Have you had a client tell your organization that it needs to have a SOC 1 audit performed? If your immediate reaction was, “What is a SOC 1?”, that’s completely normal. You’re in the right place!

Have you ever had your boss ask you “What is a SOC 1 audit?” and need a project timeline as soon as possible? You’re also in the right place! Have you seen competitors announce their compliance and wondered, “What is a SOC 1 and why is the competition pursuing one?” Don’t worry, we’ll cover that, too. Let’s answer three basic questions about SOC 1 audits:

  • What is a SOC 1?
  • Why do I need a SOC 1?
  • What are the benefits of a SOC 1?

What is a SOC 1 Compliance Audit?

A Service Organization Control 1 (SOC 1) engagement (the AICPA renamed the family to System and Organization Controls in 2017, and the later section of this page uses that name) is an audit of the internal controls (policies, procedures, and technologies) that a service organization has implemented and that are relevant to its clients’ financial reporting. SOC 1 audits are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18). SOC 1 reports are designed to report on the controls at a service organization that are relevant to its clients’ internal control over financial reporting, for example controls over the completeness and accuracy of the transactions it processes on a client’s behalf. A SOC 1 engagement helps a service organization find and close control gaps that could introduce errors into the client information it processes, and it confirms that the controls it relies on are suitably designed and operating effectively.

We most commonly perform a SOC 1 for small to medium-sized service providers who deliver managed services, application services, or any type of third-party service. Now that we’ve figured out what a SOC 1 is, the next thing to consider is: why do I need a SOC 1?

Why do I need a SOC 1?

If you’ve ever asked, “What is a SOC 1?” then you’ve probably also wondered, “Why do I need a SOC 1?” SOC 1 engagements are designed specifically for service providers. Let’s say your organization provides payment processing services to clients. The transactions you process flow into your clients’ financial statements, so a failure in your controls could affect their financial reporting; that is precisely the situation a SOC 1 is meant to address. Your service organization may need a SOC 1 report because a client or regulatory body is requesting it, or because you’re being proactive with information security and compliance.

A SOC 1 report demonstrates to your clients that you take the security of sensitive data seriously. You’ve hired a third-party auditing firm, working under SSAE 18, to validate that your controls are suitably designed and operating effectively; you’re gaining assurance and maturing your environment. All of this assures your clients that their sensitive information is being handled in accordance with their expectations.

Culture of Compliance

We see many service organizations initially engage in an audit, like a SOC 1, because it’s something they are required to do by a client or regulatory body. An audit can be costly, time-consuming, and confusing – we know. So when something like a SOC 1 audit is forced on an organization, it can create a negative outlook on the entire auditing process. This attitude towards compliance makes organizations reluctant to give the audit their full effort or attention. Because a SOC 1 audit deals with something as important as internal control over financial reporting, it’s vital that the engagement receives the full attention it deserves.

We believe that the best-kept industry secret to achieving compliance success is creating a culture of compliance within your organization. Compliance isn’t a quick fix to all of your security needs; it’s a constant cycle of improvement. Audits are healthy for any organization. They help you see how you can grow and mature. After two or three years of audits, our clients come to appreciate the advantages that an audit brings.

The Benefits of a SOC 1 Audit

A SOC 1 audit can bring so many benefits to your company, especially if a culture of compliance has been created. The top six benefits of a SOC 1 include:

  • Verifying that your organization has the proper internal controls and processes in place to deliver high quality services to your clients.
  • Evaluating your policies and procedures, which are crucial to the operability of your organization.
  • Assuring clients that their sensitive data is protected, building trust between service providers and user organizations.
  • Removing the internal blinders; personnel often can’t or don’t want to see vulnerabilities that an experienced auditor does.
  • Strengthening your environment, and teaching you ways to mature your practices.
  • Giving you a competitive advantage by demonstrating your commitment to security.


The SSAE 16 (now SSAE 18) is a Service Organization Control Report. Most of the service organizations that we audit are small to medium size service providers who are delivering managed services, application services, or any type of third-party or outsourced service that a client has hired them to do. I’ve found that clients initially do this audit because they’re being required to do it, they’re being forced to do it, but later on in the process, they come to appreciate what an audit does for them.

An audit is very helpful to you as a small to medium size service provider because it helps you to validate what you’re doing, it helps you to see whether or not the controls that you’ve put into place are effective, and it’s a very valuable resource for an experienced auditor to review you without the blinders that sometimes we have on internally. When an external auditor comes in, they’re able to bring their experience and perspective to your environment and controls and provide you with very valuable guidance and recommendations to strengthen your environment. We’ve had clients who’ve been working with us for three or more years say, “The first year, I didn’t want to do it. It was just a task that we had to do.” But after year two and three, they start to see that an audit is very helpful and healthy for an organization to receive that validation and recommendations about how they can mature in their practices.

