Episode 6 – Understanding HITRUST – Top 5 HITRUST FAQs

As many organizations are new to the HITRUST CSF, we receive a lot of questions regarding HITRUST CSF compliance. Certified HITRUST CSF Practitioner, Jessie Skibbe, has presented to us the top five frequently asked questions about HITRUST. Here are her answers:

Top 5 Frequently Asked Questions about HITRUST

I was just told that I need to be HITRUST certified by December 31, 2017. What should I do?

First, don’t panic, because KirkpatrickPrice is going to help you get through it. It’s important to keep in mind that on average, a Self-Assessment and Validated Assessment for certification will take you about four and a half months to complete. It does require planning, and although there are certain things that can be shortened, there are a lot of time frames that you cannot shorten. For example, the Self-Assessment itself will likely only take 30-60 days, but after that you must allow time to remediate. The Validated Assessment takes 90 days, allowing a couple of weeks for Quality Assurance, and then four to six weeks for HITRUST to develop and complete the certification report. Be sure to keep those time frames in mind when working backwards to meet a deadline.

If I have a SOC 2 utilizing the HITRUST framework, is that the same thing as being HITRUST certified?

Not necessarily. There are three options when it comes to incorporating the HITRUST CSF into your SOC 2 report. The first option is just a SOC 2 using the Trust Services Principles. In this instance, we will list the mapping from HITRUST to the TSPs under Section 5 of the report. The second option is a SOC 2 +. In this option, the HITRUST CSF controls are incorporated into the body of the report. In this case, the CPA firm is issuing an opinion on overall HITRUST CSF compliance. This option does not include certification. The third, and final, option is a SOC 2 + HITRUST in which the SOC 2 incorporates the HITRUST CSF framework in addition to HITRUST certification. This is both a SOC 2 report and HITRUST CSF certification all in one. In this instance, certification is involved so the use of the MyCSF tool and HITRUST issuing the certification is required.

How many hours should I expect to invest on my end?

Keep in mind it takes about four and a half months to get through the Validated Assessment process, beginning with the Self-Assessment. To answer how many hours, it depends on where you are as far as your overall maturity. Do you have policies and procedures documented and in place? Do you need to implement any new controls? Starting with the Self-Assessment will give you a good idea of where your organization currently stands and where it needs to be.

How much should I expect this assessment to cost?

Depending on the type of assessment and report, fees will vary. A Self-Assessment (which you go through yourself using the MyCSF tool) will cost you about $2,500. A Validated Assessment requires you to engage with HITRUST as well as the assessor firm that is going to perform the assessment work. In this case, you will have fees coming from two different organizations. HITRUST fees start at $3,750. Fees are based on the number of users you want to have access to the MyCSF tool as well as things like your company’s annual revenue. As far as fees owed to the assessor, if you are a level 1 from an organizational and risk standpoint (service provider IT/non-IT), you can expect to pay around $10,000-$20,000. There are several varying factors that go into the amount of work that the assessor firm will need to accomplish. As we’ve mentioned before, the CSF is scalable, so you’ll need to work with your assessor firm to determine your scope and your true assessment cost.

I’m already compliant with PCI DSS. Do I still need to do the Self-Assessment? Or can I avoid doing the Self-Assessment?

No, you can’t avoid doing the Self-Assessment. There is a difference between PCI DSS and HITRUST CSF because HITRUST is a risk management framework and PCI DSS is a compliance framework. Whereas HITRUST is scalable and based on risk factors, PCI DSS is very compliance-focused and black and white. Although there may be a crossover between controls, the requirements are different and not all of the HITRUST CSF controls are covered in something like PCI DSS.

Hopefully our video series on Navigating HITRUST CSF Compliance has been helpful in preparing for your HITRUST compliance journey. If you need help getting started or have any further questions regarding HITRUST CSF Certification or building your relationship with HITRUST, contact me today at s.morris@kirkpatrickprice.com.

Video Transcription

We get a lot of questions on HITRUST CSF compliance. That is why this last video, video #6 in our navigating HITRUST CSF compliance series, is all about those frequently asked questions. I’m Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice and Certified HITRUST CSF Practitioner. Let’s get started with those questions.

We commonly hear this: I was just told that I need to be HITRUST certified by December 31, 2017. What should I do? Well, first of all, you may want to panic just a little bit and then get over it, because we’re here to help you through this. The reason for a little bit of the panic is the time frame involved. Something to keep in mind is that on average, it’s going to take you at least four and a half months to get through the Self-Assessment and the Validated Assessment in order to get certified. It’s something that does require a little bit of planning. There are certain things that can be shortened, but there are some time frames that cannot be shortened. For example, you could probably get through the assessment in about 30-60 days (the Self-Assessment), but beyond that there is time to remediate, 90 days in total to complete the Validated Assessment, a couple of weeks in there for the Quality Assurance work, and then there’s four to six weeks for HITRUST to actually develop and complete the certification report (if certification is granted). Keep those time frames in mind when you’re working backwards towards a deadline.

