How to Scope a HITRUST Engagement

by Sarah Harvey / July 17th, 2018

One of the most frequent questions that our Information Security Specialists are asked when engaging in a HITRUST CSF assessment with a client for the first time is, “What is the purpose of narrowing the scope of the engagement?” This is a great question and the answer is simple: everything that you do in a HITRUST CSF assessment is about your scope. The larger your scope is, the more complex your audit will be.

When you’re in the beginning stages of a HITRUST CSF assessment, narrowing your scope makes obtaining HITRUST CSF certification more feasible. Think of it this way: if you’re a hospital and you’re wanting to obtain HITRUST CSF certification, you wouldn’t attempt to certify get the entire hospital. That could entail millions of records, processes, technologies, and personnel. Because hospitals are collections of systems and each system is its own complex, detailed entity, it would be extremely difficult, time consuming, and costly to certify an entire hospital. On the other hand, if you were to narrow your scope to focus solely on your billings department or your ICU department, you would make HITRUST CSF certification more attainable.

How Do You Begin Narrowing Your Scope?

Narrowing your scope isn’t as challenging as one might think. Like any large project, it’s best to start small and take it piece by piece. To do so, you’ll need to define system and control boundaries to determine exactly what you want to get HITRUST CSF certified. Having these boundaries in place allows for a better understanding of what your needs and goals are for obtaining HITRUST CSF certification. When setting system boundaries, you would ask yourself questions, such as:

• What systems actually perform the process that you want to certify? What people are involved? How do they interact with your records?
• Where do you store your data? How do you collect it, process it, or remove it?
• What devices, protocols, or systems move that data between the components of your system or interactions with your clients? How do people give you the data to process? How do you transfer data to users?

Going a step further, after defining your system boundaries, you need to set control boundaries. You can do this by asking:

• How do you maintain your systems?
• What systems could impact the security of your processes?
• Are you using patch management?

What Documentation is Needed?

Understanding how you use data is fundamental to understanding your scope, so the following documentation is absolutely necessary when narrowing your scope:

1. Data flow diagram: This is essential for understanding how data flow through your network.
2. Network diagram: This is essential for understanding how your environment fits together.
3. System inventory: This is essential for understanding what systems are involved within your scope boundaries.
4. System management procedures: This is essential for understanding how you’re managing your systems.

Once your boundaries are set and have defined exactly what you want to certify, you can begin to establish the demographics of your scope.

Determining Scoping Demographics

Aside from setting boundaries, you need to determine your scoping demographics. These demographics determine your custom set of requirement statements that you must comply with to attain HITRUST CSF certification. This is where narrowing your scope might get tricky because the more demographics that you include, the more requirement statements you’ll have to comply with to achieve HITRUST CSF certification. The following factors should be accounted for when narrowing your scope:

1. Organization and Entity Type: The first scoping demographic to decide on is your organization and entity type, which identifies your organization’s risk and complexity. The entity type will be either a business associate or covered entity. There are more options for organization types, such as service providers, payers, hospital facilities, pharmacies, etc.
2. Organizational Factors: These factors drive the majority of the requirement statements. Organizational factors represent the number of records that could be lost due to a catastrophic breach. You’ll be asked to identify how many records you have, ranging from less than 10 million to over 60 million.
3. Geographic Factors: These factors are based on where your organization collects, processes, maintains uses, shared, or disposes of information. The amount of risk that an organization whose operations are centralized in one state as opposed to multiple states would greatly vary, so the amount of controls included in the scope would change. There are also even more risk factors associated with moving data off shore.
4. Systems Factors: Determining how your systems process, store, and transmit data is essential when limiting your scope. You’ll need to  answer a series of questions to identify the accessibility of your system, if your system transmits or receives data from third parties, and if mobile devices are used in your environment. You’ll also need to determine how many systems you connect to on a permanent basis, how many system users there are, and the number of transactions per day.
5. Regulatory Factors: Determining your compliance needs greatly impacts the number of requirement statements applicable to your organization. Including an additional framework such as state-specific requirements, FISMA, or GDPR in your HITRUST CSF assessment could completely change your scope.

By following each of these steps, not only will HITRUST CSF certification be more attainable for your organization, but you’ll see a greater return on investment. Don’t waste your time and money by having too broad of a scope when you engage in a HITRUST CSF assessment. When you work closely with one of our Information Security Specialists, we’ll work hard to assist you in narrowing your scope to set your organization up for success.

Ready to get started on your HITRUST CSF assessment journey? Let us help! Contact us today to get started.