As many organizations are new to the HITRUST CSF, we receive a lot of questions regarding HITRUST CSF compliance. Certified HITRUST CSF Practitioner, Jessie Skibbe, has presented to us the top five frequently asked questions about HITRUST. Here are her answers:

Top 5 Frequently Asked Questions about HITRUST

I was just told that I need to be HITRUST certified by December 31, 2017. What should I do?

First, don’t panic, because KirkpatrickPrice is going to help you get through it. It’s important to keep in mind that on average, a Self-Assessment and Validated Assessment for certification will take you about four and a half months to complete. It does require planning, and although there are certain things that can be shortened, there are a lot of time frames that you cannot shorten. For example, the Self-Assessment itself will likely only take 30-60 days, but after that you must allow time to remediate. The Validated Assessment takes 90 days, allowing a couple of weeks for Quality Assurance, and then four to six weeks for HITRUST to develop and complete the certification report. Be sure to keep those time frames in mind when working backwards to meet a deadline.

If I have a SOC 2 utilizing the HITRUST framework, is that the same thing as being HITRUST certified?

Not necessarily. There are three options when it comes to incorporating the HITRUST CSF into your SOC 2 report. The first option is just a SOC 2 using the Trust Services Principles. In this instance, we will list the mapping from HITRUST to the TSPs under Section 5 of the report. The second option is a SOC 2 +. In this option, the HITRUST CSF controls are incorporated into the body of the report. In this case, the CPA firm is issuing an opinion on overall HITRUST CSF compliance. This option does not include certification. The third, and final, option is a SOC 2 + HITRUST in which the SOC 2 incorporates the HITRUST CSF framework in addition to HITRUST certification. This is both a SOC 2 report and HITRUST CSF certification all in one. In this instance, certification is involved so the use of the MyCSF tool and HITRUST issuing the certification is required.

How many hours should I expect to invest on my end?

Keep in mind it takes about four and a half months to get through the Validated Assessment process, beginning with the Self-Assessment. To answer how many hours, it depends on where you are as far as your overall maturity. Do you have policies and procedures documented and in place? Do you need to implement any new controls? Starting with the Self-Assessment will give you a good idea of where your organization currently stands and where it needs to be.

How much should I expect this assessment to cost?

Depending on the type of assessment and report, fees will vary. A Self-Assessment (which you go through yourself using the MyCSF tool) will cost you about $2,500. A Validated Assessment requires you to engage with HITRUST as well as the assessor firm that is going to perform the assessment work. In this case, you will have fees coming from two different organizations. HITRUST fees start at $3,750. Fees are based on the number of users you want to have access to the MyCSF tool as well as things like your company’s annual revenue. As far as fees owed to the assessor, if you are a level 1 from an organizational and risk standpoint (service provider IT/non-IT), you can expect to pay around $10,000-$20,000. There are several varying factors that go into the amount of work that the assessor firm will need to accomplish. As we’ve mentioned before, the CSF is scalable, so you’ll need to work with your assessor firm to determine your scope and your true assessment cost.

I’m already compliant with PCI DSS. Do I still need to do the Self-Assessment? Or can I avoid doing the Self-Assessment?

No, you can’t avoid doing the Self-Assessment. There is a difference between PCI DSS and HITRUST CSF because HITRUST is a risk management framework and PCI DSS is a compliance framework. Whereas HITRUST is scalable and based on risk factors, PCI DSS is very compliance-focused and black and white. Although there may be a crossover between controls, the requirements are different and not all of the HITRUST CSF controls are covered in something like PCI DSS.

Hopefully our video series on Navigating HITRUST CSF Compliance has been helpful in preparing for your HITRUST compliance journey. If you need help getting started or have any further questions regarding HITRUST CSF Certification or building your relationship with HITRUST, contact KirkpatrickPrice today!

We get a lot of questions on HITRUST CSF compliance. That is why this last video, video #6 in our navigating HITRUST CSF compliance series, is all about those frequently asked questions. I’m Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice and Certified HITRUST CSF Practitioner. Let’s get started with those questions.

We commonly hear this: I was just told that I need to be HITRUST certified by December 31, 2017. What should I do? Well, first of all, you may want to panic just a little bit and then get over it, because we’re here to help you through this. The reason for a little bit of the panic is the time frame involved. Something to keep in mind is that on average, it’s going to take you at least four and a half months to get through the Self-Assessment and the Validated Assessment in order to get certified. It’s something that does require a little bit of planning. There are certain things that can be shortened, but there are some time frames that cannot be shortened. For example, you could probably get through the assessment in about 30-60 days (the Self-Assessment), but beyond that there is time to remediate, 90 days in total to complete the Validated Assessment, a couple of weeks in there for the Quality Assurance work, and then there’s four to six weeks for HITRUST to actually develop and complete the certification report (if certification is granted). Keep those time frames in mind when you’re working backwards towards a deadline.

