866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Do Different Platforms Mean Different HITRUST Certifications? Blog Feature

By: Schellman

Print/Save as PDF

Do Different Platforms Mean Different HITRUST Certifications?

Healthcare Assessments

Determining the scope of an assessment against the HITRUST Common Security Framework (CSF) is one of the first and most important tasks of the entire HITRUST assessment process.  The assessment scope is a major factor in the level of effort required to complete an assessment, and is important to relying entities in determining if the services they use are assessed against the HITRUST CSF.  However, for organizations with large or complex IT environments, the task of determining the scope of their HITRUST assessment(s) may seem daunting.

A commonly asked question relates to organizations with multiple platforms or environments:

"If I have multiple platforms that house PHI, all with different processes, do I need multiple certifications?"

The key word in that question is “need”.  According to HITRUST standards, there is no stated requirement for organizations to segregate different platforms, services, locations, etc. into separate CSF Certification reports.  The HITRUST CSF is a very flexible framework, allowing the scope of an assessment to be as narrow as a single application or as broad as an entire organization.  Perhaps a more appropriate question that these organizations need to ask is "If I have multiple platforms that house PHI, all with different processes, do I WANT multiple certifications?"  The short answer: it depends.  The longer answer is that organizations must consider several factors when determining the scope of their HITRUST assessment(s).

The very first factor is determining the purpose of the assessment (answering the question "why am I doing this?").  Is it to meet internal or external compliance requirements?  Is it to support individual business associate requirements?  Is it to generally improve the security posture of the organization?  All of the above?  Determining the purpose of the assessment work is the foundational first step in the scoping process, and without this information, scoping an assessment becomes extremely difficult and more complex.

Once the purpose for the assessment has been established, organizations can identify the systems (and/or facilities) to be assessed.  Organizations should then identify the common controls and processes in place across those systems, differentiating the centralized controls that map to each system from the controls that are independently managed for each system.  This differentiation will give the organization a clearer picture of how their systems can be grouped together, and subsequently, of how to best structure their HITRUST assessment(s).

Given the flexibility of the HITRUST CSF framework, it may be advantageous for organizations to perform multiple assessments in line with the grouping of their systems, as discussed above.  This will allow each individual assessment to be more focused, and will reduce the level of effort required to complete an individual system’s assessment as compared to a single assessment covering disparate systems and processes.

A common example of the multiple assessment approach is an organization that provides IT infrastructure and support as a shared service to various business units.  The organization can perform a HITRUST assessment over its shared IT services (leveraging the common controls in place across the shared systems), and perform individual assessments over each applicable business unit or application (segregating the controls that are independently managed to reduce the overall effort in completing each assessment).

Another common example is an organization that completely segregates all of its platforms / environments, hosting each environment on its own infrastructure that is managed by its own team using their own processes.  In this instance, the lines of demarcation are very clear, and the organization is likely best served by performing a separate HITRUST assessment for each environment.

Ultimately, the scope of an organization's HITRUST assessment(s) depends on the requirements of the organization, their IT landscape, and the requirements of their relying entities.  One organization may be best served by a single assessment that is broad in scope, while another organization's needs are best met with multiple assessments that are narrower in scope.  Further, organizations can choose to perform their assessment(s) as a self-assessment or CSF Validated assessment, the latter being required if the organization wishes to achieve HITRUST certification.  An authorized CSF Assessor can provide organizations with further guidance on the scope and assessment type that helps them best meet their compliance objectives and requirements.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.