HITRUST Compliance White Papers
7 Deadly Sins of a HITRUST CSF Assessment
At KirkpatrickPrice, we’ve worked with clients of all sizes – from startups to enterprise-level organizations. By working with so many organizations of varying sizes and industries, we’ve been able to identify seven primary pitfalls that make for a challenging audit environment, all of which represent initial difficulties that often lead to a failed or very drawn-out HITRUST validated assessment attempt.
In recognizing how significant these pitfalls are, our firm has designed our engagements to address these early and often over the course of the assessment, raising red flags whenever one is discovered. The following seven deadly sins of HITRUST, while in no particular order, are all of primary significance to the audit as a whole and occur with roughly the same frequency. To begin, let’s look at one of the biggest misconceptions about HITRUST.
Preparing for a HITRUST CSF Assessment
If you’re managing healthcare data, it’s critical from a business and reputational standpoint to protect yourself from risk and maintain a strong relationship with your clients who are also trying to mitigate their risks. HITRUST certification is a great way to ensure this is happening.
As a HITRUST Authorized CSF Assessor, we recommend following six steps to prepare for a HITRUST CSF assessment.
HITRUST Compliance Webinars
Defining HITRUST CSF Compliance
Have you just received “the letter” from a top client indicating you must become HITRUST CSF Certified within “X” months? Did your boss just ask you for a project timeline on how long it would take to become HITRUST CSF Certified? Do you need to know how to become HITRUST CSF Certified in order to stay competitive in the healthcare market? Are you looking for a way to demonstrate compliance with the HIPAA Security Rule? Are you a business associate in the healthcare industry that keeps hearing about HITRUST CSF, but you’re not sure what it is or what it means to be compliant? If any of these apply to you, then this is the webinar for you! Download the full webinar to hear Jessie Skibbe’s expertise on HITRUST CSF requirements.
HITRUST Scoping 101
Are you in the process of preparing for a HITRUST CSF assessment? Do you need more information about how to properly scope your engagement? In this webinar, Shannon Lane, an Information Security Specialist at KirkpatrickPrice, will cover all things related to HITRUST CSF scoping, such as how HITRUST expects you to scope your engagement, what boundaries you should set, and how to determine your scoping demographics.
Management’s Responsibilities During a HITRUST CSF Assessment
When your organization begins preparing to undergo a HITRUST CSF assessment, management needs to review what their own responsibilities are, regardless of how small some of them might seem. For example, does your organization have an executive charter in place that delegates the responsibilities of the CISO? What level of involvement do your C-level executives have in your information security program?
In this webinar, Shannon Lane dives into one of the most commonly missed components of a HITRUST CSF assessment, the executive charter, and provides guidance on how your organization should go about ensuring that one is in place.
The HITRUST CSF Assessment Process and Beyond
So far in this webinar series, you’ve learned who HITRUST is, what the HITRUST CSF is, how to scope your environment, and which risk factors affect your defined scope. In this webinar, Jessie Skibbe outlines HITRUST’s Maturity Model for control scoring, the assessment process, report options and timeline projections, and some strategies for maintaining compliance.
Using the HITRUST CSF Maturity Model
Organizations are often overwhelmed by the technical terminology and the number of requirements in the HITRUST CSF. However, while the HITRUST CSF may be daunting at first glance, the HITRUST CSF is not like any other framework. Achieving HITRUST CSF certification goes beyond showing whether or not you’re doing something; it shows how well you’re doing it. In order to do this, organizations are scored on how well they perform on each requirement statement. In this webinar, KirkpatrickPrice Lead Practitioner, Shannon Lane, discusses requirement statements, using the HITRUST CSF Maturity Model, and scoring.
What to Expect from Your First HITRUST CSF Assessment
Have you been thinking about engaging in a HITRUST CSF assessment? Have you been approached about getting HITRUST CSF certified? Are you wondering what the timeframe for a HITRUST CSF assessment looks like? Do you want to learn about the responsibilities and expectations that you, your assessor, and HITRUST will face during an assessment?
In this webinar, Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice, and Shannon Lane, Information Security Specialist with KirkpatrickPrice, will answer these questions and more to give you the steps needed to start your HITRUST CSF compliance journey.