The second question we most commonly receive is: If I have a SOC 2 utilizing the HITRUST framework, is that the same thing as being HITRUST certified? The answer to that is: not necessarily. There’s three options when it comes to incorporating the HITRUST CSF in your SOC 2 report. The first option is just a SOC 2 in itself, using the Trust Services Principles. In this situation, under Section 5 of the report which is an attested section, we can simply list the mapping from HITRUST over to the TSPs. This just serves to be informational to the people reading the report. Option number two is referred to as a SOC 2+. In this situation, the HITRUST CSF controls are brought into the body of the report. In this case, the CPA firm is issuing an opinion on overall HITRUST CSF compliance. This is again not certification. Only option #3 that I’m going to describe to you, which is a SOC 2 incorporating the HITRUST framework in addition to the HITRUST certification being attached or appended to the report. This is both a SOC 2 report and HITRUST certification all in one. In this situation, as I mentioned before, certification is involved, therefore use of the MyCSF tool and HITRUST issuing that certification is required. So only the last option would be considered HITRUST certification.

Another question we commonly get is: How many hours should I expect to invest on my end? Keeping in mind what we answered previously, if it takes about four and a half to five months to get through the Validated Assessment process (beginning with the Self-Assessment), it depends on where you are as far as your overall maturity. Do you have policies and procedures, or do you need to write those? Do you need to implement new controls? It really starts with that Self-Assessment to get a good idea of where you are and where you need to go. Until that Self-Assessment is performed, it’s tough to estimate exactly how many hours will be required.

The fourth question that I want to talk to you about today, and something that I would also be wondering if I was on your side, is: How much should I expect for the assessment to cost? Keep in mind that depending on the type of assessment report, fees are going to vary. A Self-Assessment report, which is something that you go through on your own using the MyCSF tool and really only maintain a relationship with HITRUST at that point unless you require or would like to have the assistance of an assessment firm, can be completed on your own using the MyCSF tool. That’s going to cost you about $2,500. In that situation, you get access to the MyCSF tool for 90 days and you also get a Self-Assessment report that helps you focus on where the gaps that you need to remediate are. Beyond that, you have the Validated Assessment. In the case of a Validated Assessment, you’re going to need to engage with HITRUST to receive a Validated Assessment report and you’re also going to need to engage with the Assessor firm that’s going to perform the assessment work; so, you have fees for the Validated Assessment report coming from 2 different companies. In that case, HITRUST fees start at $3,750. Fees range based on the number of users you want to have access to the MyCSF tool, as well as things such as your annual company revenue. You will want to contact HITRUST directly to get the fees associated with the Validated Assessment report. I can tell you from the Assessor point of view, giving you just a ballpark of what that would cost you; if you are basically a level 1 from an organizational and risk standpoint for a service provider IT/non-IT, you can expect to pay around $10,000-$20,000. I’m giving you a wide range because there are a lot of different varying factors that go into the amount of work that the Assessor firm will need to do. There are up to 845 requirement statements and that really varies based on the overall scalability of the CSF. You want to work with your Assessor firm, hopefully it’s KirkpatrickPrice, to get that scope nailed down to get the true assessment cost.

The last question that I commonly get is: I’m already compliant with PCI DSS. Do I still need to do the Self-Assessment? Can I avoid doing the Self-Assessment? I would say no. There’s a difference between PCI and the HITRUST CSF because HITRUST is a risk management framework, versus something like PCI DSS which is a compliance framework. Very different. HITRUST is scalable and based on risk factors. PCI is very black and white and very compliance-focused. Although there may be crossover between the controls, there’s very different requirements. Policy, Process (Procedure), Implemented, Measured, and Managed – the controls in place are very different. Not all of the HITRUST CSF controls are covered in something such as PCI.

That concludes our 6-part series on navigating HITRUST CSF compliance. I want to thank you for watching these videos. I really hope it was a valuable use of your time. We at KirkpatrickPrice really strive at educating, empowering, and inspiring our clients and we hope you enjoyed the content that we presented here. If you did enjoy the content, I strongly encourage you to subscribe to our channel. Also check out our website because it’s full of very useful content – blog posts that you can subscribe to, white papers that you can download – it’s all there and free for you. Please feel free to reach out to us directly at the contact information below. Again, thank you for joining us and I hope to see you again soon!

