
The Five Hurdles to HITRUST

Healthcare Assessments

As larger players in the healthcare industry like Anthem, Humana, and UnitedHealth Group begin to embrace the HITRUST Common Security Framework (CSF) in an attempt to manage the ever-evolving compliance landscape, the desire for HITRUST certification has increased exponentially. However, for many organizations the road to certification is a long one.

Below are some of the common challenges encountered along the way, and the necessary considerations you should take before embarking on your journey.

Choosing the right assessment

Choosing between a Self-Assessment and a Validated Assessment is relatively straightforward. A Self-Assessment is the more cost-effective option for your organization to gauge its current compliance level. A Validated Assessment performed by a third party is the more rigorous option; however, it is the only path to achieving certification. There are two different types of certification, which is one source of confusion for many organizations. HITRUST Alliance allows you to be certified with either a Security Assessment (assessed against 64 controls) or a Comprehensive Assessment (assessed against all 149 controls). The major difference between the two? Level of assurance. For many organizations using HITRUST to evidence HIPAA Security Rule compliance, the Security Assessment may be all you need.

Getting the right buy-in

Compliance is an organizational effort and a full-time job. All too often, compliance is a shared effort across several departments, which frequently results in finger-pointing and confusion during the assessment process. Is it Information Technology’s responsibility? Legal’s? Or is it Privacy’s? One of your first steps should be sitting down with key stakeholders to determine who is responsible for compliance in your organization. Next, you should ensure that an appropriate budget and amount of resources are allocated to compliance efforts.

Finding balance between patient care and compliance

Healthcare is a unique industry in which a trump card exists. The desire to improve patient care frequently causes a ripple effect across the organization: security and other initiatives take a backseat because they are viewed as a roadblock to productivity. Examples of this include purchasing applications that don’t support audit functionality, or turning off security event logging to improve system performance. However, with the rise in data breaches, it is no longer a question of whether a breach will occur, but when. That is why it is essential for every organization to make security and compliance a significant part of its culture.

Evaluating your high risk controls

The HITRUST framework incorporates over 20 standards, including, but not limited to, HIPAA, NIST, PCI DSS, SOC 2, ISO 27001, and COBIT. This makes HITRUST highly comprehensive and prescriptive. As such, some of the controls included within the framework are very specific and may map to standards that your organization has not previously considered. There may also be instances where the risk level HITRUST assigns to a control requirement does not align with your organization’s own risk designation. It is important to appropriately evaluate the risk, impact, and cost-effectiveness of implementing each control in order to achieve the overall maturity score of 3 required in each domain for certification.

Managing your policies and procedures

One of the most frequently missed pieces (and oftentimes the cheapest to implement) is strong management of policy and procedural documentation. Policies and procedures are typically the first thing requested to evidence the existence of a control. Robust documentation helps organizations avoid redundant effort, reduce knowledge loss, provide consistency, and establish process ownership. Even if you have everything else in place, missing policy and procedural documentation can be the difference between a Certified Assessment and a merely Validated Assessment.

For many business associates in the industry, the race is on to achieve certification by the looming 2017 deadline. While HITRUST certification can undoubtedly be challenging and costly to achieve, careful planning and evaluation of your organization’s current environment will help make the certification process as efficient as possible.

About Julie Yang

Julie Yang is the HITRUST technical lead at Schellman. Prior to joining the company, Julie worked at a multinational professional services firm where she specialized in technology compliance and HITRUST assessments. Julie has provided services for private healthcare organizations and Fortune 500 companies throughout the course of her career.