866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

What to Know About HITRUST Self-Assessments Blog Feature

By: Schellman

Print/Save as PDF

What to Know About HITRUST Self-Assessments

Healthcare Assessments

HITRUST Basics

The HITRUST set of security controls and safeguards (referred to as the ‘CSF’ or ‘Common Security Framework’) was developed using a risk-based approach to address the multitude of security, privacy, and regulatory challenges facing healthcare organizations. It includes control points derived from the HIPAA, HITECH, NIST, ISO, PCI, FTC, COBIT frameworks, as well as federal and state privacy laws.

A growing number of large healthcare groups, including Anthem, Health Care Services Corp. (HCSC), Highmark, Humana, UnitedHealth Group, and others, are requiring any partner organizations handling ePHI to complete a HITRUST assessment.  Some healthcare organizations are also independently opting to become HITRUST certified in order to secure their environments, reduce risk, and be prepared for future audits and inquiries related to information security.

For most organizations, the first step to becoming HITRUST certified is to perform a Self-Assessment within the MyCSF online tool, which includes answering a set of scoping questions to determine which HITRUST CSF controls will be applicable.  The Self-Assessment provides an opportunity for the organization to go through a ‘trial run’ to identify any areas that may need to be improved prior to performing a Validated Assessment.

What’s Required to Perform a Self-Assessment?

Access to the MyCSF online tool provided by HITRUST is required for performance of any type of HITRUST assessment.  Access options include a report-only option that ranges in price, from $2,500 - $8,500 (based on an organization’s net income range), and a subscription option that has varying levels.  Current annual subscription costs for the MyCSF online tool start at $10,000/year for organizations with less than 25 employees.  An enterprise subscription for large organizations including 25 user accounts, phone support, and the reporting and exporting modules currently runs at $32,500/year.

Maintaining an annual subscription to the MyCSF online tool is useful in that information entered in during a Self-Assessment is maintained and can be carried over to reduce the burden associated with going through a subsequent Validated Assessment.  Use of the report-only option for MyCSF will result in a loss of all data entered into MyCSF approximately 30 days after completion of the assessment.

Scoping Questions

The HITRUST administrative and scoping questions within the MyCSF online tool are used to determine which HITRUST controls will apply to your organization’s assessments.  Examples of the scoping questions include the following:

  • Organization type / industry
  • Number of customers, employees, users, or transactions per day
  • Is the system accessible from the internet or a public location (e.g., kiosks)?
  • Are mobile devices used in the environment?
  • Do third parties access the system or transmit data?
  • Number of active interfaces from the system to other systems
  • Which regulatory factors affect the organization (FISMA, PCI, state-specific privacy regulations, etc.)?

How Much Effort is Involved in Completing a Self-Assessment?

Completing a Self-Assessment is time consuming and requires a significant commitment.  Most organizations performing the minimum level Security Assessment in MyCSF have a control set including 120 – 140 controls, each of which requires maturity levels to be analyzed, a process narrative to be written, and corresponding evidence to be uploaded (policy documents, approval tickets, etc.).  Many of these artifacts will come from various resources and departments across the organization and can be challenging to obtain without top-level commitment and support within the organization.

Assuming each control can take 60 minutes or more to address and document, the work commitment associated with performing a Self-Assessment can amount to an estimated 120 – 140 hours of work or more.  Once the Self-Assessment has been completed and submitted within the MyCSF online tool, HITRUST will issue the organization an ‘Assessment Report’ which summarizes the information entered during the Self-Assessment, along with a ‘Letter of Self-Assessment’ confirming the completion of the self-review (not a letter of certification).

What Assistance is Available?

HITRUST-approved assessor organizations, such as Schellman, can be engaged to provide valuable assistance and significantly cut down the potential errors and missteps associated with the Self-Assessment process.  Advantages to obtaining the assistance of a HITRUST approved assessor include:

  • Assurance that scoping questions are answered appropriately and result in the scope of controls
  • Guidance on evidence commonly used to address each specific HITRUST security control
  • Assurance that areas which do not meet HITRUST requirements are identified and not overlooked
  • Training on creating corrective action plans (CAPs) for areas not meeting HITRUST requirements
  • Reduced cost associated with the Validated Assessment process (if also performed by Schellman)

What’s Schellman’s Approach to Ensure Organizations are Successful?

Schellman is a trusted provider to the world’s leading companies and the only company in the world capable of providing SOC, PCI, ISO, FedRAMP, and HITRUST services through a single legal entity.  We offer unmatched experience and perspective on helping organizations successfully achieve security, compliance, and certification objectives.

The assistance Schellman can provide at each step of the Self-Assessment process is detailed below:

  1. Initial Discussions with LeadershipSchellman can attend management meetings in person or via conference call to help stakeholders clearly understand the HITRUST approach, the reasons behind a HITRUST assessment being requested (if applicable), and the effort associated with each step of the process.
  1. Scoping the Assessment – The scope of systems, applications, and locations included within a HITRUST assessment is determined by the organization. Schellman can provide guidance to help with determination of the appropriate scope and can ensure that the scoping questions in the MyCSF online tool are answered accordingly.
  1. Identify Evidence RequiredSchellman can identify specific items or documents which are commonly referenced to evidence that each control is operating effectively. One of the largest challenges we see with organizations performing the Self-Assessment independently is misinterpreting what documentation is required to adequately evidence the operating effectiveness of each control.
  1. Streamline the Data Entry Process – Although Schellman cannot directly author the required process narratives in the MyCSF online tool, we can help ensure the data entry process is performed efficiently by providing guidance on the appropriate level of detail and control points commonly identified for each control. Schellman can also advise on how to properly define the maturity levels for control requirements.
  1. Full Data Entry, Maturity Level, and Evidence Review – Schellman can review all information and evidence entered into the MyCSF online tool and provide comments by item and/or by control.
  1. Gap Analysis / CAP Training – Schellman can identify any control areas where the process or evidence available does not meet HITRUST standards and requires a CAP in order to pass a Validated Assessment. Schellman can also provide training on creating and updating any CAPs as the processes are improved.
  1. Self-Assessment Submission – Schellman will ensure that all required data and evidence has been entered and that the assessment is complete prior to submitting to HITRUST.
  1. Preparation for a Validated Assessment – Schellman will advise and support the organization through preparation for and performing a Validated Assessment.
  1. Validated Assessment Discount – Schellman offers discounted pricing packages which include the Self-Assessment support described above together with the Validated Assessment review required to become HITRUST certified.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.