HITRUST is becoming a buzzword around the healthcare industry. Many business associates are being asked by clients to obtain HITRUST CSF certification. Many business associates are looking for a way to demonstrate compliance with HIPAA laws and maintain a competitive advantage in the industry. If you are brand new to HITRUST CSF and aren’t quite sure where to start, take a look at these five things your organization should do first on the path to compliance.

Get Started with HITRUST Compliance

Step 1 – Familiarize yourself with HITRUST CSF

The first thing your organization should do when considering HITRUST CSF certification is to familiarize yourself with the CSF. The HITRUST CSF can be downloaded directly from HITRUST’s website. Navigating the CSF controls may feel a bit overwhelming in this 586-page document, so we advise organizations to refer back to our video on understanding the controls. The CSF can be helpful whether you’re going through a Self-Assessment or a Validated Assessment because it lays out all of the controls, each implementation requirement, as well as how each control maps to other frameworks.

Step 2 – Define the Scope of your Assessment

The second step your organization must take in the process is defining the scope of your assessment. Scoping is important for any type of assessment as it helps you set your objectives by answering some important questions: What are the systems in your network that contain sensitive data? Where are these systems located? Knowing the boundaries and limitations of your scope will help you determine who needs to be involved from those respective business units. Using things like network diagrams and data flow diagrams can be helpful when narrowing your scope in preparation for your HITRUST CSF engagement.

Step 3 – Determine Assessment Type and Report

Next, your organization must determine which assessment type and report option are right for you. The most common assessment is the Security Assessment. This assessment requires the evaluation of 66 controls. There is also an option to add a Privacy element to the assessment, if applicable. Another assessment option is the Comprehensive Assessment, which includes all 149 controls within the CSF. Selecting this option will depend on your internal requirements, client requirements, and whether or not certification is required. This assessment also has an optional Privacy element. Lastly, there is the NIST Cybersecurity Framework. This assessment option is the least common, but is available if it is something that is applicable to your organization. Once you’ve decided which assessment to pursue, you must determine which report type is right for your organization. There are currently five HITRUST report options: SOC 2, SOC 2 +, SOC 2 + HITRUST, HITRUST CSF Self-Assessment, and HITRUST CSF Validated Assessment. Only the last of these, the Validated Assessment (whether on its own or combined with a SOC 2), results in HITRUST certification.

Step 4 – Assemble a Project Team and Develop a Plan

Step four in the process is to assemble a project team and develop a plan. This means that you need to assign responsibility to make sure you have the right players involved in the HITRUST process. Depending on your scope, it is possible you may have various business units and geographical locations to include. The HITRUST risk management framework incorporates policies, procedures, administrative, and technical controls. This is why it is important to have the right people involved in order to address each requirement implementation.

Step 5 – Build Relationships

You’ve downloaded the HITRUST CSF, established your scope, selected an assessment type and report option, and assembled your team to begin working on your HITRUST CSF compliance. Lastly, you must build relationships. If you’re pursuing a Validated Assessment or working towards achieving certification, you must first develop a relationship with HITRUST directly. You also must develop a relationship with an assessor firm, such as KirkpatrickPrice. The assessor firm must be an approved firm by HITRUST. This three-way relationship will be the key to your HITRUST CSF compliance journey.

If you have any questions regarding which steps you need to be taking to pursue your HITRUST CSF compliance objectives, contact us today!

Hi, this is Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice. This is our 5th video in our series for navigating HITRUST CSF compliance. This video today is for those of you who are brand new to HITRUST. We get a lot of calls, people really don’t know where to start, and that’s totally understandable. This may be another framework, one that’s new to you, or something that was just requested based on a client demand. I want to give you the first 5 things that you should do to get yourself on the path to compliance.

We’re starting with step 1. Step 1 is to familiarize yourself with the HITRUST CSF. How you do that is you go to their website and download it. Some of you may not know that it’s free to download as long as you’re a qualified organization. Reading it and understanding it can be tedious; it’s about a 586-page document. If you have any trouble navigating the controls themselves, please refer back to a previous video that I’ve recorded that breaks that down for you and hopefully helps you figure that out. The reason that you should have it is because whether you’re going through a Self-Assessment or whether you’re going through a Validated Assessment, it’s just a great resource to have on hand. All of the controls are laid out, every single implementation requirement is listed, as well as how it maps to other frameworks. As I mentioned, it’s a lengthy document, it’s full of great information, it’s definitely the very first thing you should have when you start working on your HITRUST CSF compliance.

