Deciphering HITRUST Assessments

April 28, 2016

HITRUST, through the HITRUST Common Security Framework (CSF) Assurance program, offers two types of assessments against the CSF: a self-assessment and a validated assessment.  While both types of assessments evaluate an organization's compliance with the CSF, there are significant differences between the two, both in the level of effort required to complete the assessment and in the level of assurance provided to relying entities.

HITRUST Self-Assessment

A HITRUST self-assessment allows organizations to assess themselves using the standard methodology, requirements, and tools provided by HITRUST under the CSF Assurance Program.  Through the self-assessment process, organizations can understand their current level of compliance with the CSF as well as their areas of general risk.  Organizations performing a self-assessment use HITRUST's MyCSF tool to respond to the baseline requirements statements, as generated by the MyCSF tool, based on the organization's documented risk factors (organizational, system, and regulatory) for the in-scope systems and locations.  Once the organization has responded to all required statements, the completed questionnaire is submitted to HITRUST.  HITRUST personnel then review the results of the self-assessment, perform limited validation on the results, and generate the final self-assessment report.  The validation procedures performed by HITRUST provide a limited level of assurance to relying entities.

Advantages of performing a self-assessment include a relatively low level of effort required to complete the assessment and the ability to provide relying entities with a report on CSF compliance in an expedited manner.  Additionally, a self-assessment can be used as a stepping stone to a validated assessment.  The self-assessment report provides the lowest level of assurance to relying entities without undue burden on the assessed organization.

HITRUST Validated Assessment

For higher levels of assurance, organizations can choose to perform a HITRUST validated assessment.  The validated assessment requires organizations to perform a self-assessment by responding to the baseline requirement statements within the MyCSF tool, as described above, but also requires the organization to engage an authorized HITRUST Assessor to perform validation and testing of the organization's self-assessment responses. 

Once the organization's self-assessment responses are submitted, the engaged Assessor performs validation and testing procedures, as per the CSF Assurance methodology, and either concurs with the organization's responses or returns the responses to the organization for additional details and evidence artifacts.  After the Assessor agrees with the organization's responses, the validation portion of the assessment is complete, and the assessment is submitted to HITRUST for review.

HITRUST personnel review the assessment, perform limited quality assurance procedures around the Assessor's validation work, and generate the final HITRUST report.  Assessments that meet or exceed the current CSF Assurance scoring requirements for certification will be indicated as CSF Certified on the generated report.  Per the most recent version of the CSF (2015 CSF v7), certification will be granted if the 64 controls specified as required for certification are fully implemented within the scoped environment.  If not all requirements for certification are met, the report is generated as a CSF Validated report, indicating that the organization performed a validated assessment but did not fully meet all the requirements for certification.  A CSF Certified report is valid for two years but requires an interim assessment to be performed by the CSF Assessor at the one-year mark after testing completion in order to remain valid for the full two years.

A validated assessment requires a higher level of effort to complete as compared to the self-assessment, primarily due to the more rigorous on-site validation testing that must be performed by the CSF Assessor.  However, this higher level of effort has the benefit of producing a report that provides a higher level of assurance to relying entities.  Regardless of the outcome of the validated assessment (either a CSF Validated or CSF Certified Report), relying entities are still provided a greater level of assurance over a self-assessment thanks to the independent validation procedures performed by the CSF Assessor.

Organizations considering a HITRUST assessment need to determine their specific compliance requirements, as well as the requirements of their clients and other entities that rely on the services provided by the organization, when determining whether to perform a self- or validated assessment.  Both assessments scale to organizations of any size and they allow organizations to determine their current level of compliance with the CSF.  Self-assessments have the advantage of relatively quick completion without undue burden on the organization, but organizations may receive greater benefit from the higher level of assurance provided by a validated assessment.  An authorized CSF Assessor can provide organizations with further guidance on the assessment type that helps them best meet their healthcare compliance objectives.

