If you are providing services to healthcare organizations, you may often be asked, “Do you have a HITRUST Certification?” followed by “Well, if we use your product or service, you will need to get certified by HITRUST”.
But before you jump in and promise to achieve that goal quickly, you might want to assess your organizational readiness for HITRUST. In this blog post we will provide some guidance to help you meet the standard. If you’re considering HITRUST compliance as one of your organization’s cybersecurity frameworks, here is a list of the top 8 points you should consider before moving ahead.
Organizational Commitment – HITRUST is a major commitment for an organization. It will require significant heavy lifting from the IT Security Team and may require that other groups within the organization change how they operate to meet its demands. For HITRUST to be successful, you will need executive support and a commitment to providing the required resources.
Policies – The HITRUST Common Security Framework (CSF) incorporates numerous regulations and standards, including ISO, NIST and HIPAA. One of the HITRUST requirements is that your organization has documented policies that clearly communicate management’s expectation of how the control operates for each of your HITRUST requirements. If your policies are not based on NIST or ISO requirements, they will need to be upgraded before you begin your certification process.
Procedures – Each of your policies must be supported by detailed procedures outlining the following:
How you are implementing the policy;
When the procedures should be performed;
Who is performing each procedure; and
How each procedure is scheduled and how its execution is documented, so that the records serve as evidence.
Risk Assessment – HITRUST requires that your organization has performed a comprehensive risk assessment of your security operation based on a formal methodology that evaluates multiple factors that could impact the security of your covered information.
Business Continuity – HITRUST will require that you have a formal business continuity plan that evaluates potential events that could impact your critical operations and a formal strategy to address those risks.
Technical Testing – HITRUST will require that you have implemented technical controls that validate the security of your systems. These may include quarterly or annual vulnerability scanning, penetration testing, and annual reviews of the technical security configuration of your systems.
Documentation – HITRUST will require that you can provide evidence of your control implementation. For example, if your current change management procedures are ad hoc and based on discussions with your team, you will need to implement a formal change management procedure that outlines your testing and approval process in order to meet the HITRUST requirements.
Timing – HITRUST requires that all your policies, procedures and control implementations be in place for 90 days prior to testing by your external assessor. When you estimate how long it will take to accomplish all the requirements, add 90 days to your timeline so that the evidence of implementation HITRUST requires can accumulate.
Also keep in mind that getting this right up front can save time and money. If you do fail a control, a Corrective Action Plan (CAP) will be needed.
Corrective Action Plans
If any of the controls in your assessment scored less than 62.5%, you will be requested to prepare a CAP before you receive your Validated Certification. The CAP requires that you indicate how you will address the identified gap along with who is responsible and when you will have the CAP completed.
The HITRUST MyCSF provides you with a tool to help manage your CAPs, which can be used to document the progress on the CAP, provide documentation supporting the implementation of the CAP, and ultimately close the CAP once it’s completed. While use of the tool is not required, you will need to update the CAP within MyCSF prior to your Interim Assessment as your External Assessor will need to validate your CAP status.
One year after you submitted your assessment to HITRUST, you and your External Assessor will be required to submit your Interim Assessment. Remember that your Interim Assessment is due based on your submission to HITRUST, not the date you received your Validated Certification Report.
You can contact HITRUST and request that your Interim Assessment be created up to 90 days before your due date. Sixty days before your due date, HITRUST will automatically create your Interim Assessment and notify you that it is ready.
What’s involved in your Interim Assessment? The Interim Assessment has three components: (1) validation of your overall environment; (2) verification of your CAP status; and (3) testing of 19 controls selected by HITRUST. Let’s look at all three components:
1. Validation of your overall environment.
Your External Assessor will confirm that you have not had a data security breach reportable to either State or Federal agencies. If you have had a data breach, you and your assessor will need to contact HITRUST. HITRUST will perform an evaluation to determine whether the breach is material. If HITRUST deems the breach material, the certification will be suspended and you will be required to perform a new Validated Assessment. A breach may be deemed material, for example, because it resulted from the failure of a required control.
Your assessor will also confirm that no significant changes in the business or in security practices, controls, and processes have occurred that might affect your HITRUST Certification criteria. For example, migrating from a server-based environment to a cloud-based environment would be a significant change that would require you to complete a new Validated Assessment instead of an Interim Assessment. Less significant changes may require that your assessor validate that the affected controls are still functioning. For example, if you implemented a new mobile device encryption tool, the assessor would need to validate that the new tool meets the control requirements related to mobile device encryption.
2. Corrective Action Plan Status
Your External Assessor will evaluate the status of each of your CAPs. This includes verification that the CAP is either completed or on track. The Assessor will also validate the overall control status. For example, if your CAP was related to incomplete procedures, the Assessor will validate your policy still addresses the control and that the implementation evidence supports the implementation of the control. The assessor will confirm that the updated procedures addressing the CAP have either been developed or are in the process of development.
The status of the CAP in MyCSF must agree with the status your Assessor reports to HITRUST. HITRUST also expects that you will demonstrate forward progress on all CAPs and that you have met the timelines you established. If you have not met the timelines, you and your External Assessor will need to document what progress has been made and your updated timeline.
3. Testing of 19 Controls
HITRUST will select 19 controls, one from each Domain, that must be retested using the same testing requirements as for the Validated Assessment. Your External Assessor will evaluate your evidence at the Policy, Procedure, Implemented, Measured and Managed maturity levels to ensure the control is still functioning as assessed in the Validated Assessment.
In order to maintain your HITRUST Certification, you will need to perform the periodic monitoring required by the controls in your assessment. You need to document the results of that monitoring so you can provide evidence to your External Assessor and achieve full maturity on your next assessment. The table below indicates some of the most common monitoring that is required. Review your own assessment to develop a detailed listing of your monitoring requirements. Once you have that listing, assign each monitoring activity to a responsible person and follow up to verify that the monitoring was done and documented as required.
HITRUST compliance and certification are sensible for any healthcare organization to consider, as the framework is extremely comprehensive. Do your homework in advance, though. Does certification make sense for your size and operations? If so, prepare a roadmap that will lead to certification and maximize your investment.
If you are interested in discussing this or any other security concern, please feel free to Contact Us!