Step 2 in the process is defining the scope of your assessment. Whether you’re doing a Self-Assessment or a Validated Assessment, or whether you’re having this in a SOC 2 report, you need to know what defines the scope. Where are the systems in your network that contain the data that needs to be protected? In some organizations, this may be a business unit; you may be able to separate that based on geographical location. In fact, if you’re a smaller organization, it may be your entire network or your entire organization. Knowing where that scope is and where those boundaries are will help you determine which people you need to involve from those respective business units into your project as you head down this path. Using things like network diagrams, like business units, and geographical locations can help you narrow down the scope. The systems containing the ePHI are what you want to focus on. Where are those systems located? How can you define scope around that to know where you’re starting for your assessment?

Step 3 in the process is knowing which assessment type and report option are right for you. The report options that HITRUST has in place right now, there are 5 of them. The most common, which is what we see most often, is the Security Assessment. The Security Assessment requires the evaluation of 66 controls, as of version 8.1. There’s also the option to add Privacy to that assessment, if that applies to you. Also something to consider is what’s called the Comprehensive Assessment, and that includes all 149 controls within the framework. That may or may not be used based on your internal requirements versus those going for certification to satisfy a client requirement. Another type of assessment available to you is the NIST Cybersecurity Framework. That’s less common, but it is available to you if that’s something you want to pursue. Once you’ve decided the assessment option, you have to determine which report is right for you. The report options that you have available to you are listed here, starting with the SOC 2. The SOC 2, because of the relationship/agreement that is in place between the AICPA and HITRUST, allows you to utilize the HITRUST framework within the SOC 2 report. What that really means is that as a third party, as a CPA firm, we are attesting to your compliance against the framework. That’s much different than actual certification, so that’s important to understand. A SOC 2+ using HITRUST without certification is not certification. Your next option on the list here is a SOC 2 + HITRUST certification. Now that may be used, for example, if you already have a SOC 2 to satisfy some of your clients and you want to add HITRUST certification to satisfy the others. It combines both into one process. Keep in mind in this situation, whenever certification is involved, HITRUST and the MyCSF tool are always involved, as HITRUST is the only one that can issue that certification. This is a way of combining those 2 reports into 1.
You also have, as a report option, the HITRUST CSF Self-Assessment. Going through the MyCSF tool, answering and responding to all the requirement statements, you do have the ability to get a Self-Assessment report from HITRUST in that scenario. This is the minimal level of providing assurance to your clients, but it is a really good way and the fastest way to get a report that demonstrates to someone what your compliance is. The other, the most popular, is getting a HITRUST CSF Validated Assessment. This is what’s actually required for certification. If certification is a requirement, you have 2 options here: using the SOC 2 and HITRUST combined effort, or pursuing the Validated Assessment to get your certification. By now, you’ve downloaded the CSF, you understand the meaning and the intent behind the risk management framework, you’ve effectively scoped your environment, you know which systems and which business units are in that scope, you’ve decided which assessment type and which report option you’re going to go forward with.

The very next thing to do is step 4. Assemble a project team and develop a plan. What that means is you’re going to assign responsibility and you’re going to make sure you have the right players involved in the process. Depending on your scope, you may have various business units, various geographical locations to pull in. The reason why you need this team is because the HITRUST risk management framework incorporates policies, procedures, administrative, and technical controls. Having the right people to address the requirement implementations is key. Assemble that team of people, make sure policies and procedures are addressed, as well as the technical implementation of the controls, and divide and conquer that so you have help when you are facilitating your plan.

At this point, you’ve downloaded the CSF, you’ve established your scope, you’ve chosen an assessment type and a report option, you’ve assembled your internal team to begin working on your compliance. Step 5 in this process that I want you to be aware of, is the relationships that you must build. If your end result is a Validated Assessment, or if you’re working towards achieving CSF certification, you need to understand that you have to have a relationship with HITRUST directly. In our diagram here, you as the client must also retain a relationship with HITRUST. You also have to retain a relationship with an Assessor firm, such as KirkpatrickPrice. There’s a 3-way relationship going on. The Assessor firm has to be an approved Assessor firm by HITRUST, so the relationship there must already exist. Establishing a relationship directly with HITRUST to get you on track with your Self-Assessment, or get signed up for your Validated Assessment is something you want to plan to do ahead of time to make sure you’re going to meet your deadline. Also, involve your Assessor firm when that’s reasonable for you. If you need help with any of steps 1-4, you may want to consider involving your Assessor firm early. Some of the things – such as the Self-Assessment process that you go through – may be done on your own, but it may also involve an Assessor firm to act as a guide. You may need some help along the way with policies, procedures, or general guidance. Feel free to involve your Assessor firm earlier on in the process to make sure you’re on the right track. Definitely, when you put your project plan together, make sure that your Assessor firm can meet your deadline, as far as when you want to have your report done.