The second question we most commonly receive is: If I have a SOC 2 utilizing the HITRUST framework, is that the same thing as being HITRUST certified? The answer to that is: not necessarily. There’s three options when it comes to incorporating the HITRUST CSF in your SOC 2 report. The first option is just a SOC 2 in itself, using the Trust Services Principles. In this situation, under Section 5 of the report which is an attested section, we can simply list the mapping from HITRUST over to the TSPs. This just serves to be informational to the people reading the report. Option number two is referred to as a SOC 2+. In this situation, the HITRUST CSF controls are brought into the body of the report. In this case, the CPA firm is issuing an opinion on overall HITRUST CSF compliance. This is again not certification. Only option #3 that I’m going to describe to you, which is a SOC 2 incorporating the HITRUST framework in addition to the HITRUST certification being attached or appended to the report. This is both a SOC 2 report and HITRUST certification all in one. In this situation, as I mentioned before, certification is involved, therefore use of the MyCSF tool and HITRUST issuing that certification is required. So only the last option would be considered HITRUST certification.

Another question we commonly get is: How many hours should I expect to invest on my end? Keeping in mind what we answered previously, if it takes about four and a half to five months to get through the Validated Assessment process (beginning with the Self-Assessment), it depends on where you are as far as your overall maturity. Do you have policies and procedures, or do you need to write those? Do you need to implement new controls? It really starts with that Self-Assessment to get a good idea of where you are and where you need to go. Until that Self-Assessment is performed, it’s tough to estimate exactly how many hours will be required.

The fourth question that I want to talk to you about today, and something that I would also be wondering if I was on your side, is: How much should I expect for the assessment to cost? Keep in mind that depending on the type of assessment report, fees are going to vary. A Self-Assessment report, which is something that you go through on your own using the MyCSF tool and really only maintain a relationship with HITRUST at that point unless you require or would like to have the assistance of an assessment firm, can be completed on your own using the MyCSF tool. That’s going to cost you about $2,500. In that situation, you get access to the MyCSF tool for 90 days and you also get a Self-Assessment report that helps you focus on where the gaps that you need to remediate are. Beyond that, you have the Validated Assessment. In the case of a Validated Assessment, you’re going to need to engage with HITRUST to receive a Validated Assessment report and you’re also going to need to engage with the Assessor firm that’s going to perform the assessment work; so, you have fees for the Validated Assessment report coming from 2 different companies. In that case, HITRUST fees start at $3,750. Fees range based on the number of users you want to have access to the MyCSF tool, as well as things such as your annual company revenue. You will want to contact HITRUST directly to get the fees associated with the Validated Assessment report. I can tell you from the Assessor point of view, giving you just a ballpark of what that would cost you; if you are basically a level 1 from an organizational and risk standpoint for a service provider IT/non-IT, you can expect to pay around $10,000-$20,000. I’m giving you a wide range because there are a lot of different varying factors that go into the amount of work that the Assessor firm will need to do. There are up to 845 requirement statements and that really varies based on the overall scalability of the CSF. You want to work with your Assessor firm, hopefully it’s KirkpatrickPrice, to get that scope nailed down to get the true assessment cost.

The last question that I commonly get is: I’m already compliant with PCI DSS. Do I still need to do the Self-Assessment? Can I avoid doing the Self-Assessment? I would say no. There’s a difference between PCI and the HITRUST CSF because HITRUST is a risk management framework, versus something like PCI DSS which is a compliance framework. Very different. HITRUST is scalable and based on risk factors. PCI is very black and white and very compliance-focused. Although there may be crossover between the controls, there’s very different requirements. Policy, Process (Procedure), Implemented, Measured, and Managed – the controls in place are very different. Not all of the HITRUST CSF controls are covered in something such as PCI.

That concludes our 6-part series on navigating HITRUST CSF compliance. I want to thank you for watching these videos. I really hope it was a valuable use of your time. We at KirkpatrickPrice really strive at educating, empowering, and inspiring our clients and we hope you enjoyed the content that we presented here. If you did enjoy the content, I strongly encourage you to subscribe to our channel. Also check out our website because it’s full of very useful content – blog posts that you can subscribe to, white papers that you can download – it’s all there and free for you. Please feel free to reach out to us directly at the contact information below. Again, thank you for joining us and I hope to see you again soon!

Episode 5 – 5 Things You Need to Get Started with HITRUST Compliance

HITRUST is becoming a buzzword around the healthcare industry. Many business associates are being asked by clients to obtain HITRUST CSF certification. Many business associates are looking for a way to demonstrate compliance with HIPAA laws and maintain a competitive advantage in the industry. If you are brand new to HITRUST CSF and aren’t quite sure where to start, take a look at these five things your organization should do first on the path to compliance.

