide adoption will continue to rise and expand to even more industries. As more organizations learn the benefits of using HITRUST, the adoption rate is likely to increase even more.

Banking & Finance
➢ HITRUST has mapped the FFIEC IT Information Security Booklet to its framework.
➢ Banking and financial industry vendors are showing participation.
➢ 75% of Fortune 20 companies participate (based on internal HITRUST subscription and download data).

Healthcare
➢ Healthcare organizations were the earliest adopters of HITRUST CSF methodologies due to the lack of prescriptiveness in HIPAA.
➢ Healthcare organizations are key contributors to risk factor data based on their flexibility and adaptability needs.

Entertainment & Travel
➢ Recent breaches have demonstrated the need to protect customer data.
➢ The 2020 pandemic has increased the need to protect the health information of customers.

Cloud Providers
➢ Interaction with every industry allows organizations to leverage control testing and save cost in the audit chain.
➢ Large amounts of risk are averted through ongoing risk management.
➢ 8 of the top 10 cloud service providers are users of the HITRUST CSF.

Increased Confidence with the Security and Privacy Program

HITRUST has incorporated multiple features into the process to increase confidence in the overall program, the reliability of the testing, and the reporting process. Here are a few benefits:

➢ Testing is performed by an authorized External Assessor organization that has been pre-certified by HITRUST.
➢ The External Assessor must abide by certain criteria, such as maintaining at least five Certified CSF Practitioners (CCSFPs) on staff.
➢ The External Assessor must maintain minimum training standards for its CCSFPs.
➢ Testing must be performed within 90 days so that all testing is completed in a timely manner and issues such as “remediating in place” do not arise.
➢ Strict quality standards are defined for the External Assessor to follow during testing, such as adhering to test sample criteria, testing to a defined base standard of illustrative procedures, and review by a certified quality assurance member of the External Assessor’s firm. These Certified HITRUST Quality Professionals, known as CHQPs, must also maintain minimum ongoing education requirements.
➢ HITRUST performs its own quality assurance review of all External Assessor validation testing submitted to HITRUST for an organization’s pursuit of HITRUST certification.
➢ Standard reporting is produced by HITRUST, inclusive of a verbose scope description, scoring, and corrective action plan results.

Additionally, we have seen organizations adopt the HITRUST CSF to ensure they have covered the controls for security and privacy considered “best practice” for their industry.

Audit Once, Report Many

HITRUST has aligned its framework with multiple mappings and risk-based implementation levels to provide a comprehensive set of controls, per assessment, that can be tested, inclusive of all authoritative source requirements.

This has many benefits to organizations experiencing “audit fatigue,” including the ability to:

➢ Identify all controls necessary for the organization to meet the entirety of its regulatory, standard, compliance, and privacy obligations.
➢ Define sample sets and test periods that cover these same requirements.
➢ Pre-plan with the assessor or audit organization to cover all testing procedures.
➢ Undergo testing during a single period, utilizing test materials and results as a basis for reporting for multiple entities, formats, or needs.
➢ Provide assurance against the NIST Cybersecurity Framework and the AICPA Trust Services Criteria for security, confidentiality, and availability, as well as other authoritative sources.

HITRUST and Supply Chain Benefits

Are you a third party to a business partner? Do you employ third parties as part of your overall business model? Chances are, you may be both. Various industries and regulations refer to these relationships by different names, such as covered entity, business associate, controller, processor, third party, etc.

Your organization probably outsources work, performs outsourced work, and takes advantage of expertise or cost savings in your business or supply chain. You likely have a compliance officer and legal counsel who provide some oversight to make sure you are meeting the baseline regulatory requirements and include these requirements in your contract terms. Security requirements formerly glossed over in contracts are becoming enforced through formal terms that require you to either provide an independent audit report or answer a questionnaire about your information security practices. Poor security or privacy practices left unchecked can lead to a breach, with penalties that may be financial or personal. The level of effort to assess each relationship can be resource-intensive and overwhelming for everyone in the supply chain. This is where the HITRUST CSF framework provides multiple benefits, including:

➢ Consolidating requirements into a single period of testing, assessing once, and providing the resulting report to numerous business partners
➢ Reduced need to answer various questionnaires from multiple business partners
➢ Redirecting resources to securing the business and more value-added activities
➢ Increased business partner satisfaction using an industry-standard assessment and report format
➢ Utilization of an industry-standard set of expectations regarding security and privacy practices

A Note to Healthcare Organizations

Initially built for healthcare organizations—and business associates or service organizations working in the healthcare industry—the HITRUST CSF provides a standardized guide for organizations to assess their information security risks, take corrective action, document the process, and maintain best practices.

While originally built using ISO 27001, the framework initially included HIPAA as a built-in authoritative source. Now, you will need to select “HIPAA” as a regulatory factor to continue to incorporate HIPAA-specific control requirements.

It’s important to note that, while no regulatory bodies require HITRUST certification, the U.S. Department of Health and Human Services and the Office for Civil Rights do consider mitigating factors, such as an organization’s use of a certification process like HITRUST, in the event of a security breach.

While there is no officially recognized HIPAA certification, HITRUST is mapped to the HIPAA security, privacy and breach notification (if selected) rules and can assist an organization in HIPAA compliance. However, it is equally important to note that HITRUST CSF Certification does not—in and of itself—guarantee HIPAA compliance.

CHAPTER 2: HOW TO GET STARTED WITH HITRUST

Preparing for the first assessment

Many organizations that adopt HITRUST begin their journey by learning as much as possible about the HITRUST program, downloading the HITRUST CSF, and then obtaining access to the MyCSF software-as-a-service tool. An essential early step is also preparing to communicate the compliance goal to various internal and external stakeholders. Sometimes the goal is set by stakeholders and predicated on new business relationships or the promise of new business. In other cases, the goal is to improve security or privacy practices. Whatever the reason, it is beneficial to know the purpose and the approximate timeline to meet it.

For organizations that are starting their first HITRUST CSF assessment journey, we suggest the following:

Purchase a MyCSF License

MyCSF is HITRUST’s SaaS tool used to verify compliance with the framework. In addition to creating many efficiencies throughout the entire assessment process, MyCSF helps auditors and their clients manage the extensive HITRUST assessment process and provides valuable analytics to track both compliance and assessment completion.

There are various subscription levels for MyCSF available through HITRUST. To learn more or to obtain a license, visit the HITRUST website at https://hitrustalliance.net/mycsf/.

Determine the Assessment and Report Type Needed

Deciding which assessment type to pursue requires some self-analysis.

➢ Is your organization experienced with security and privacy audits?
➢ Have you obtained other security and privacy certifications?
➢ Are you confident that your organization has incorporated all controls necessary to support the authoritative sources to be included in the assessment?

Where the questions above cannot be answered confidently, it is best to start with a self-assessment, or readiness assessment, to identify and resolve any gaps. Additionally, it is our experience that even the most experienced organization identifies gaps, so a self-assessment is a prudent first choice.

An essential component of the goal is identifying whether a report from HITRUST is needed. There are currently three types of reports:

Validated Assessment: An assessment performed by a HITRUST Approved External Assessor, with “certified” status achieved where minimum scores are met.

Target Assessment: The targeted assessment is generated from the library of authoritative sources. Reporting is generated through scorecards. A proper subscription level is required to have access to a target assessment.

Readiness Assessment: The outcome of an organization self-reporting its own assessment of the control requirements.

Helpful Tip: Reports are purchased separately from HITRUST, depending on your subscription level. A report purchase is required at the time of the assessment. Give careful consideration to your expected return on your investment in this purchase!

Establish and Narrow Your Scope

To create an assessment, the organization will identify the in-scope business units, locations, and systems, along with several organizational, geographic, and regulatory factors. Based on that input (particularly the system and regulatory factors), the MyCSF software will build a customized assessment.

Project Planning

At the outset of an assessment, the External Assessor must confirm the scope of the project, generate a test plan, and have these steps reviewed by their internal quality assurance process. Once complete, the “testing” phase can commence.

Identify Your Level of Readiness

Readiness Assessments are a prudent step in the process, meant to identify any “gaps” and work out any issues. The tests during readiness can identify scoping issues and hidden security flaws and allow time to resolve “long lead time” issues. Typical “finds” at this stage are:

➢ Policies have not been approved 90 days prior to the assessment.
➢ Process documentation is missing.
➢ Independent security reviews have not been performed.
➢ A risk register has not been built.
➢ Business continuity plans have not been tested.
➢ Log files are not retained according to retention requirements or are overwritten due to space limitations.

Readiness Assessments are usually worth the investment to ensure the validated assessment goes off without a hitch. Assessments must be completed within a 90-day test window and cannot be “remediated in place.” The extra time spent can be great insurance. Remediation of “gaps” can take time depending on the type of issues identified and the lead time needed to resolve each issue. A key component of issue resolution is the culture of the organization and how the organization responds to these challenges.

Add time to your overall timeline if the organization has a significant vendor review process, requires an RFP process, has a complex technical environment, or is known to resist change. You will also want to add time to your project timeline if issues require an extended budget review process.

A self-assessment will be a requirement for any organization looking for a validated assessment using a third-party assessor. However, some organizations that don’t already have a robust IT security program in place may be overwhelmed by the number of controls, and the amount of documentation required, to accurately provide scoring against the framework.

HITRUST was designed to be customizable for an organization’s unique set of needs. That, too, can be a challenge for internal teams that may not have the requisite knowledge to scope and score their internal assessment. We recommend that organizations encourage a team member to obtain the HITRUST CCSFP Certification and leverage this credential to become a HITRUST Authorized Internal Assessor. The individual should be part of a team that allows them to be competent and objective (usually an audit or compliance group, but this is not required if competence and objectivity requirements are met). This certification can be further leveraged to lower your External Assessor costs.

Picking an External Assessor

HITRUST has a rigorous selection process for designating approved External Assessors. External Assessors must demonstrate expertise in information security, have sufficient resources to carry out assessments, document their assessment processes and quality controls, and participate in initial HITRUST training and continuing education. With so many professional service firms embracing the HITRUST methodology, how do you choose from the many approved External Assessors to lead you through the process or conduct your assessment? If you are at this point, let’s explore some lessons learned about choosing your External Assessor and some ideas about how to prepare for HITRUST CSF Certification during this phase.

To start evaluating External Assessors, ask yourself the following questions:

How many assessments has the External Assessor performed, and what’s the quality?
Some External Assessors have performed countless assessments but may have burned out their staff, and that experience is no longer in-house. Others can count on one hand how many they have performed, but they did them well. Experience matters, but the quality of the work matters just as much.

What benefit will they bring to your organization?
Is HITRUST the only offering, or do they provide other services that will add value? Understanding the full scope of solutions will help you determine whether a true partnership is realistic.

Are they a CPA firm, a security firm, or a compliance organization?
Are your goals for the assessment to be more secure, to answer a business partner requirement, or to build discipline in your organization? Make sure you seek a partner that can help improve your business, consolidate assessment work, be efficient in their work, and not waste your time.

What are their credentials?
Everyone will tell you they have been doing this a long time, have the best External Assessors, and can get you across the finish line. But what do their references say? What positions do they hold, if any, on HITRUST councils? What evidence of External Assessor credentials can they give you? How many CCSFP or CHQP employees do they have (on their team, not contractors), and how long have they been there? Are their customers happy? Did they have trouble representing and supporting their work to HITRUST? Checking references on the front end will pay dividends in the long run.

What is the culture of the organization?
Do you like them? Do they return your phone calls promptly? Can you call them, or are you directed to a website to ask questions? Do they offer to adapt to your business needs? Do they seem to oversell their capabilities or services? Finding a culture and personality fit is a crucial part of choosing your External Assessor. After all, you will be working with them.

Common challenges

Scoping

Scoping an assessment is easily the biggest challenge organizations face when embarking on their HITRUST journey. Several factors make this a complex hurdle:

➢ As the first step in the process, scoping the assessment requires the organization and its personnel to use new HITRUST skills.

➢ The organization must know its network, applications, and users well enough to understand where any dividing or segmenting can occur. This can be particularly challenging if not explored before scoping begins.

➢ Some organizations realize through the testing phases that their assumptions about segmentation or control implementation may be wrong.

The implications of a poorly scoped environment can also present challenges:

➢ Effort expended impacts the timeline to HITRUST certification, which may be critical depending on any contractual requirements or agreements.

➢ Resources spent cannot be reused or recovered.

➢ Teams are frustrated with “wasting effort” or having to start over.

➢ The timeframe impacts the project service level agreements for performing the assessment within the boundaries set by HITRUST, causing the project to start over.

Companies also often struggle with regulatory factors. Here are some data points to collect when deciding which regulatory factors to incorporate into your scope:

1. Identify which regulatory factors apply to the business or scoped environment.

2. Identify any requirements by business partners that may require a regulatory factor to be included in the HITRUST assessment.

3. Identify any business needs or requirements for the regulatory requirement.

4. Regulatory factors increase the effort associated with the compliance assessment.

The organization should evaluate its “needs” against those requirements that are “nice to haves,” as well as the resources it has available to demonstrate compliance. Many organizations find that this level of analysis is beneficial to conduct during the scoping phase to define an achievable scope of work for their first assessment. Organizations report that adding regulatory factors into later assessments is a way of phasing in the additional effort that comes with demonstrating regulatory factor compliance.

HITRUST timeline and project flow

The timeline for HITRUST CSF Validated Assessments can vary depending on an organization’s initial readiness level and the amount of remediation needed to fully implement all the requirements in the assessment scope. Most organizations will perform at least one self-assessment to gauge their readiness for certification and, once an organization is comfortable that it will meet the certification requirements, it will hire an External Assessor to perform a validated assessment. These independent assessments can take anywhere from 4-12 weeks on average, depending on the size and complexity of the organization and the scoped environment, and it can take a minimum of 8 weeks for the validated assessment to be processed and certification awarded by HITRUST. In general, it can take up to 3-6 months to complete the assessment and obtain certification once an organization is ready.

HITRUST Certification vs. Validation

It can be a challenge to estimate the attainability of a HITRUST certification in the first assessment. The rigor of testing, combined with the burden of interviews and documentation required, is usually a significant project for an organization, and not achieving “certification” can be a disappointing experience at best. More importantly, it should be a budgeted project expense.

Many organizations that undergo other types of assessments are sometimes overconfident without fully realizing the intricacies of the HITRUST assessment. While some organizations do achieve HITRUST certification, it is our experience that organizations benefit from a readiness assessment. Keep in mind that a minimum score of 61.99 must be attained in all 19 domains of the HITRUST CSF Validated Assessment to achieve certification.

Implementation of Controls

HITRUST scoring of controls is another area where organizations struggle. HITRUST utilizes a scoring rubric that combines elements defined within “illustrative procedures” associated with a control requirement’s expected implementation. These illustrative procedures are further broken down and implemented to the fullest degree. It is not “the spirit of the control” that is assessed, but rather the exact elements. This is one of the key differences of the HITRUST exam.

A few more tips before you begin

Here are some other recommendations as you begin your HITRUST journey:

➢ Learn all you can by watching the HITRUST website videos, talking to their sales and support teams, and reading the white papers. These resources will help you identify External Assessors that know their material.

➢ Leverage your relationships and ask about their experience with their HITRUST External Assessor. Those that are certified would be happy to share their experience – good or bad.

➢ Conduct a gap assessment, but not just “a” gap assessment. Conduct a deliberate, framework- or standard-based, security-focused gap assessment. HITRUST will allow you to download their HITRUST CSF framework for free, and External Assessor firms can assist you in this process as well.

➢ Define your “why.” You need a baseline statement for why HITRUST CSF Certification is necessary to focus your effort. HITRUST is a dynamic program that can scale to many different business needs. At this time, there are 44+ authoritative sources (mostly laws and standards) to which the HITRUST CSF is mapped. It is easy to lose sight of the goal if it is not defined.

➢ Define your “when.” It is important to know what your critical milestones will be. Achieving HITRUST CSF compliance is a reward on top of demonstrating good risk, compliance, security, and privacy principles as processes ingrained in your organization. Having a defined plan to achieve that goal is imperative to communicate to your External Assessor to determine the optimal time to test your organization. Define your timeline and whether it is flexible.

➢ Carefully consider the scope of your assessment. With all the rigor involved in an assessment, defining its scope is of critical importance. If you plan to share a certification report with third parties, consider the systems they care about and ensure the scope of your assessment is relevant to those systems.

➢ Avoid the temptation (as nice as it sounds) to come out of the gate with an “enterprise” certification assessment, unless it is necessary. Be sure to work with an External Assessor organization with experience working with companies on a collaborative basis to get them over the HITRUST goal line.

CHAPTER 3: CONTINUING THE PATH TO HITRUST CERTIFICATION

Understanding HITRUST’s scoring methodology

Assessment is Not Pass/Fail

One common misconception about becoming HITRUST CSF Certified is that it is a binary, pass/fail endeavor. Rather, each baseline statement is evaluated using a complex 5-level scoring rubric that equates to a percentage of compliance in five maturity categories. Those categories are Policy, Procedure, Implemented, Measured, and Managed. Scores are weighted and evaluated by the 19 domains in MyCSF to arrive at the overall domain scores. Scores in all domains must rise above 61.99 to “pass” with corrective action plans.

HITRUST allows an organization to accept certain risks at the time of an initial assessment and work towards corrective action plans, which is ideal for companies who want to begin adopting a robust security framework but are unlikely to meet all the requirements in their first assessment.

HITRUST’s scoring methodology can be a little daunting for the initiated and uninitiated alike. The exhibit on the following page provides a minimum set of criteria (questions) used to assess the completeness and maturity level when evaluating a requirement statement.

Once you have scoped your assessment and engaged your External Assessor to begin testing, you will begin providing documentation to support the implementation of your control environment. You will also engage in interviews to explain that material, as well as provide a supporting narrative as to the organization’s implementation of the controls. At this point, the External Assessor will begin scoring your assessment to provide to HITRUST.

Scoring is a complex task which is best performed by a HITRUST CCSFP. Fifty percent of the testing of an assessment MUST be completed by a HITRUST CCSFP as well. Scoring is performed at the baseline security statement level for each of the categories (Policy, Process, Implemented, Measured, Managed). The External Assessor will compare the requirements for implementation (defined by the control requirement), ensure the proper illustrative procedure is conducted, and apply the score as defined by the rubric.

[Exhibit: the five maturity categories – Policy, Process, Implemented, Measured, Managed]

Policies & Procedures

Testing requires that each policy element, defined by the requirement statement and illustrative procedure, is implemented. The percentage of the policy requirements that are documented is compared to the overall coverage. The scores at this level are converted for entry into MyCSF based on percentages as follows:

Level 1: 0-10% (non-compliant)

Level 2: 11-32% (somewhat compliant)

Level 3: 33-65% (partially compliant)

Level 4: 66-89% (mostly compliant)

Level 5: 90-100% (fully compliant)

Implementation

Implementation scores the same as policy and procedure, although the degree of implementation first considers the percentage of scope elements (number of systems, facilities, desktops, etc.) as compared to the number of policy elements defined to be implemented.

Measured & managed

The ultimate accomplishment of organizations seeking optimized security and privacy practices is to reach levels four and five of the Carnegie Mellon Software Engineering Institute’s (CM-SEI’s) Capability Maturity Model Integrated (CMMI) process improvement model. These levels are termed “Measured” and “Managed.”

These levels build upon the first three levels of maturity for defining policies and ensuring stakeholders receive communications. Procedures are defined that support the control environment, and those controls can be tested to ensure operations occur as expected.

Level four, Measurement, utilizes measurements to provide indisputable evidence that the control is in place and operating over time. This level introduces the concept of “monitoring” within ranges of acceptable performance metrics, through which issues can be identified and evaluated by management processes. It is the management action upon those anomalies that allows the organization to reach level five, the “Managed” level of maturity.

HITRUST Scoring Example

Let’s explore a simplistic example related to anti-virus software implementation at an organization.

Level 1: At level 1, Policy, the organization would have a defined policy for implementing anti-virus products to limit the spread of viruses in software.

Level 2: At level 2, Process, the organization would define procedures for implementing the anti-virus product and any updates required for the software.

Level 3: At level 3, Implemented, the organization would perform tests to ensure the anti-virus product identifies viruses in the environment and reports those viruses to a help desk function.

Level 4: At level 4, Measured, the organization would have defined metrics to define update periods (every 12 hours), and maybe define some elements of acceptable ranges of performance for the metric. HITRUST has special rules about how measurements are defined before they qualify as a “measure” or “metric.” To learn more about the definitions and guidance on measurement concepts, download the HITRUST CSF Control Maturity Scoring Rubric [1] or the HITRUST whitepaper, Evaluating Control Maturity.

Level 5: At level 5, Managed, should an organization miss an update to the latest signature files, a report would be produced identifying the situation, and management would be responsible for reviewing that report and resolving the endpoints’ update issue.

[1]: https://hitrustalliance.net/content/uploads/HITRUST-CSF-Control-Maturity-Scoring-Rubrics.pdf
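To make the Measured and Managed levels of the anti-virus example concrete, here is an added Python sketch that is not from the guide and is not a HITRUST-defined metric: it takes constructed endpoint signature-update records, measures them against the 12-hour update period from the example, compares the result with an assumed acceptable-range floor of 95%, and produces the exception report that level 5 expects management to review and resolve. The endpoint names, timestamps and the 95% floor are all assumptions.

```python
"""Constructed Measured/Managed illustration for the guide's anti-virus example.

Not HITRUST's or LBMC's code. The endpoint records, the 12-hour update period
(taken from the guide's level-4 example) and the 95% acceptable-range floor are
assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UPDATE_PERIOD = timedelta(hours=12)   # metric definition from the level-4 example
ACCEPTABLE_CURRENT_PCT = 95.0         # assumed lower bound of the acceptable range


@dataclass(frozen=True)
class Endpoint:
    name: str
    last_signature_update: datetime  # when the endpoint last pulled signatures
    signature_version: str


def measure_signature_currency(endpoints: list[Endpoint], now: datetime) -> dict:
    """Level 4 (Measured): compute the metric and whether it is within range.

    Returns the percentage of endpoints updated within UPDATE_PERIOD, the names
    of stale endpoints (oldest first), and whether the metric meets the floor.
    """
    if not endpoints:
        raise ValueError("no endpoints in scope")
    stale = [e for e in endpoints if now - e.last_signature_update > UPDATE_PERIOD]
    current_pct = 100.0 * (len(endpoints) - len(stale)) / len(endpoints)
    return {
        "measured_at": now.isoformat(),
        "in_scope": len(endpoints),
        "stale": [e.name for e in sorted(stale, key=lambda e: e.last_signature_update)],
        "current_pct": round(current_pct, 1),
        "within_range": current_pct >= ACCEPTABLE_CURRENT_PCT,
    }


def management_report(measurement: dict) -> list[str]:
    """Level 5 (Managed): the exception report management reviews and resolves.

    One header line followed by one action line per stale endpoint; an empty
    list means the metric is in range and nothing needs management action.
    """
    if measurement["within_range"] and not measurement["stale"]:
        return []
    lines = [
        f"Signature currency {measurement['current_pct']}% "
        f"(floor {ACCEPTABLE_CURRENT_PCT}%) at {measurement['measured_at']}"
    ]
    lines.extend(f"ACTION: update signatures on {name}" for name in measurement["stale"])
    return lines


# Constructed sample data: five endpoints, two of them past the 12-hour period.
NOW = datetime(2020, 3, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS = [
    Endpoint("ws-001", NOW - timedelta(hours=2), "2020.03.02.01"),
    Endpoint("ws-002", NOW - timedelta(hours=11, minutes=59), "2020.03.01.07"),
    Endpoint("ws-003", NOW - timedelta(hours=30), "2020.03.01.01"),
    Endpoint("srv-db1", NOW - timedelta(hours=1), "2020.03.02.01"),
    Endpoint("lap-017", NOW - timedelta(days=4), "2020.02.27.01"),
]

if __name__ == "__main__":
    measurement = measure_signature_currency(SAMPLE_ENDPOINTS, NOW)
    print(measurement)
    for line in management_report(measurement):
        print(line)
```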

Forrester Consulting has shown that organizations that implement a CMM-based maturity model and have the highest level of maturity—even when limited to identity and access management—incur roughly “half the number of breaches as the least mature ... [and save] 40% in technology costs and an average of $5 million in breach costs.” (Forrester Consulting, “Stop the Breach: Reduce the Likelihood of an Attack Through an IAM Maturity Model”)

Weighting of Scores

HITRUST assessments are scored based on the PRISMA Maturity Model and take into consideration certain weights for each of the five (5) maturity levels when performing this scoring. Effective December 31, 2019, HITRUST updated the individual weights for each of the PRISMA maturity levels.

One key to understanding (or not misunderstanding) scoring is that the 1-5 scale listed above does not correlate to the PRISMA score. PRISMA scores are derived from the computed percentages using a weighted average. The weighting for the maturity levels is as follows:

[Exhibit: pie chart of maturity-level weights. Figures as extracted: 15%, 25%, 40%, 10%, 15%; legend: Policy, Process, Implemented, Measured, Managed]

As a practical matter, the weighting that HITRUST has placed on the first three maturity categories means your most rapid path to certification is achieving high scores for Policy, Process, and Implemented. However, do not lose sight of the additional maturity levels of Measured and Managed. These levels will have added benefits if your organization is able to demonstrate these capabilities.
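As an added illustration that is not part of the LBMC guide and not a HITRUST tool, the following Python script applies the 1-5 rubric bands from the Policies & Procedures table and the weights from the exhibit above to constructed requirement-level percentages, then checks the 61.99 domain minimum. Three assumptions are made: the five weight figures map to Policy, Process, Implemented, Measured and Managed in the order the exhibit lists them; the weighted average divides by the sum of the weights rather than assuming they total 100; and a domain score is the plain average of its requirement scores (the guide does not state how MyCSF aggregates within a domain).

```python
"""Constructed HITRUST scoring illustration (not HITRUST's or LBMC's code).

Applies the 1-5 rubric bands and the maturity-level weights quoted in the
guide to per-requirement compliance percentages, then checks whether every
domain clears the 61.99 certification minimum.
"""
from __future__ import annotations

import math

MATURITY_LEVELS = ("Policy", "Process", "Implemented", "Measured", "Managed")

# Weights as listed in the guide's exhibit. Assumption: the figures map to the
# levels in legend order. The weighted average divides by their sum below.
WEIGHTS = {"Policy": 15, "Process": 25, "Implemented": 40, "Measured": 10, "Managed": 15}

# Rubric bands from the Policies & Procedures table: (upper bound %, level, label).
RUBRIC_BANDS = (
    (10, 1, "non-compliant"),
    (32, 2, "somewhat compliant"),
    (65, 3, "partially compliant"),
    (89, 4, "mostly compliant"),
    (100, 5, "fully compliant"),
)

CERTIFICATION_MINIMUM = 61.99  # minimum domain score quoted in the guide


def rubric_level(percent: float) -> tuple[int, str]:
    """Map a coverage percentage (0-100) to the 1-5 rubric entry used in MyCSF."""
    if not 0 <= percent <= 100:
        raise ValueError(f"percentage out of range: {percent}")
    whole = math.floor(percent)  # the bands are stated on whole percentages
    for upper, level, label in RUBRIC_BANDS:
        if whole <= upper:
            return level, label
    raise AssertionError("unreachable: bands cover 0-100")


def requirement_score(percentages: dict[str, float]) -> float:
    """Weighted average of the five maturity-level percentages for one requirement."""
    missing = set(MATURITY_LEVELS) - set(percentages)
    if missing:
        raise ValueError(f"missing maturity levels: {sorted(missing)}")
    weighted = sum(WEIGHTS[level] * percentages[level] for level in MATURITY_LEVELS)
    return weighted / sum(WEIGHTS.values())


def domain_score(requirements: list[dict[str, float]]) -> float:
    """Average of the requirement scores in a domain (assumed equal weighting)."""
    if not requirements:
        raise ValueError("a domain needs at least one requirement statement")
    return sum(requirement_score(r) for r in requirements) / len(requirements)


def certification_check(domains: dict[str, list[dict[str, float]]]) -> dict:
    """Score every domain and report which ones fall under the minimum."""
    scores = {name: round(domain_score(reqs), 2) for name, reqs in domains.items()}
    failing = sorted(name for name, s in scores.items() if s < CERTIFICATION_MINIMUM)
    return {"scores": scores, "failing_domains": failing, "eligible": not failing}


# Constructed sample: two domains with one or two requirement statements each.
# Measured and Managed are left at 0% to show how far Policy, Process and
# Implemented alone can carry a domain under this weighting.
SAMPLE_DOMAINS = {
    "Endpoint Protection": [
        {"Policy": 100, "Process": 90, "Implemented": 85, "Measured": 0, "Managed": 0},
    ],
    "Access Control": [
        {"Policy": 95, "Process": 80, "Implemented": 70, "Measured": 0, "Managed": 0},
        {"Policy": 100, "Process": 100, "Implemented": 60, "Measured": 0, "Managed": 0},
    ],
}

if __name__ == "__main__":
    result = certification_check(SAMPLE_DOMAINS)
    for name, score in result["scores"].items():
        status = "below minimum" if name in result["failing_domains"] else "ok"
        print(f"{name:20s} {score:6.2f}  {status}")
    print("eligible for certification:", result["eligible"])
```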

Quality Assurance

In 2019, HITRUST made several changes to improve the overall quality of assessments. Requirements were instilled to ensure that trained resources were leading and performing assessment testing. Additionally, requirements were adopted that defined minimum quality standards overseen by HITRUST-trained and qualified quality assurance professionals. These changes have increased the reliability of results in the HITRUST ecosystem as well as fueled overall adoption. At the current time, HITRUST requires the following of your External Assessor:

➢ A CCSFP must perform 50% of all hours spent on implementation testing.

➢ Engagement Executive, Quality Reviewer, and Engagement Lead roles must be named.

➢ The Quality Reviewer must not take part in the assessment testing.

➢ The Engagement Executive, Quality Reviewer, and Engagement Lead must all be CCSFPs.

➢ The Engagement Executive and Quality Reviewer must attend specialized training and complete an exam to become a Certified HITRUST Quality Professional (CHQP).

➢ The HITRUST Authorized External Assessor Organization must always maintain two (2) CHQPs and five (5) CCSFPs to stay in compliance with HITRUST requirements.

In 2019, HITRUST also updated its requirements for the definition of scope, requiring a “verbose” definition, a better description of systems, and full testing of all applications in the environment. The scope must clearly identify the assessment boundaries. These definitions are reviewed, as required, by the External Assessor Organization Engagement Executive as part of the overall quality assurance process.

As mentioned in chapter two, organizations can also benefit from having an Authorized Internal Assessor. While Internal Assessors are not required by HITRUST, they are highly recommended. An Internal Assessor can facilitate the HITRUST CSF Assessment process by performing in-house testing in advance of an External Assessor’s validated assessment fieldwork. Testing performed by Authorized Internal Assessors meeting HITRUST’s requirements can – at the discretion of their External Assessor – be relied upon by External Assessors for the HITRUST validated assessment effort in lieu of the External Assessor’s direct testing.

At the completion of the assessment, the HITRUST Authorized External Assessor Organization must provide HITRUST with the following documentation related to the assessment:

➢ 100% of all work papers

➢ HITRUST Authorized External Assessor Quality Checklist signed by the Engagement Executive and External Assessor QA Resource

➢ Test plan, fully filled out, demonstrating documented test procedures and results

Things to Expect During a Validated Assessment

Here are some things to expect during a validated assessment:

➢ Even with a facilitated self-assessment or readiness assessment, the organization will need to complete the self-assessment portion in MyCSF, self-identify a score, and attach any evidentiary documentation (e.g. policies, procedures, reports).

➢ Testing requires the Assessor to identify correct inventories of systems, applications, users, wireless implementation components, and other bodies of evidence. Once the number of items to test is identified and calculated, sampling techniques are determined.

➢ Assessors gather and examine documentation (e.g., policies, procedures, employee training records, logs, vulnerability assessment reports, and risk assessment reports).

➢ An Assessor examines configuration settings, physical surroundings, processes, and other observable information protection practices.

➢ Assessors conduct interviews with business unit stakeholders, where applicable.

➢ Assessors perform system tests to validate the implementation of controls, as needed.

➢ Organizations update the External Assessor portion of the MyCSF assessment instance with the appropriate scoring information and assessment documents.

➢ The External Assessor organization performs a quality assurance review, as required by HITRUST.

➢ The organization’s Representation Letter is completed.

➢ The External Assessor will submit the assessment to HITRUST for their quality assurance review and approval for either HITRUST validation or certification.

➢ The organization and External Assessor will answer any questions from HITRUST.

➢ The organization will complete any corrective action plans.

➢ HITRUST delivers the report approximately eight weeks after

If you are being assessed for the first time, be aware of consultants who claim they can “get you certified” in a few weeks. It’s just not possible. The extensive amount of work that goes into sample testing, scoring, and quality assurance processes is time consuming in and of itself. Then, HITRUST’s review period after submission for adjudication can take 6-8 weeks (but not guaranteed) before report issuance.

Corrective Action Plans & Reporting

What happens if you have some areas with gaps? Don’t expect HITRUST to look favorably upon repeated instances of 0 scores in any category. If you can receive the required minimum score of 61.99% across each domain’s control requirements, you can still achieve certification with corrective action plans. These corrective action plans will require definition on your part, as well as continued progress toward their resolution. Some acceptance of risk is allowed in some cases.

Corrective action plans are evaluated at the Interim Assessment. Once your assessment is complete, you can expect your report within about 6-8 weeks. Reports are provided by HITRUST after the External Assessor’s testing results have been qualified to meet their rigorous expectations.

Contents of the report include:

➢ HITRUST background

➢ Letter of Certification, if achieved

➢ Representation Letter

➢ Assessment context (factors and other information used to set up your assessment scope)

➢ Scope of assessment

➢ Security program analysis

➢ Assessment results

➢ Overall program summary

➢ Breakdown of control areas (scoring)

➢ Test summary

➢ Corrective action plans

➢ Questionnaire results

➢ NIST cybersecurity scorecard

HITRUST Project Flow & Timeline

The chart above depicts a generalized timeline we see most often associated with “the journey to becoming HITRUST Certified.” Once certification is complete, it lasts for two years, with a less intense assessment occurring at the end of the first year, called the Interim Assessment.

Important Pending Changes to Consider

Based on HITRUST’s analysis of assessment data collected over 10 years, HITRUST has concluded that when an organization’s controls within scope of a HITRUST CSF Assessment are operated at or above an aggregated HITRUST CSF maturity score of 79, there is a very high likelihood these controls will continue to operate in a similar manner going forward. And organizations that have mature information security continuous monitoring (ISCM) programs in place can also help ensure that any deficiencies that may arise in their protection programs are quickly identified and addressed. These organizations may qualify for the HITRUST CSF Ongoing Certification (OC) Program, which will allow them to reduce the frequency of full, time-based recertification assessments.

Organizations that qualify for the ISCM-based HITRUST CSF Ongoing Certification (OC) program (generally a score of 79 or higher) conduct recertification assessments less frequently, in general, according to criteria yet to be defined by the HITRUST ISCM Working Group. The timeframe for this new concept is yet to be determined, but it is worth noting so that organizations can begin preparing for these changes as part of their overall ISCM plans. Building out your organization’s strategy for these advanced levels of maturity can save time and money, and provide focus on the highest risk control points.

Maintaining the Certification

Once an organization achieves the coveted achievement of HITRUST Certification, there is a celebration that usually takes place. After all, it is a milestone to be recognized! New business may be on the horizon; there is a feeling of confidence in the security program, and likely even personal goals achieved by team members. Once you are rested and rejuvenated, review the following list and set some reminders:

➢ Monitor your corrective action plan commitments that were defined to improve a control’s effectiveness. It is best to track these as risk areas in a risk register, as well as projects in the organization’s project tracking processes.

➢ Sign up to attend HITRUST’s annual conference, HITRUST Collaborate.

➢ Schedule updates to your policies and procedures, conduct your risk assessments, schedule a review of access rights, and schedule incident and business continuity testing.

➢ Mark your calendar for the “Interim Assessment.” It will occur nine to 11 months after your certification date.

➢ Sign up for webinars and review whitepapers produced by HITRUST; these may provide helpful information on upcoming changes.

➢ Continue to monitor the HITRUST website for new releases, updates to any HITRUST processes, and requirement changes. Sign up for e-mail alerts from HITRUST.

➢ Monitor for changes to the assessment scope and alert your External Assessor (e.g., new office, new application, mergers/acquisitions).

CHAPTER 4: OPTIMIZING HITRUST

Combining Assessments: SOC 2 and HITRUST, ISO 27001

Combining assessments is an efficient way to assess once and report many. When embarking on a combined audit approach, it’s important to understand that the HITRUST CSF security and privacy framework was initially built on ISO 27001. Over time, the HITRUST CSF has evolved to include a significant number of standards, regulations, and business requirements, and is broken down into 14 high-level control categories, 49 control objectives, and 156 control specifications.

The AICPA SOC 2 Trust Services Criteria is a reporting framework assessed against one or more of five categories: security, availability, confidentiality, processing integrity, and privacy. HITRUST maintains a mapping between the AICPA TSC and the HITRUST CSF to identify how they align. Understanding that SOC reports are based on a framework of reporting, and the HITRUST CSF is based on a security and privacy control framework, the decision-maker can navigate toward selecting a report and control framework for their organization.

The bottom line is that the decision between SOC 2 and HITRUST is driven by contract requirements. So why not do them together rather than separately?

What Are Your Options for Consolidated Assessments?

1. SOC 2 Report: A report issued by a CPA firm expressing an opinion on the fairness of the presentation of management’s description of controls and the suitability of the design of controls (type 1), or the fairness of presentation of management’s description of controls and the suitability of design and operating effectiveness of controls (type 2), relevant to security, availability, confidentiality, processing integrity, and/or privacy.

2. HITRUST CSF Validated Assessment Report: A certified or validated report issued by HITRUST based on the work of an independent HITRUST Authorized External Assessor.

3. SOC 2 + HITRUST CSF: A report issued by a CPA firm expressing an opinion on the fairness of the presentation of management’s description of controls and the suitability of design and operating effectiveness of controls relevant to the security, availability, and confidentiality trust services criteria, as well as the HITRUST CSF. If the CPA firm is not also an External Assessor, they must license the HITRUST CSF framework for use. The HITRUST CSF control work is not submitted to HITRUST, and a separate HITRUST CSF report is not generated. The organization does not receive an opinion from HITRUST regarding validation or certification status. Because the report doesn’t contain HITRUST certification but does contain a CPA firm’s opinion, consumers should be aware of the possibility that scope and assessment procedures may not exactly align with what would occur during a HITRUST assessment. However, the CPA firm is attesting that the controls, including those identified from the HITRUST framework, were appropriately designed and operating effectively. Additionally, the work is subject to AICPA standards, as any SOC report is required to be.

4. SOC 2 + HITRUST CSF + CSF Certification: Organizations that have engaged a CPA firm to express a SOC 2 + HITRUST CSF opinion and have achieved HITRUST CSF Certification can obtain one combined report. Essentially, the report will include the details described above in option 3, and additionally include the HITRUST CSF Validated Assessment Report with Certification.

How do you Know Which Option to Use?

The key to knowing what report to use is knowing what your customer wants and what your organization requires from its audit process.

Customer contracts, timing, and scope needs can answer the question of which assessment is needed. The organization’s decision should be made with full management support. If your organization is lucky enough to only need a segment of your network or a single application tested, the scope of that project may lend itself well to a HITRUST assessment.

Organizations that desire both SOC 2 reporting and HITRUST CSF Certification can realize significant time efficiencies and cost savings with the joint assessment, which leverages the synergies between the HITRUST CSF and AICPA TSC. Finally, if your organization is adding the HITRUST assessment onto a long list of compliance and audit types, an External Assessor partner who can consolidate that work efficiently can be paramount to all other decisions.

HITRUST Learning Opportunities

HITRUST offers programs to address common security and privacy challenges. No matter where you’re located, you can learn and connect with others through best-in-class events, conferences, and virtual and live training courses.

HITRUST Community Extension Program (CEP)

The CEP promotes education and collaboration for organizations adopting HITRUST programs. These town hall events are held across the U.S. and coordinated by HITRUST, hosted by organizations within the community, and facilitated by External Assessors. The CEP provides a way for the community to access HITRUST management and executives to discuss education around shared challenges and thought leadership. To view a calendar of upcoming CEP events, visit the HITRUST website at https://hitrustalliance.net/community-extension-program/

HITRUST Annual Conference

HITRUST holds an annual conference for privacy, security, and compliance professionals. The event includes keynotes, panels, and training sessions, highlighting best practices for safeguarding sensitive information and preventing data breaches. Over the past few years, the three-day conference has hosted more than 40,000 attendees attending more than 40 sessions. To learn more about the annual conference, visit the HITRUST website at https://hitrustalliance.net/hitrust-annual-conference/

HITRUST Academy

HITRUST offers training courses designed to educate security professionals about information protection and the utilization of the HITRUST CSF to manage risk. These courses prepare security professionals for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS, and various other federal, state, and business requirements. For more information or to enroll in a live or virtual course, visit https://hitrustalliance.net/hitrust-academy/

FAQs & Common Misconceptions

Question: Why choose the HITRUST CSF over other frameworks? (NIST, ISO, etc.)

Answer: The HITRUST CSF integrates and harmonizes data protection requirements from many authoritative sources, such as ISO, NIST, PCI, and HIPAA, and tailors the requirements to an organization based on specific organizational, system, and regulatory risk factors. The level of integration and prescription provided by the framework, along with the quality and rigor of the HITRUST CSF Assurance Program and supporting HITRUST products and services, makes the HITRUST CSF the easy choice for organizations in all sectors.

Question: Can you be certified to HIPAA?

Answer: Unfortunately, no. The HIPAA Security Rule’s numerous standards and implementation specifications for administrative, technical and physical safeguards, despite what the terms imply, lack the prescription necessary for actual implementation by a healthcare organization. The HITRUST CSF is mapped to the HIPAA Security, Privacy, and Breach Notification Rules, which provides reasonable assurance that your organization is satisfying the rules’ requirements. However, “certification” to HIPAA is not implied through HITRUST readiness, validation, or certification achievement. A targeted assessment can be produced against any authoritative source, but this will not result in a HITRUST CSF Assessment Report.


Question: If I am not a healthcare entity, can I still be HITRUST certified?

Answer: Absolutely! HITRUST, in collaboration with privacy, information security and risk management leaders from the public and private sectors, develops, maintains, and provides broad access to its widely adopted common risk and compliance management framework. It now includes 44+ mapped authoritative sources which have strong adoption rates across a broad spectrum of industries including manufacturing, banking, airline/entertainment, and telecommunications. Indeed, if you fall into any of these industries, you likely are hearing about HITRUST as a way to communicate your organization’s security and privacy practices using the HITRUST CSF.

Question: We’re a start-up and have a small budget. How can we afford HITRUST?

Answer: In 2018, HITRUST introduced the RightStart Program, designed for start-up businesses with a productive service line (or close to it) that are less than three years old, have fewer than 50 full-time employees, and generate less than $10 million per year in revenue. The program incorporates the HITRUST CSF, the MyCSF platform, HITRUST Academy, and the HITRUST CSF Assurance Methodology to help organizations implement strong cybersecurity practices as a foundational part of their businesses. If you meet the criteria, this could be an effective way to incorporate HITRUST into your business processes early on.

Question: A popular misconception is that HITRUST came about as a result of failed OCR HIPAA audits; is this true?

Answer: The OCR HIPAA audits did not begin until 2011. HITRUST was founded in 2007. LBMC has remained a steadfast supporter of the HITRUST CSF since February 2010.


Question: Can an organization certify to the NIST Cybersecurity Framework?

Answer: The NIST Cybersecurity Framework Scorecard is included in HITRUST CSF Validated Reports. It is not one of the regulations you select to include in your assessment; it is already included in the assessment. While a “NIST Cybersecurity Framework Certification” does not exist, the scorecard is HITRUST’s certification of your organization’s compliance with the NIST Cybersecurity Framework.

Question: Is the HITRUST program a true Assess Once, Report Many audit program?

Answer: Yes. Experienced audit firms have developed processes to enable their staff to combine the criteria for multiple audit needs and apply those savings to your organization through increased efficiency, decreased audit fatigue, and higher quality, consistency and reliability of results. If you hear an audit firm dissuade you from this approach, they may not have the staff, skill or tools to execute properly. HITRUST has absolutely designed their framework and methodology to allow for an “audit once, report many” platform and strongly encourages External Assessors to combine assessments where possible.

Question: Is the HITRUST CSF framework designed to allow me to become ISO 27001 certified?

Answer: LBMC Information Security supports the use of the HITRUST CSF within ISO 27001 certifications, if applicable. As with any assessment, be sure to do your homework on your service provider’s skills and knowledge performing any assessment or readiness exam. There are many benefits that can be derived from combining security and/or privacy assessment testing when multiple reporting options are needed. When combining assessments, the intent and specific requirements of the certification must be considered – beginning at the planning stage of the project.


ISO 27001 FAQ

Here are a couple of points to consider from HITRUST’s FAQ on the subject, if you are seeking a firm that can support you in your pursuit of multiple certifications:

The focus of an ISO 27001 certification is on the information security management system (ISMS), which includes an evaluation of the information security risk assessment and treatment processes. However, “organizations can design controls as required, or identify them from any source” (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, “they are not exhaustive and additional control objectives and controls may be needed” (Ibid., § 6.1.3.c, p. 4). And although the ISO assessor must produce a “Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A” (Ibid., § 6.1.3.d, p. 4), it doesn’t extend beyond what’s required in Annex A. Consequently, organizations have wide latitude in the controls they specify to address the risks they identify at a level suitable to their risk appetite. ISO certification assessors also have some latitude in how they assess the effectiveness of the controls, and there is no quality control of the assessments other than a general requirement that consultants who help organizations prepare for ISO certification do not perform the certification assessment.

The HITRUST CSF provides a baseline of comprehensive, prescriptive control requirements tailored to specific organizational, system and regulatory risk factors. Detailed testing procedures prescribed by these baseline requirements focus on the maturity of this control baseline’s implementation, using a specific, rigorous assessment approach and scoring model to gauge the level of excessive residual risk to ePHI in the organization. Like ISO, the testing must be performed by an approved assessor, referred to by HITRUST as an Authorized External Assessor Organization. Quality assurance is provided by HITRUST.


Definitions

Automated Controls: Controls that have been programmed, configured, and/or embedded within a system.

CHQP: Certified HITRUST Quality Professional.

CCSFP: Certified CSF Practitioner.

External Assessor: An individual performing a validated assessment as part of a HITRUST Authorized External Assessor Organization.

HITRUST: HITRUST is a privately held company located in Frisco, Texas, United States that, in collaboration with healthcare, technology and information security organizations, established the HITRUST CSF.

HITRUST Authorized External Assessor Organization: Designation granted to organizations approved by HITRUST to perform validated assessment engagements for clients seeking a HITRUST CSF Validated Assessment or a HITRUST CSF Validated Assessment with Certification. HITRUST Authorized External Assessor Organizations may also assist clients with the adoption of the HITRUST CSF framework, implementation and remediation efforts following adoption. HITRUST Authorized External Assessor Organizations employ CCSFPs to perform assessment testing.

HITRUST CSF Certified: Designation received by an organization following a completed HITRUST CSF Validated Assessment with at least the minimum required score.

Independent: With respect to an Assessor or measure, one that is not influenced by the person or entity that is responsible for the requirement/control being evaluated or measured.

Internal Assessor: Personnel who facilitate the HITRUST CSF Assessment process by performing in-house testing in advance of an External Assessor’s validated assessment fieldwork.


ISO 27001: Specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization’s information risk management processes.

MyCSF: A SaaS-based information risk management platform developed by HITRUST to assess and report risk and compliance information concerning privacy and security.

NIST: NIST is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards.

NIST 800-53: NIST SP 800-53 is shorthand for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-53 is a set of standards and guidelines to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA).

Operational: With respect to a measure or metric, one that is produced by, or otherwise influenced by, the person or entity responsible for the requirement/control being tracked by the measure or metric.

Policy: Overall intention and direction as formally expressed by management, most often articulated in documents that record high-level principles or courses of action; the intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives, and strategic plans established by the enterprise’s management teams.

Procedure: A detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes.


Risk Treatment: Selecting and implementing mechanisms to modify risk. Risk treatment options can include avoiding, optimizing, transferring, or retaining (accepting) risk.

Undocumented: Not supported by written proof.

About HITRUST

Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk for global organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security, and risk management leaders from the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management frameworks and related assessment and assurance methodologies.

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance. The HITRUST approach gives organizations a comprehensive information risk management and compliance program: an integrated approach that ensures all programs are aligned, maintained and comprehensive enough to support an organization’s information risk management and compliance objectives.

About LBMC Information Security

HITRUST Services

As one of a select group of Authorized HITRUST External Assessors, LBMC Information Security participates in many of the working groups sponsored by HITRUST. Known for our work throughout the industry, LBMC personnel have assisted HITRUST with integration efforts for various standards such as GDPR, Centers for Medicare and Medicaid Services, and NIST. Team members are also active in HITRUST forums and regularly provide positive contributions to the HITRUST community. Based on our deep security and compliance expertise, we are exceptionally well-qualified to assist organizations with HITRUST Certification and with the implementation of the HITRUST CSF. As one of the longest-serving External Assessors in the industry, since 2010, we have many stories to tell where HITRUST has benefited organizations in many dimensions.


Why Choose LBMC Information Security?

Knoxville: 2095 Lakeside Centre Way, Suite 220, Knoxville, TN 37922, 865.691.9000

Chattanooga: 605 Chestnut Street, Suite 1100, Chattanooga, TN 37450, 423.756.6585

Nashville: 201 Franklin Road, PO Box 1869, Brentwood, TN 37024-1869, 615.377.4600

10+ years’ experience in performing validated assessment engagements for clients seeking a HITRUST CSF Validated Assessment or a HITRUST CSF Validated Assessment with Certification.

Hundreds of assessments performed for clients in various industries. We offer SOC 2 + HITRUST, Readiness, and Validation Services – all while maintaining HITRUST’s separation of duty requirements.

One of the largest HITRUST teams in the ecosystem. Our CCSFP team members bring experience from helping many organizations achieve HITRUST certification.

Our HITRUST service line leaders are members of the Assessor Council, the Quality Subcommittee, and numerous other committees and workgroups that contribute to the HITRUST program. Their leadership within HITRUST benefits our clients every day.


Ready to discuss your HITRUST Assessment Needs?

Contact us for a free consultation at LBMCsecurity.com