HITRUST Compliance Videos
Episode 1 – Who is HITRUST & What is the HITRUST CSF?
Have you been asked by a top client to become HITRUST CSF certified? Are you looking for a better way to demonstrate compliance with HIPAA laws? What exactly is HITRUST and how does it apply to your organization? KirkpatrickPrice is an approved HITRUST CSF Assessor, prepared to help Business Associates understand who HITRUST is, what the HITRUST CSF is, and how you can apply HITRUST CSF certification to your organization.
Episode 2 – How to Navigate HITRUST CSF Controls
Getting started with your HITRUST certification journey can be overwhelming; the CSF is a lengthy framework containing 845 requirement statements spread over three implementation levels. Here is a step-by-step guide for understanding how to navigate the makeup of each control by determining the scope of the assessment, determining your unique risk factors, and knowing which level applies to your organization.
Episode 3 – HITRUST CSF Assessment & Report Options
When navigating your HITRUST CSF compliance journey, there are a few different assessment and reporting options to consider. But before you start the process of determining which HITRUST CSF assessment and report is right for you, it’s important to fully understand what your client is requesting. Have you received a letter from a client in the mail? Are you reviewing an RFP? The first question you must know the answer to is whether certification is required or not. Once you know what your client is asking for, you can determine your level of engagement with the HITRUST CSF and which assessment type makes sense based on your business objectives.
Episode 4 – How are HITRUST Controls Scored? The HITRUST CSF Maturity Model
Whether you are doing a HITRUST CSF Self-Assessment or Validated Assessment, you will be required to score your organization’s compliance with the controls according to the HITRUST Maturity Model. For organizations familiar with the Plan, Do, Check, Act model – a cycle which starts with direction and tone from the top and is used as a template for continuous improvement – you will find similarities within the HITRUST Maturity Model and scoring system. This model acts as assurance that each control in the HITRUST CSF has been properly implemented.
Episode 5 – 5 Things You Need to Get Started with HITRUST Compliance
HITRUST is becoming a buzzword around the healthcare industry. Many business associates are being asked by clients to obtain HITRUST CSF certification. Many business associates are looking for a way to demonstrate compliance with HIPAA laws and maintain a competitive advantage in the industry. If you are brand new to HITRUST CSF and aren’t quite sure where to start, take a look at these five things your organization should do first on the path to compliance.
Episode 6 – Understanding HITRUST – Top 5 HITRUST FAQs
As many organizations are new to the HITRUST CSF, we receive a lot of questions regarding HITRUST CSF compliance. Certified HITRUST CSF Practitioner, Jessie Skibbe, has presented to us the top five frequently asked questions about HITRUST. Here are her answers:
HITRUST Compliance Blog Posts
HITRUST Update: HITRUST CSF® v9.3 Release
HITRUST®, a leader in information security and privacy risk management and compliance programs, has announced a much-anticipated update to the HITRUST CSF in an effort to remain one of the leading data protection standards. HITRUST CSF v9.3 adds new privacy and security standards and updates six others existing within the certifiable framework. These changes were made in response to the ever-shifting information security landscape that is consistently updated with new laws and regulations.
How to Scope a HITRUST Engagement
One of the most frequent questions that our Information Security Specialists are asked when engaging in a HITRUST CSF assessment with a client for the first time is, “What is the purpose of narrowing the scope of the engagement?” This is a great question and the answer is simple: everything that you do in a HITRUST CSF assessment is about your scope. The larger your scope is, the more complex your audit will be.
What is a HITRUST Interim Assessment?
If you’re new to the HITRUST CSF® assessment process, you might be wondering just how different the audit process is from other audits. The requirement of the interim assessment is one of the main ways that HITRUST® certification is unique. What happens during this interim review? Let’s take a look at what you can expect during a HITRUST interim assessment.
HITRUST® Across Industries: Where the HITRUST CSF® v9.2 is Headed
Today, HITRUST released the much-anticipated HITRUST CSF v9.2. The changes reflect HITRUST’s effort to leverage international standards and expand adoption into new industries, such as financial services, travel and hospitality, media and entertainment, telecommunications, and startups.