Cybersecurity in healthcare is paramount to everyone: patients, providers and payers. The rate of cybercrimes is increasing and once healthcare information is breached, it often results in catastrophic losses to all parties.
HITRUST is an organization comprised with the specific intent to serve all healthcare industry leaders who recognize that information security is a fundamental component to data systems and exchanges. The HITRUST organization, in collaboration with other technology and information security leaders, created and maintains the Common Security Framework (CSF). Organizations can gauge their compliance to the HITRUST CSF by performing assessments.
What is a HITRUST Self-Assessment?
- HITRUST CSF Self-Assessment is simply an organization completing the CSF on its own. It is valuable, typically as an internal tool to learn from as it is done with a standardized framework.
- External parties don’t verify any aspects of this type of assessment. The assessment results in a HITRUST issues CSF Self-Assessment report.
- The start of every HITRUST assessment begins with gathering information on the healthcare entity being assessed. This information is then used to gauge the organization, its systems and regulatory requirements for the assessment to determine the risk and scope.
- Most healthcare organizations utilize a third party to help facilitate the self-assessment.
Why are HITRUST Self-Assessments so challenging?
Completing a self-assessment is both time consuming and requires a commitment from leadership. Most organizations performing the minimum level security assessment in MyCSF have a control set including 120-140 controls. Each of these will be analyzed, a process narrative written and corresponding evidence uploaded. These items come from various resources across an organization which is why leadership commitment is key. Plan on each of these controls taking up to 60 minutes or more and the scope of work becomes clear.
Why does HITRUST matter?
We all understand that cyber security breaches create fear, headlines and real problems for all individuals involved. It is front line news daily. As a healthcare evolves and becomes more dependent on technologies to store and transmit data, cybersecurity and compliance matter. Add to all the federally mandated rules and regulations surrounding healthcare technology and now add in another complexity – ensuring that healthcare organizations and its vendors can prove their compliance and guarantee they are a trustworthy business partner.
This is exactly what HITRUST is. It ensures that the provider/vendor has systems that are clear, standard and secure. It puts the trust into data security. Nothing could be more important. It is not easy but HITRUST CSF Certification helps organizations prove their applications and data are secure and increasing security around all HIPAA compliance and audits.
Why Advize Health for Facilitated Self-Assessments?
Advize Health LLC is a healthcare firm with a full team of technology professionals who are dedicated to using their expertise and experience to help your organization become HITRUST certified. Advize Health’s team will help your firm comply and normalize the framework of HITRUST security organizations, while also meeting the requirements put into place by state (e.g., MA 201 CMR 17.00), federal (e.g., HITECH Act and HIPAA), and third party controllers (e.g., COBIT).
Advize Health Facilitated Self-Assessments are led by a Certified Common Security Framework Practitioner (CCSFP). The objective of the HITRUST certification team is to assist your firm in providing assurance that your security controls will limit the probability of a breach, and that new solutions are implemented and operating effectively. Our team will also measure compliance and risk to identify any Corrective Action Plans necessary to reduce the remaining risks.
What can you expect from us?
We will work with you to complete the following:
- Initial discussions with leadership as to size, scope and services of the organization.
- Identify and review the specific evidence that is required. This is similar to any audit where controls are being tested.
- Ensure that your team properly handles the data entry process for your online self-assessment.
- Provide gap analysis training where the evidence available does not meet HITRUST standards.
- Ensure that you successfully complete your self-assessment submission.