That concludes our 5-step process. Keep in mind that these are not the only 5 things you have to do, just the first 5 things that we’re recommending you start with. If you need help along the way, please consider involving your Assessor firm, such as KirkpatrickPrice. You can contact us directly at the link below. We hope you found this information useful and we thank you for your time today.

When it comes to SOC (System and Organization Controls) reports, there are three different SOC report types: SOC 1, SOC 2, and SOC 3. When considering which report fits your organization’s needs, you must first understand what your clients require of you and then consider the areas of internal control over financial reporting (ICFR), the Trust Services Criteria, and restricted use. Each SOC report type fulfills a different purpose, and organizations should understand which report will best meet their needs before embarking on the SOC audit process.

SOC 1 vs. SOC 2 vs. SOC 3

The System and Organization Controls were developed by the American Institute of CPAs (AICPA). In the context of SOC reports, internal controls are the policies and procedures an organization designs to meet its objectives for operations, compliance with laws and regulations, and financial reporting. Following an audit of those controls by a licensed CPA, the auditor issues a SOC report that user organizations can rely on as an independent assessment of the auditee’s controls.

There are three different SOC report types, although, in most cases, organizations choose between a SOC 1 and SOC 2 report. Both result from an audit of internal controls, although they focus on different aspects of those controls. In a nutshell, SOC 1 focuses on internal controls relevant to a service user’s financial statements, whereas SOC 2 reports on controls relevant to various aspects of information security.

What Is a SOC 1 Report?

SOC 1 engagements are based on the SSAE 18 standard and report on the effectiveness of internal controls at a service organization that may be relevant to their client’s internal control over financial reporting (ICFR).

What Is a SOC 2 Report?

A SOC 2 audit evaluates internal controls, policies, and procedures that directly relate to the security of a system at a service organization. The SOC 2 report was designed to determine if service organizations are compliant with the following categories: security, availability, processing integrity, confidentiality, and privacy, which are also known as the Trust Services Criteria. These principles address internal controls unrelated to ICFR.

What Is a SOC 3 Report?

A SOC 3 report, just like a SOC 2, is based on the Trust Services Criteria, but there’s a major difference between these types of reports: restricted use. A SOC 3 report can be freely distributed, whereas SOC 1 and SOC 2 reports can only be read by the user organizations that rely on your services. A SOC 3 does not give a description of the service organization’s system, but it can provide interested parties with the auditor’s report on whether an entity maintained effective controls over its systems as it relates to the Trust Services Criteria.

In addition to these distinctions, organizations can also choose between Type I and Type II SOC reports. We explain the distinction in greater depth in What’s the Difference Between SOC 2 Type I and SOC 2 Type II?

When trying to determine whether your service organization needs a SOC 1, SOC 2, or SOC 3 audit, keep these requirements in mind:

  • Could your service organization affect a client’s financial reporting? A SOC 1 would apply to you.
  • Does your service organization want to be evaluated on the Trust Services Criteria? SOC 2 and SOC 3 reports would work.
  • Does restricted use affect your decision? SOC 1 and SOC 2 reports can only be read by the user organizations that rely on your services. A SOC 3 report can be freely distributed and used in many different applications.

Each of these reports must be issued by a licensed CPA firm, such as KirkpatrickPrice. We offer SOC 1, SOC 2, and SOC 3 engagements. To learn more about KirkpatrickPrice’s SOC services, contact us today.

What is the difference between SOC 1, SOC 2, and SOC 3 reports? SOC reports are Service Organization Control reports.

SOC 1 reports work off of the SSAE 16 (now SSAE 18), which is about internal control over financial reporting. As a service organization, you may affect your user organization’s financial reporting. If so, a SOC 1 is the one for you.
Trust Services Principles have to do with criteria dealing with security, availability, processing integrity, confidentiality, and privacy. Those Principles work with SOC 2 and SOC 3 reports.

SOC 1 and SOC 2 reports are restricted in use. They are only to be read by the user organizations who rely upon your services, whereas a SOC 3 can be used in many different applications.

Finally, these 3 types of reports need to be issued by a licensed CPA firm that specializes in this particular industry and the industry that you work in. KirkpatrickPrice is a licensed CPA firm that can help you with all three types of reports – the SOC 1, SOC 2, and SOC 3.

Whether you are doing a HITRUST CSF Self-Assessment or Validated Assessment, you will be required to score your organization’s compliance with the controls according to the HITRUST Maturity Model. For organizations familiar with the Plan, Do, Check, Act model – a cycle which starts with direction and tone from the top and is used as a template for continuous improvement – you will find similarities within the HITRUST Maturity Model and scoring system. This model acts as assurance that each control in the HITRUST CSF has been properly implemented.

