Understanding the results of a HITRUST engagement and how to use them.

During your vendor due diligence process, a vendor sends you their HITRUST report. What exactly does this report tell you? How can you use this information to properly evaluate the vendor? In this blog, we will give a brief overview of the HITRUST CSF framework and then dive into how to read the HITRUST Validated Assessment report, section by section.

What is HITRUST?

The HITRUST CSF is a security framework that aims to ease the burden of compliance by implementing a “Report-Once, Assess-Many” methodology. A company seeking HITRUST CSF Certification may define the scope of their assessment based upon the nature of their business needs and the regulatory landscape with which they must comply. Once a company has ‘implemented HITRUST,’ Validated Assessments are then conducted by an approved HITRUST External Assessor, such as risk3sixty, via HITRUST’s proprietary MyCSF platform.  Once the Validated Assessment has been completed, the External Assessor then submits the assessment to HITRUST for review, further quality assurance, and issuance of the HITRUST CSF Certification and associated report.

When initially setting up a HITRUST assessment within the MyCSF tool, the company being assessed chooses what additional regulatory requirements they wish to include in the scope of their assessment. Since HITRUST maps its CSF framework to most common security, privacy, and regulatory frameworks, a company may use an expanded scope assessment to demonstrate compliance with other frameworks.  Although HITRUST does not issue certifications against every reporting and security framework, law, or regulation, this scope selection process enables a company to demonstrate compliance with many frameworks and largely unify its compliance efforts. This, in turn, provides some assurance to the company’s customers, partners, and vendors that the assessed company is in compliance with those regulations.

The Report Structure

It is important to understand how HITRUST control categories, objectives, and references are set up prior to reading a company’s HITRUST Validated Assessment report. HITRUST CSF as 14 Control Categories, which are made up of 49 Control Objectives.  These Control Objectives, in turn, are divided into 156 Control References.  Out of the 156 Control References, only 75 are required for certification. The company-defined scope of a HITRUST assessment determines the number of control references included in the report above and beyond the baseline of 75.  Additionally, based upon the scope, each control reference can have multiple requirement statements, which correlate to the traditional definition of a control (e.g. SOC 2 control).  It is not uncommon for a Validated Assessment to have at least several hundred requirements statements in scope.  The following graphic from HITRUST demonstrates this setup:

HITRUST Control Structure

Each HITRUST Validated Assessment report begins with a brief overview of the HITRUST CSF framework (Section 1). This helps to provide context for the report. Section 2, the Letter of Certification from HITRUST immediately follows this overview (assuming the assessed entity met all requirements to achieve HITRUST CSF Certification).

After this section, you will find Management’s Assertion (Section 3), in which management asserts to the completeness and accuracy of the report. This section is similar to the assertion that you would find in a SOC 2 report.

Section 4 of the HITRUST report provides context for the organization such as number of employees, infrastructure, certified applications, and number of sensitive records held. Additionally, this section contains the list of regulatory risk factors the company has chosen to include in their assessment scope, such as HIPAA, PCI, and GDPR. The HITRUST MyCSF tool uses this information to decide which control references to include in the assessment.

Section 5 discusses the scope of the assessment. The section will list systems included in the scope, along with any exclusions, which, for business reasons, may be out of scope. It’s important to note that a HITRUST CSF Certification applies only to implemented systems and not particular “facilities, people, services, or products.” This section also includes a short description of each system in scope.

The next section, Section 6, simply gives a brief overview of the security program. It discusses personnel, deployed security tools, and any other current third-party assessments.

Results and Appendices

Section 7 contains the assessment results for the 75 control references required for certification. If any requirement statements were not met, the specific requirement statement will be listed out here. Next to the requirement is the Corrective Action Plan (CAP) reference, which you will find at the end of the report. These CAPs demonstrate management’s plan to achieve compliance with specific control requirements, which may require maturation over time.

After the assessment results, the HITRUST report details the PRISMA Control Maturity Model. This is HITRUST’s proprietary scoring model that ranges from 1 to 5. The next section, “Controls by Assessment Domain,” shows the score for each of the 19 HITRUST domains. Each domain also includes comments that explain, at a high level, how the organization meets the requirements within the domain.

Appendix A of the report provides the testing summary. This section covers the documentation reviewed, individuals interviewed, and technologies tested to develop the conclusion of the report.

Appendix B contains the Corrective Action Plans that are required for certification. Under HITRUST scoring, any requirement statement that scores less than a 3+ requires either a CAP or a gap. If the requirements statement is part of a control reference that scores less than a 3+ and is required for certification, HITRUST requires a CAP. Otherwise, it is considered a gap, and a plan is not required. The CAPs in Appendix B include the relevant control deficiency, assessed maturity rating, point of contact, scheduled completion date, and the corrective actions to be taken. Appendix C covers the gaps.

Appendix D is by far the longest portion of the report and contains the full score for each requirement statement. These scores are determined based on policy, process, implementation, measurement, and management. Comments that the assessor or assessed firm deem relevant also appear in this section. Ultimately, the previous sections cover this information in a much more succinct manner, but it is included here for full transparency.

Conclusion

For a company conducting vendor due diligence, obtaining and reviewing a vendor or potential vendor’s HITRUST Validated Assessment report provides valuable insight into the security posture of the vendor and what risks may be presented by doing business with that vendor.  As a vendor, becoming HITRUST CSF Certified and being able to communicate a HITRUST Validated Assessment report provides a great opportunity to demonstrate your information security posture, the scope of your information security program, and how you are protecting your clients’ sensitive information.

Contact

Questions about HITRUST CSF Certification and where to start? Contact us here! We’d love to chat with you and see how risk3sixty can meet your organization’s needs.