Many healthcare service providers are being told that they must begin the HITRUST Validated Assessment process. But have no fear! This article provides guidance on that process and the information needed to navigate a Validated Assessment and obtain HITRUST CSF Certification.
A HITRUST CSF Validated Assessment demonstrates compliance with the HITRUST CSF framework. The CSF Assurance program is governed by HITRUST in the same manner as governing bodies such as the PCI Standards Council, the American Institute of CPAs (AICPA), and the Cloud Security Alliance (CSA). In fact, the CSF Assurance program is a collection of existing frameworks like HIPAA/HITECH, PCI DSS, NIST 800-53, ISO 27001, AICPA Trust Services Criteria, etc. If you have already undergone any of these types of assessments, you are more prepared for HITRUST CSF Certification than you think.
HITRUST MyCSF Portal:
Unlike other assessments, HITRUST assessments (Readiness or Validated) must be performed using a proprietary tool administered by HITRUST, the MyCSF Portal. An organization must pay for either one-time use (report-only access) or an annual subscription to the portal. The MyCSF Portal provides a central repository in which the organization performs the Readiness or Validated Assessment process, from initial scoping through validation and reporting. It has attributes similar to other governance, risk, and compliance (GRC) tools, which help manage ongoing risk and compliance efforts, including the remediation process and subsequent Validated Assessments.
Scoping and Assessment:
Once access to the MyCSF Portal is in place, the next step is to identify the scope. The scope is determined by many factors, such as the type of business, systems and infrastructure, locations, facilities, number of transactions processed, and the regulatory factors that apply to the business. The outcome of the scoping process determines the number of implementation requirements in scope for the assessment. When selecting the assessment type, the organization's environment, control maturity, experience, and familiarity with the HITRUST requirements should all be taken into consideration. If an organization is uncertain how to scope an assessment, it can and should engage an Authorized HITRUST External Assessor to gain a full understanding of scope determination and the effort required.
Selecting an Authorized HITRUST External Assessor:
Once the scope and factors have been finalized, with or without the help of an Authorized HITRUST External Assessor, and the MyCSF Portal has determined the number of implementation requirements in scope, the next step is to select an Authorized External Assessor to perform the validation component of the Validated Assessment. For a Readiness Assessment, an External Assessor is not required but may be helpful when determining how to score each implementation requirement. The Authorized HITRUST External Assessor must be an organization that HITRUST has approved to perform Validated Assessments. Some organizations offer HITRUST consulting and readiness services without being Authorized HITRUST External Assessors.
Documentation and External Assessor Review:
The MyCSF Portal provides guidance on the in-scope requirements and allows organizations to document their controls in place to meet each requirement. It also serves as a repository for storing the required evidence to support the controls in place for the assessment. The controls documentation and supporting evidence will be evaluated and tested by the Authorized HITRUST External Assessor, who also documents their testing in the same MyCSF Portal. Once the Authorized HITRUST External Assessor completes testing, the assessment results and any necessary Corrective Action Plans (CAPs) are submitted to HITRUST for review.
After the HITRUST Assurance Team completes its QA review, it posts the draft HITRUST Validated Assessment report in the MyCSF Portal. Organizations that meet the control maturity rating requirements for HITRUST Certification receive a HITRUST Validated Assessment Report with Certification. Organizations that complete the Validated Assessment process but have material gaps in the control maturity ratings required for certification receive a HITRUST Validated Report, which indicates that an independent Validated Assessment is complete. Even if an organization does not achieve HITRUST Certification, a Validated Assessment report can still be obtained to show that the current set of in-scope controls was independently validated by an External Assessor.
If HITRUST CSF Certification is achieved, the HITRUST CSF Certification is valid for 24 months from the initial certification date. As part of the requirement to maintain an active certification, the organization must complete an Interim Assessment performed by the External Assessor within 12 months of the initial certification date. After 24 months, the organization must repeat the process and undergo another full HITRUST Validated Assessment.
For many business associates in the healthcare industry, the race is on to achieve certification due to its rapid adoption in the industry. While HITRUST CSF Certification can undoubtedly be challenging and costly to achieve, careful planning and evaluation of your organization’s current environment will help make the certification process as efficient as possible.
About the Author: Greg Miller