The HITRUST set of security controls and safeguards (referred to as the ‘CSF’ or ‘Common Security Framework’) was developed using a risk-based approach to address the multitude of security, privacy, and regulatory challenges facing healthcare organizations. It includes control points derived from the HIPAA, HITECH, NIST, ISO, PCI, FTC, COBIT frameworks, as well as federal and state privacy laws.
A growing number of large healthcare groups, including Anthem, Health Care Services Corp. (HCSC), Highmark, Humana, UnitedHealth Group, and others, are requiring any partner organizations handling ePHI to complete a HITRUST assessment. Some healthcare organizations are also independently opting to become HITRUST certified in order to secure their environments, reduce risk, and be prepared for future audits and inquiries related to information security.
For most organizations, the first step to becoming HITRUST certified is to perform a Self-Assessment within the MyCSF online tool, which includes answering a set of scoping questions to determine which HITRUST CSF controls will be applicable. The Self-Assessment provides an opportunity for the organization to go through a ‘trial run’ to identify any areas that may need to be improved prior to performing a Validated Assessment.
What’s Required to Perform a Self-Assessment?
Access to the MyCSF online tool provided by HITRUST is required for performance of any type of HITRUST assessment. Access options include a report-only option that ranges in price, from $2,500 - $8,500 (based on an organization’s net income range), and a subscription option that has varying levels. Current annual subscription costs for the MyCSF online tool start at $10,000/year for organizations with less than 25 employees. An enterprise subscription for large organizations including 25 user accounts, phone support, and the reporting and exporting modules currently runs at $32,500/year.
Maintaining an annual subscription to the MyCSF online tool is useful in that information entered in during a Self-Assessment is maintained and can be carried over to reduce the burden associated with going through a subsequent Validated Assessment. Use of the report-only option for MyCSF will result in a loss of all data entered into MyCSF approximately 30 days after completion of the assessment.
The HITRUST administrative and scoping questions within the MyCSF online tool are used to determine which HITRUST controls will apply to your organization’s assessments. Examples of the scoping questions include the following:
- Organization type / industry
- Number of customers, employees, users, or transactions per day
- Is the system accessible from the internet or a public location (e.g., kiosks)?
- Are mobile devices used in the environment?
- Do third parties access the system or transmit data?
- Number of active interfaces from the system to other systems
- Which regulatory factors affect the organization (FISMA, PCI, state-specific privacy regulations, etc.)?
How Much Effort is Involved in Completing a Self-Assessment?
Completing a Self-Assessment is time consuming and requires a significant commitment. Most organizations performing the minimum level Security Assessment in MyCSF have a control set including 120 – 140 controls, each of which requires maturity levels to be analyzed, a process narrative to be written, and corresponding evidence to be uploaded (policy documents, approval tickets, etc.). Many of these artifacts will come from various resources and departments across the organization and can be challenging to obtain without top-level commitment and support within the organization.
Assuming each control can take 60 minutes or more to address and document, the work commitment associated with performing a Self-Assessment can amount to an estimated 120 – 140 hours of work or more. Once the Self-Assessment has been completed and submitted within the MyCSF online tool, HITRUST will issue the organization an ‘Assessment Report’ which summarizes the information entered during the Self-Assessment, along with a ‘Letter of Self-Assessment’ confirming the completion of the self-review (not a letter of certification).
What Assistance is Available?
HITRUST-approved assessor organizations, such as Schellman, can be engaged to provide valuable assistance and significantly cut down the potential errors and missteps associated with the Self-Assessment process. Advantages to obtaining the assistance of a HITRUST approved assessor include:
- Assurance that scoping questions are answered appropriately and result in the scope of controls
- Guidance on evidence commonly used to address each specific HITRUST security control
- Assurance that areas which do not meet HITRUST requirements are identified and not overlooked
- Training on creating corrective action plans (CAPs) for areas not meeting HITRUST requirements
- Reduced cost associated with the Validated Assessment process (if also performed by Schellman)
What’s Schellman’s Approach to Ensure Organizations are Successful?
Schellman is a trusted provider to the world’s leading companies and the only company in the world capable of providing SOC, PCI, ISO, FedRAMP, and HITRUST services through a single legal entity. We offer unmatched experience and perspective on helping organizations successfully achieve security, compliance, and certification objectives.
The assistance Schellman can provide at each step of the Self-Assessment process is detailed below:
- Initial Discussions with Leadership – Schellman can attend management meetings in person or via conference call to help stakeholders clearly understand the HITRUST approach, the reasons behind a HITRUST assessment being requested (if applicable), and the effort associated with each step of the process.
- Scoping the Assessment – The scope of systems, applications, and locations included within a HITRUST assessment is determined by the organization. Schellman can provide guidance to help with determination of the appropriate scope and can ensure that the scoping questions in the MyCSF online tool are answered accordingly.
- Identify Evidence Required – Schellman can identify specific items or documents which are commonly referenced to evidence that each control is operating effectively. One of the largest challenges we see with organizations performing the Self-Assessment independently is misinterpreting what documentation is required to adequately evidence the operating effectiveness of each control.
- Streamline the Data Entry Process – Although Schellman cannot directly author the required process narratives in the MyCSF online tool, we can help ensure the data entry process is performed efficiently by providing guidance on the appropriate level of detail and control points commonly identified for each control. Schellman can also advise on how to properly define the maturity levels for control requirements.
- Full Data Entry, Maturity Level, and Evidence Review – Schellman can review all information and evidence entered into the MyCSF online tool and provide comments by item and/or by control.
- Gap Analysis / CAP Training – Schellman can identify any control areas where the process or evidence available does not meet HITRUST standards and requires a CAP in order to pass a Validated Assessment. Schellman can also provide training on creating and updating any CAPs as the processes are improved.
- Self-Assessment Submission – Schellman will ensure that all required data and evidence has been entered and that the assessment is complete prior to submitting to HITRUST.
- Preparation for a Validated Assessment – Schellman will advise and support the organization through preparation for and performing a Validated Assessment.
- Validated Assessment Discount – Schellman offers discounted pricing packages which include the Self-Assessment support described above together with the Validated Assessment review required to become HITRUST certified.