Collecting HITRUST Evidence: Leave No Room for Doubt Part 1

Gathering HITRUST Requirements

Organizations need to collect solid evidence of their compliance efforts. In this blog, we’ll delve into how to collect HITRUST evidence that leaves no doubt about what it looks like, providing a roadmap for organizations aiming to meet HITRUST’s stringent requirements. HITRUST evidence may take many forms, including policies, procedures, system configuration screenshots, network diagrams, audit logs, vulnerability scan reports, and other pertinent documentation. Such artifacts offer transparency and demonstrate the organization’s adherence to HITRUST requirements.

Always work closely with your HITRUST External Assessor Organization to determine which source of truth is best for the evidence. This evidence-collection process applies to all HITRUST-validated assessments. To demonstrate compliance with requirement statements, the organization must clearly show how they have implemented specific HITRUST requirements. The evidence should address the requirement statement, the measures taken to meet those objectives, and the ongoing monitoring and review processes.

Screenshots from the system of record are typical for configurations and versions of the technology, such as encryption level, but also to demonstrate how a report was configured for an exported list. I prefer to see a series of screenshots answering a particular requirement statement pasted into a single document with searchable descriptions written for the images. This document should feature the system or application’s name, the configuration screenshot’s time and date, or the report generation window with report criteria (e.g., date range: July 1^st, 1900 – June 30^th, 1901). Please think about what the screenshot will look like, pasted into a document and on a standard-sized monitor. The information security and security operations center team may work on a 36” or larger monitor, but your External Assessor may not. The active window of the system of record could be resized into the quadrant featuring the time and date of the host system. Please confirm the elements are legible after capturing and pasting the screenshot into a document. Accuracy here is important, as any inconsistencies or inaccuracies could undermine the credibility of the evidence. Double-check the documentation and conduct internal reviews with subject matter experts.

Report output lists are typically generated as a comma-separated value (CSV) file that the External Assessor will export to an interactive spreadsheet (e.g., Excel, Google Sheets, etc.) to make random sample selections, sort categories, or filter for content. A report output list in a screenshot is useless and will cause more work for the External Assessor and your team to recreate the report. Confirm the assessment period (start and end date) for report output lists with your External Assessor.

If you have a challenge collecting evidence from a system, exporting a report, or selecting a screenshot to demonstrate compliance in a system, contact the vendor. Your vendors know the top two reasons your organization employs their system are to protect the asset and provide evidence in a security assessment.

Timeliness is a crucial aspect of good HITRUST evidence. HITRUST requirements must be timely and representative of the current and recent operation of the control during the assessment period. Regular updates and reviews of evidence ensure it remains relevant and accurately reflects the organization’s security practices.

Improving the detail and clarity of HITRUST requirements may take a little longer but will likely streamline other compliance efforts with clear evidence for PCI-DSS, ISO 27001, and SOC 2 reporting. Once a configuration document with screenshots is completed, it can serve as the basis for a standard operating procedure and training material for new team members.

Providing HITRUST evidence is not merely about ticking boxes; it requires compelling evidence of compliance. Good HITRUST evidence includes comprehensive documentation, consistency, accuracy, detailed control implementation, supporting artifacts, industry best practices, ongoing monitoring, third-party validation, and timeliness.

Would you like to learn more about how to collect quality evidence for your HITRUST-validated assessments? If you need assistance, please reach out to risk3sixty.

By Gary Holverson|2023-08-10T14:48:37+00:00August 2nd, 2023|HITRUST|0 Comments

About the Author: Gary Holverson

Gary is a Cyber Risk Consultant for risk3sixty, an Atlanta-based Information Risk Management (IRM) firm helping clients implement business-first information security and compliance programs. Gary brings experience in healthcare IT operations and information security frameworks to help organizations build, manage, and assess data security and privacy programs with a risk-based approach. Gary’s primary responsibilities include: -HITRUST Practitioner: Leading HITRUST gap assessments, validated assessments, and program implementations. - Assisting with the creation and maintenance of security and compliance related initiatives such as ISO 27001, HIPAA, HITRUST, and NIST 800-53. - Enabling sound security strategy by delivering expert level guidance on cybersecurity best practices. - Helping companies communicate their security / compliance story to partners, customers, and regulators.

Collecting HITRUST Evidence: Leave No Room for Doubt Part 1

Gathering HITRUST Requirements

Share This Story, Choose Your Platform!

About the Author: Gary Holverson

Related Posts

How to Provide HITRUST Evidence That Leaves No Doubt – Part Two

Is HITRUST i1 the right fit for my organization?

What Evidence Does Your HITRUST Assessor Expect When a Control Does Not Operate

Do HITRUST e1 and i1 assessments require policy documents?

Leave A Comment Cancel reply