HITRUST Nuances and How to Use Them to Your Advantage

The HITRUST CSF contains several attributes that differentiate it from other information security frameworks. Here are three tips on how to handle them!

The HITRUST Business Case

Many consider the HITRUST CSF to be one of the top cybersecurity frameworks for organizations to adopt.

Although it was initially designed as an answer to demonstrate HIPAA compliance, HITRUST has since established itself as an industry-agnostic solution that virtually any entity can leverage to strengthen its information security posture.

In addition to an enhanced security posture, certified entities may also receive the benefit of complying with other frameworks that have been mapped to the HITRUST CSF (previously known as the Common Security Framework). Included in these other frameworks are ISO 27001 and NIST 800-53, which the HITRUST CSF was predominately modeled after.

The HITRUST CSF contains several nuances that differentiate it from other frameworks. The tips below identify actions your organization can take to address these nuances and use them to your advantage.

Policies and Procedures

One of the distinguishing factors within the HITRUST Assurance Program is that each requirement is scored at three maturity levels, at a minimum: Policy, Process, and Implemented.

Organizations are often able to treat the Policy and Process maturity levels as the “low-hanging fruit” when trying to boost their requirement scores.

Entities can receive partial credit towards requirements by simply documenting policy and procedural statements around controls implemented to meet those requirements. These scores are completely independent of the implemented control itself, which may take significant time and effort to remediate.

90 Day Testing Window

Another nuance of the HITRUST Assurance Program is that all testing related to a validated assessment must be completed within a 90-day window. This requirement forces assessed entities to be disciplined since they have a strict deadline to demonstrate that all controls are in place.

Entities being assessed should devote ample time during their readiness and remediation phases to ensure that control owners understand the HITRUST testing methodology and their responsibilities within the process, especially as it relates to evidence collection.

This will ensure that control owners can quickly turn over relevant artifacts once validated testing begins, resulting in a more efficient assessment.

As an auxiliary benefit, if control owners understand their roles and responsibilities, they are also more likely to validate that their respective controls are operating throughout the year.

Three-Party System

Unlike most external audits that only involve the entity being assessed and the assessor, HITRUST engagements require a three-party system. In addition to involvement from the assessed entity and the assessor, the HITRUST Alliance is responsible for performing a quality assurance (QA) function on each assessment and for issuing the final report.

The primary benefit resulting from this requirement is that assessor firms can assist with remediation support without jeopardizing their independence.

For this reason, it is critical that assessed entities conduct due diligence and choose an assessor firm that is right for them.

At a minimum, assessed entities should ensure that their assessor understands their business and their control environment, has the knowledge and experience necessary to guide the assessed entity through the engagement, and can recommend practical and cost-effective solutions to remediate identified gaps while leveraging a risk-based approach.

Conclusion

Organizations that pursue HITRUST certification can realize a plethora of benefits. In order to become certified, these organizations must understand the nuances of the HITRUST CSF and how to effectively address those aspects of the framework and associated assurance program.

Assessed entities can best prepare for their HITRUST assessment by developing strong policies and procedures, ensuring control owner involvement in the readiness and remediation process, and partnering with an assessor firm that can guide them through all aspects of the certification process. For further information on the certification process, please reference the following whitepaper.

About the Author: Michael Carroll

Michael is a former Cyber Risk Manager for risk3sixty, an Atlanta-based Information Risk Management (IRM) firm helping clients implement business-first information security and compliance programs. Michael's primary responsibilities include: - HITRUST Practice Lead: Leading HITRUST gap assessments, validated assessments, and program implementations. - Assisting with the creation and maintenance of security and compliance related initiatives such as ISO 27001, SOC 1, SOC 2, HIPAA, HITRUST, NIST 800-53, and IT SOX. - Enabling sound security strategy by delivering expert level guidance on cybersecurity best practices. - Helping companies communicate their security / compliance story to partners, customers, and regulators.

HITRUST Nuances and How to Use Them to Your Advantage

The HITRUST Business Case

Policies and Procedures

90 Day Testing Window

Three-Party System

Conclusion

Share This Story, Choose Your Platform!

About the Author: Michael Carroll

Related Posts

4 Habits to Adopt for Highly Effective Compliance Audits

Managing Your Compliance Controls Activities Throughout M&A

How Asset Management Became a Top Priority

How to Provide Audit Evidence

Leave A Comment Cancel reply