The HITRUST CSF Maturity Model

The Maturity Model used by the HITRUST CSF is categorized into 5 steps. This model is intended to be a continuous improvement cycle, implemented by all organizations seeking to comply with the HITRUST CSF. These steps are as follows:

  1. Policy – Does an organization know what it is supposed to do? Are the requirements stated in the policy understood by the organization? Are the appropriate implementation requirements listed in the policy? Is the policy communicated to all employees who need to know?
  2. Process – Also known as procedure. Does the organization know how to do what it is supposed to do? Does the process follow the policy, assign responsibility, and give further instruction for carrying out the policy? Keeping the implementation requirements in mind, are they documented within the process? Is the process understood by those who it applies to?
  3. Implemented – Has the control been implemented? Does the organization implement all elements of a specified control and is it implemented everywhere it should be implemented? Is the intent of each control being met and followed? Can it be tested?
  4. Measured – Are you able to measure the performance of the control? How is that control being measured for success? Can you provide a statistical analysis? Are threats being continuously re-evaluated?
  5. Managed – Does the organization correct any problems that are identified while monitoring the effectiveness of the control? Do you understand and are you managing security vulnerabilities? Are controls being adapted to emerging threats and the changing landscape?

While 75% of your score comes from Policy, Process, and Implemented, assurance that the control will continue to be effective is indicated by Measured and Managed. This model should be a cycle of continuous improvement and the core functionality of a successful information security management system. This model is used by HITRUST and by CSF Assessors to assess your overall compliance with each objective in the HITRUST CSF. To obtain certification, you must receive a 3+ or a 3 with a corrective action plan in each of the assessment categories.

How are HITRUST Controls Scored?

During the assessment process, how do you select the right score? It is important to understand how the controls are scored and how the calculation works. The HITRUST scoring process uses a compliance scale consisting of the following:

  • Non-Compliant (NC)
  • Somewhat Compliant (SC)
  • Partially Compliant (PC)
  • Mostly Compliant (MC)
  • Fully Compliant (FC)

As you work through the many implementation requirements, you will ask yourself, “Am I somewhat compliant with this control based on the calculation?” “Am I fully compliant?” Your scores will determine whether you are compliant with the HITRUST CSF. For help with your HITRUST CSF compliance journey or information security management system, contact me today at s.morris@3.95.165.71.

Hi, this is Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice. Thank you for joining us today! We’re continuing on in our video series for navigating HITRUST CSF compliance. This is video #4 in our series. Just to take you back very briefly on where we’ve been so far – we’ve talked about who HITRUST is and a high-level overview of what the CSF is and why it was developed. We’ve also talked about the controls, how they’re made up, and how to apply them to your organization based on the risk factors involved, and how to apply the levels. We also talked about, in our last video, the assessment types and the report options. That’s all leading you to where we are today. Today’s discussion is going to be about the scoring mechanism and how the controls are scored.

Whether you’re doing a Self-Assessment or a Validated Assessment, you must score your compliance with the controls according to the Maturity Model. This makes sense knowing that the CSF was developed based on ISO principles. If you’re familiar with the “Plan, Do, Check, Act” model, it starts with direction and tone at the top, then what’s implemented, and then continues that cycle of improvement by monitoring and acting on those controls in motion. In the Maturity Model scoring that’s used by HITRUST and the CSF for either a Self-Assessment or a Validated Assessment, there are 5 areas, beginning with policy. Policies, Process (Procedures), Implemented, Measured, and Managed – those are the 5 different areas.

We’re all pretty familiar with policies. “Are there requirements stated in the policy or standard that are understood by the organization?” In this situation, what you’re doing is you’re looking through the CSF and you’re looking for those implementation requirements. As an assessor, we’re looking for if it’s listed in a policy and if it’s communicated with employees who need to know. The second area, which involves process/procedures, follows those policies. They assign responsibility and they give further instruction on carrying out that overall policy. Taking those implementation requirements in mind, you’re going to want to know if they’re documented within the procedures, or if that procedure is understood by those that are responsible for following that procedure.

We’re also testing to see if that control has been implemented. Taking into consideration, again, those implementation requirements, part of our testing as an assessor or part of your internal testing during a Self-Assessment is measuring out: is that implemented? Is this control and the intent of the control being followed? Can it be tested? Can it be tested for operational effectiveness? Again – Policy, Procedures, Implemented. These 3 areas make up about 75% of the overall score. HITRUST realizes it’s very much a “walk before you run” scenario. In the Maturity Model, as far as achieving certification goes, these are the 3 most important areas to make sure are in place for every control. The other 2 that make up the other 25% of the 100% of the score are Measured and Managed. Measured meaning can you put some sort of statistical analysis, can you use a calculation to measure the performance of that control. Again, taking into consideration the implementation requirements, how is that control measured? How is it being measured for success? You obviously can’t really manage something unless you have a measurement system to tell how it’s reacting, so Measured and Managed very much go together. Managed meaning are you taking that feedback from your measurement, are you actually acting upon it, are you making improvements. Again, this very much follows along the lines of the “Plan, Do, Check, Act” model. It’s a cycle of continuous improvement. It’s the core functionality of an effective security management system. This is the model that HITRUST utilizes and we as assessors use to manage your overall compliance with that control objective.

