Discover how HITRUST CSF aligns different compliance requirements and what the certification process entails
Protected health information is a valuable asset that is often hunted by malicious actors who then profit from its resale and reuse. Widespread data breach events prompt healthcare entities and their third-party business partners to improve their information security programs continuously. To assure the effectiveness of their security programs and implemented controls, many healthcare organizations choose to or are required to obtain a HITRUST certification.
The Healthcare Information Trust (HITRUST) Alliance is a non-profit organization that provides a common framework for maintaining data security in the healthcare industry. The HITRUST approach harmonizes the information risk management and compliance requirements of several frameworks. This supports organizations' readiness to react to and address complex security and compliance challenges and to meet regulatory requirements. As the security landscape becomes more complex, organizations must constantly increase their efforts to safeguard sensitive data and maintain compliance. To assist, HITRUST developed the Common Security Framework (CSF).
HITRUST CSF was designed to help healthcare organizations comply with laws and regulations and protect sensitive data. It is often referred to as a comprehensive framework as it incorporates requirements from HIPAA, PCI, and other state and federal regulations. HITRUST CSF helps organizations assess and maintain their internal policies, procedures, and controls using a common framework.
HITRUST requirements cover 19 security domains, each comprising the specific control categories necessary to achieve HITRUST certification. These categories outline the desired results and list the policies, procedures, and implementation guidance necessary to meet each objective. The CSF also provides predefined organizational, regulatory, and system risk factors that establish an organization's inherent risk:
Finally, HITRUST CSF rationalizes the way organizations manage the compliance of their business associates. It provides an opportunity to "assess once and report to many", and covered entities benefit from the completeness of the assessment process.
Covered entities and business associates, as defined by HIPAA, are the most common types of organization that pursue and obtain HITRUST certification. Besides strengthening the overall security program and reducing the likelihood of data breaches, there are business advantages that motivate organizations to obtain the certification. By demonstrating compliance with HIPAA regulatory requirements, HITRUST certification:
The HITRUST certification often becomes an indicator of a mature data protection program within the healthcare environment.
The HITRUST certification process is time- and resource-intensive. First, assessed organizations determine their scope, undergo a readiness assessment, and conduct gap remediation if necessary. Thereafter, organizations are required to have a HITRUST Validated Assessment performed by an authorized assessor. Finally, they need to submit the assessment results for HITRUST review and approval to obtain a formal certification. The HITRUST MyCSF tool assists organizations in streamlining the assessment approach and identifying applicable implementation requirements. It provides organizations and their assessors with a web-based solution for performing assessments, managing remediation activities, and reporting and tracking compliance.
The certification process is often viewed with considerable reluctance by those who need to obtain the certification. To ease the burden, organizations may choose a reliable third-party ally, such as Planet 9, or systematize all the steps and instruments necessary to obtain certification using internal resources. The main aspects of the HITRUST certification process are discussed below.
It is a good idea to identify potential gaps and challenges before undergoing the HITRUST Validated Assessment. To this end, organizations can perform a readiness assessment (also known as a self-assessment) to evaluate their ability to comply with the certification requirements.
Using the tools and methodologies of the HITRUST CSF, organizations first gather detailed information about the current state of their policies, processes, and implemented controls. Interviews, evidence collection, testing, and inspection of controls are the HITRUST assessment methods. The gathered information should cover all 19 domains provided in MyCSF and be scored according to the HITRUST methodology.
HITRUST's PRISMA-based Maturity Model is used to score each control within the assessment scope. It involves five general control measurement criteria (p. 13):
The first three criteria are enough to satisfy the required maturity expectations, but organizations can benefit significantly if they can also demonstrate that their controls are measured and managed. Organizations often have control areas that fail to meet the HITRUST certification requirements. Clearly identifying and ranking these areas gives organizations the opportunity to remediate them before undergoing the Validated Assessment.
The HITRUST CSF Readiness Assessment results in a comprehensive report that outlines the current level of compliance with HITRUST CSF standards as well as remediation goals/tasks.
Gap remediation is not a separate process but rather a critical part of the HITRUST assessment, whether self-assessment or validated. It should start with a gap analysis that identifies the policies, controls, and other documentation necessary to meet the HITRUST CSF requirements. During this stage, the organization or the assessors, depending on the type of assessment performed, identify general gaps in the organization's controls and provide recommendations to remediate them. The organization's gaps are then ranked by risk level, prioritized, assigned to an owner, and tracked. All these activities are documented in a formal corrective action plan (CAP).
The next phase of HITRUST certification involves completing a Validated Assessment. Its main difference from the self-assessment is that it is performed only by authorized HITRUST assessors and may be officially submitted to HITRUST for certification if the organization procures a CSF Validated Report with Certification. The HITRUST validation stage, just like the self-assessment, uses a testing approach that assesses the organization's controls through three main methods: examining, interviewing, and testing.
Based on the testing, the assessors compile the working papers, test results, and interview records and submit them to HITRUST for quality review through the MyCSF portal. At that point, the HITRUST Assurance and Compliance team reviews the assessment and determines whether the organization has met the requirements to achieve certification.
QA Review is the fourth phase of HITRUST certification; it scrutinizes the validated assessment and checks whether the organization has met the requirements to achieve certification. The HITRUST QA review entails several activities, namely automated checks, core QA, testing of controls marked not applicable (N/A), and measured and managed control testing.
Automated checks identify scoring errors, commentary errors, and omissions made during the assessment process.
In case of approval, HITRUST issues a Validated Report with Certification.
QA review is a challenging procedure, and sometimes an assessment fails QA through the fault of the organization, its external assessors, or both. Organizations generally fail to:
The external assessors' faults in a failed QA generally involve:
Therefore, both organizations and their external assessors must be highly attentive to all the HITRUST requirements and illustrative guidelines provided in MyCSF.
The initial HITRUST certification process typically takes from 6 months to 1 year. Very few, if any, organizations obtain certification in under 6 months. However, cases where the certification process takes more than a year are also common. This is due to multiple factors, such as the organization's certification scope, size, complexity, the maturity of its existing controls, and competing priorities.
The HITRUST certification is valid for two years. However, to maintain the certificate, the organization's status must be reviewed one year after the original assessment. This process is called an interim assessment. The interim assessment requires testing only one control from each of the 19 domains as well as conducting CAP follow-up. To meet these requirements and complete the interim assessment on time, it is recommended that organizations start the process and engage the assessor at least three months in advance. Additionally, the interim assessment verifies that no breach or significant change has affected the organization's environment since the certification was issued.
After two years, the organization must complete recertification and submit a new validated assessment to HITRUST. As the HITRUST approach promotes the concept of continual improvement, the prescriptive procedures associated with each control requirement statement provide a guideline for increasing maturity over time. Organizations should therefore start the recertification process at least six months before the existing certification's expiration date.
Despite the intensity of the HITRUST certification process, it provides a high degree of assurance to business partners and customers and increases the chances of smaller companies winning business from leading healthcare organizations. Those who undergo HITRUST certification must be diligent in managing their information security program and technical controls and prepare for a challenging and time-consuming assessment.
If you need any help with obtaining a HITRUST certification or other security and compliance services, we’ll be happy to assist: