Posted and filed under Compliance, Cybersecurity, Healthcare.

Q: Just what is HITRUST anyway?

A: HITRUST refers both to the HITRUST Alliance, a privately held U.S. company made up of leaders from healthcare, technology, and information security, and to the Common Security Framework (CSF) that the Alliance created and governs. The framework comprises a set of prescriptive security controls that can be assessed to determine an organization's level of information security maturity. Two primary assessment options are available, depending on organizational needs: a self-assessment, and (for those that wish to achieve HITRUST certification) a validated assessment. A HITRUST assessment can help an organization gain greater awareness of its cybersecurity posture, and certification adds credibility in the eyes of third parties. Advize offers self-assessment and remediation services to firms around the nation.

Q: What types of HITRUST assessments are there?

A: There are two high-level assessments available from HITRUST: 1) the self-assessment and 2) the validated assessment. The self-assessment is an ideal low-cost option for organizations seeking to gain awareness of their cybersecurity posture or to obtain a lower-tier (non-certified) report, and it can also serve as a first step towards HITRUST certification. Validated assessments provide the pathway to certification and come in four types: 1) CSF Security Assessment, which uses only the CSF security controls required for certification; 2) CSF Security & Privacy Assessment, the same as the previous type but with privacy controls added; 3) CSF Comprehensive Assessment, which uses ALL of the CSF security controls; and 4) CSF Comprehensive & Privacy Assessment, which uses ALL of the CSF security and privacy controls.

Q: How long does a HITRUST assessment take?

A: It varies with the size and scope of the engagement. Multiple systems, departments, and physical locations can be included in the scope, but the organization decides what is in scope; you do not need to include everything. A self-assessment typically takes under three months to complete, while a fully validated assessment towards certification in a larger organization can take up to two years.

Q: How do we get HITRUST certified?

A: The HITRUST Alliance recommends that an organization begin by conducting a low-cost self-assessment to prepare for certification. Advize Health can assist the organization throughout the self-assessment process to ensure it is completed and to give the best chance of certification. A "Roadmap To HITRUST" can be provided to firms that take the initial route of self-assessment, to guide their preparation. Next, a firm that provides HITRUST validation services (an authorized HITRUST CSF Assessor) must be selected to validate the assessment maturity ratings. Once it is selected, the organization purchases a validated assessment from HITRUST and goes through the assessment. When the assessment is complete, the results are submitted to HITRUST for review. If a score of 3 or better is achieved in each of the 19 assessment domains, the organization receives a letter of certification. Should any domain be rated below 3, all is not lost: a "validated report" is issued together with a corrective action plan (CAP), showing that the organization is working through the areas rated below 3 and remediating those issues in order to reach a 3 or higher and achieve certification.

Q: What is the value of a self-assessment?

A: Although HITRUST certification cannot be achieved through a self-assessment, a self-assessment is very valuable for gaining a better understanding of your organization's security posture, and it is a significant step towards certification through a validated assessment. During a self-assessment, the organization enters its control audit findings into HITRUST's MyCSF tool, which gives an insightful picture of where the organization's cybersecurity stands. Those same control findings can be reused during a validated assessment, so the self-assessment is an extremely valuable and low-cost approach towards certification. If certification is not desired, the self-assessment results stand on their own as a lower-tier, non-certified report that can be provided to third parties as needed.

Q: Is HITRUST certification required for healthcare organizations?

A: Many larger healthcare entities now require HITRUST certification from their business associates. In 2015, several major healthcare organizations announced that they will require their business associates to obtain HITRUST certification to demonstrate effective security and privacy practices. This affects roughly 7,500 entities that do not currently hold HITRUST certification, which must obtain it within 24 months. Failure to acquire HITRUST certification may stall many contracts until the entity takes the proper steps to rectify its position.