One of the most important things to understand, and I think this is missed when you first download the CSF initially and it’s your first take at looking at it, is that you really don’t know or have an understanding of how controls are scored. I want to walk you through that today because if you’re going for the Validated Assessment, this is what the assessor is going to be assessing you against. This is what will dictate whether or not you are certified. In order to achieve certification, you must have a 3+ or a 3 with a Corrective Action Plan in each of the 19 assessment categories. This is something that you initially start, you evaluate yourself using the tool, and I’m going to walk you through that. The assessor comes and either agrees or disagrees with your evaluation after some testing. Then HITRUST gathers all of that information and decides whether or not you are meeting compliance and can achieve certification. That, from a high-level, is how that works.

To dig deeper into how the controls are actually scored, I’ve presented you with this graphic. This happens behind the scenes when you’re working in the MyCSF tool, but I think it’s important to understand how the calculation works. If you’re reading through all of the implementation requirements, you have to understand if you’re somewhat compliant with X control based on the calculation, or if you’re fully compliant with X control. There’s a lot of different categories and areas in which you’re scored. Just stepping through this, we have across the top: Policy, Procedures, Implemented, Measured, and Managed. It’s really important to understand that 75% of your overall score, meaning 75% of that total that goes towards that 1-3 rating, comes from Policy, Procedure, and Implemented. That’s because the most important thing in this “walk before you run” scenario that HITRUST has in place, is that it’s in a policy, it’s in a procedure, people know how to do it, and it’s fully implemented, meaning it can be tested to prove effectiveness. Measured and Managed are more for those mature organizations that have systems in place to measure the performance of a control. Think about internal audit, think about gathering statistics, vulnerability scanning, think about antivirus, think about ways that you can apply a statistical analysis to how effective a control is. Maybe it’s, “Every time I test it, it’s 90% effective.” Maybe it’s, “Every time I test it, it fails 30% of the time.” Whatever that measurement is, think about Measured as the testing and monitoring of controls. Managed is really taking those measurements and making changes to your environment based on that statistical analysis. It’s that continuous cycle of improvement. It’s about Policy, Procedure, Implemented, and then measuring it and managing it from a monitoring standpoint. Again, across the top you’re looking at Policy, Procedures, Implemented, Measured, and Managed.
Along those lines, you have an opportunity to receive a 0-100 score even in those categories from a subcategory level. Let’s say, for example, Policy. Your policy may consider 0% of the implementation requirements. In that case, you would receive no score for that particular item. But, for example, if you had some of the CSF implementation requirements being met or there’s some sort of ad hoc way of testing and understanding of that, you may be able to achieve 75% in that category. As you’re answering questions in the MyCSF tool or as you’re measuring your own compliance using the HITRUST documentation, just keep in mind that this is how you’re going to be scored when you’re going for either a Validated Assessment or you’re doing a Self-Assessment evaluation. You need to know if you’re meeting the control, if you’re meeting some of the control, or if you’re meeting none of it. That’s how the scoring model works.

The important thing to take away from this is not that you’re expected to know all of these calculations that are going on behind the scenes. The point that I want to make is that if you’re a smaller organization and you don’t have a robust internal audit department or a way to effectively or cost-effectively do the measuring and managing that’s needed to meet compliance 100% across the board, focus in on the Policy, Procedure, and Implementation areas. If you can show that you’re meeting 100% compliance – meaning that your policies are meeting the implementation requirements, your procedures are documented and can be understood by the employees that are performing them, and that it can be tested for operational effectiveness – you are going to pass that control. You are going to meet compliance with that control. There is a certain percentage of Measured and Managed that should be in place in order to achieve certification, but it’s important to understand that the focus needs to be placed on the Policy, Procedure, and Implementation areas. From a smaller company perspective, or even a larger company, that may not have 100% coverage of all of these controls, focusing in on those 3 key areas will help you achieve certification.

Thank you so much for joining us for this video. We hope that you found the information useful. Next up in our video series, we’re going to give you steps 1-5 of things you should do right now to get yourself on your way to HITRUST compliance or certification. We look forward to seeing you then! If you need any information right now, you can reach out to KirkpatrickPrice directly by clicking the link below. We’d love to see you at our next video!