Healthcare service providers are being told that they must begin their HITRUST Validated Assessment process soon, especially to meet the 2017 deadline for HITRUST Certification. The looming deadline and the lack of familiarity with the validation process are causing some fear. But have no fear! This article will provide guidance on the process and the necessary information needed to navigate the Validated Assessment process and obtain certification.
A Validated Assessment demonstrates compliance with the HITRUST Common Security Framework (CSF) assurance program. The CSF Assurance program is governed by the HITRUST Alliance (“the Alliance”) in the same manner as governing bodies such as the PCI Standards Council, the American Institute of CPAs (AICPA) and the Cloud Security Alliance (CSA). In fact, the CSF Assurance program is a collection of existing frameworks like HIPAA/HITECH, PCI DSS, NIST 800-53, ISO 27001, SOC 2, etc. If you have already undergone any of these types of assessments, you are more prepared for HITRUST than you think.
Unlike other assessments, the assessments for HITRUST (Self or Validated) must be performed utilizing a special, proprietary tool administered by the Alliance, called the MyCSF Portal. An organization must pay for either one-time use (90-day access) or an annual subscription for portal access. The MyCSF Portal provides a central repository for the organization to perform the Validated Assessment process, from the initial scoping to validation and then reporting. The MyCSF Portal has similar attributes to other governance, risk and compliance (GRC) tools that help manage ongoing risk and compliance efforts, including the remediation process and subsequent Validated Assessments.
Scoping and Assessment:
Once access to the MyCSF portal is in place, the next step is to identify the scope. The scope is determined by a multitude of factors such as type of business, systems and infrastructure, locations, facilities, systems, transactions and regularity factors of the business. The scoping process and the outcome will assistwith determining the type of assessment which will be performed. The baseline assessment is the CSF Security Assessment, which can have between 120-328 possible requirements, and the CSF Comprehensive Security and Privacy Assessment, which can have between 357-845 possible requirements. When selecting the assessment type, the organization’s environment, control maturity, and experience and familiarity with the HITRUST requirements should all be taken into consideration. If an organization has any uncertainty regarding how to scope an assessment, the services of an approved CSF Assessor can and should be employed to help the organization have a full understanding of scope determination and required efforts.
Selecting an Assessor:
Once the scope factors have been finalized, either with or without the help of a CSF Assessor, and the MyCSF Portal has determined the number of requirements in scope for the Validated Assessment, the Portal will prompt you to select an independent CSF Assessor to perform the validation component of the Validated Assessment. The CSF Assessor must be an organization that has been approved by the Alliance for performing the Independent Validations. There are organizations that can assist with HITRUST consulting and readiness, but they may not always be approved CSF Assessors.
Documentation and CSF Assessor Review:
The MyCSF Portal provides guidance on the scope requirements and allows organizations to document their controls in place to meet each requirement. It also serves as a repository for storing the required evidence to support the controls in place for the CSF assessment. The controls documentation and supporting evidence will be evaluated and tested by the CSF Assessor, who also documents their testing in the same MyCSF Portal. Once the CSF Assessor completes testing, the assessment results and any necessary Corrective Action Plans (CAPs) are submitted to the Alliance for review.
After the Alliance completes their review, they will post the final HITRUST Validated Assessment report in the MyCSF Portal. Organizations that pass the Validated Assessment and also meet the necessary control maturity rating requirements for HITRUST Certification will received a HITRUST Certified Report. Organizations that complete the Validated Assessment process but have material control maturity rating gaps required for certification purposes will receive a HITRUST Validated Report, which indicates an independent Validated Assessment is complete. Even if an organization does not achieve HITRUST Certification, a Validated Assessment report can still be obtained to illustrate that the current sets of controls in scope were independently validated by a CSF Assessor.
If HITRUST Certification is achieved, the HITRUST Certification is valid for 24 months from the initial certification date. As part of the requirement to maintain an active certification, the organization must undergo an annual review performed by the CSF Assessor within 12 months of the initial certification date. After 24 months, the organization must repeat the process and undergo another full HITRUST Validated Assessment.
For many business associates in the healthcare industry, the race is on to achieve certification by the looming 2017 deadline. While HITRUST Certification can undoubtedly be challenging and costly to achieve, careful planning and evaluation of your organization’s current environment will help make the certification process as efficient as possible.
About the AuthorMore Content by Greg Miller