Get Started with HITRUST Compliance

Step 1 – Familiarize yourself with HITRUST CSF

The first thing your organization should do when considering HITRUST CSF certification is to familiarize yourself with the CSF. The HITRUST CSF can be downloaded directly from HITRUST’s website. Navigating the CSF controls may feel a bit overwhelming in this 586-page document, so we advise organizations to refer back to our video on understanding the controls. The CSF can be helpful whether you’re going through a Self-Assessment or a Validated Assessment because it lays out all of the controls, each implementation requirement, as well as how each control maps to other frameworks.

Step 2 – Define the Scope of your Assessment

The second step your organization must take in the process is defining the scope of your assessment. Scoping is important for any type of assessment as it helps you set your objectives by answering some important questions: What are the systems in your network that contain sensitive data? Where are these systems located? Knowing the boundaries and limitations of your scope will help you determine who needs to be involved from those respective business units. Using things like network diagrams and data flow diagrams can be helpful when narrowing your scope in preparation for your HITRUST CSF engagement.

Step 3 – Determine Assessment Type and Report

Next, your organization must determine which assessment type and report option are right for you. The most common assessment is the Security Assessment. This assessment requires the evaluation of 66 controls. There is also an option to add a Privacy element to the assessment, if applicable. Another assessment option is the Comprehensive Assessment, which includes all 149 controls within the CSF. Selecting this option will depend on your internal requirements, client requirements, and whether or not certification is required. This assessment also has an optional Privacy element. Lastly, there is the NIST Cybersecurity Framework. This assessment option is the least common, but is available if it is something that is applicable to your organization. Once you’ve decided which assessment to pursue, you must determine which report type is right for your organization. There are currently five HITRUST report options: SOC 2, SOC 2 +, SOC 2 + HITRUST, HITRUST CSF Self-Assessment, and HITRUST CSF Validated Assessment. More information on these options can be found here.

Step 4 – Assemble a Project Team and Develop a Plan

Step four in the process is to assemble a project team and develop a plan. This means that you need to assign responsibility to make sure you have the right players involved in the HITRUST process. Depending on your scope, it is possible you may have various business units and geographical locations to include. The HITRUST risk management framework incorporates policies, procedures, administrative, and technical controls. This is why it is important to have the right people involved in order to address each requirement implementation.

Step 5 – Build Relationships

You’ve downloaded the HITRUST CSF, established your scope, selected an assessment type and report option, and assembled your team to begin working on your HITRUST CSF compliance. Lastly, you must build relationships. If you’re pursuing a Validated Assessment or working towards achieving certification, you must first develop a relationship with HITRUST directly. You also must develop a relationship with an assessor firm, such as KirkpatrickPrice. The assessor firm must be an approved firm by HITRUST. This three-way relationship will be the key to your HITRUST CSF compliance journey.

If you have any questions regarding which steps you need to be taking to pursue your HITRUST CSF compliance objectives, contact me today at s.morris@kirkpatrickprice.com.
Video Transcription

Hi, this is Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice. This is our 5th video in our series for navigating HITRUST CSF compliance. This video today is for those of you who are brand new to HITRUST. We get a lot of calls, people really don’t know where to start, and that’s totally understandable. This may be another framework, one that’s new to you, or something that was just requested based on a client demand. I want to give you the first 5 things that you should do to get yourself on the path to compliance.

We’re starting with step 1. Step 1 is to familiarize yourself with the HITRUST CSF. How you do that is you go to their website and download it. Some of you may not know that it’s free to download as long as you’re a qualified organization. Reading it and understanding it can be tedious; it’s about a 586-page document. If you have any trouble navigating the controls themselves, please refer back to a previous video that I’ve recorded that breaks that down for you and hopefully helps you figure that out. The reason that you should have it is because whether you’re going through a Self-Assessment or whether you’re going through a Validated Assessment, it’s just a great resource to have on hand. All of the controls are laid out, every single implementation requirement is listed, as well as how it maps to other frameworks. As I mentioned, it’s a lengthy document, it’s full of great information, it’s definitely the very first thing you should have when you start working on your HITRUST CSF compliance.

Step 2 in the process is defining the scope of your assessment. Whether you’re doing a Self-Assessment or a Validated Assessment, or whether you’re having this in a SOC 2 report, you need to know what defines the scope. Where are the systems in your network that contain the data that needs to be protected? In some organizations, this may be a business unit; you may be able to separate that based on geographical location. In fact, if you’re a smaller organization, it may be your entire network or your entire organization. Knowing where that scope is and where those boundaries are will help you determine which people you need to involve from those respective business units into your project as you head down this path. Using things like network diagrams, like business units, and geographical locations can help you narrow down the scope. The systems containing the ePHI are what you want to focus on. Where are those systems located? How can you define scope around that to know where you’re starting for your assessment?

Step 3 in the process is knowing which assessment type and report option are right for you. The report options that HITRUST has in place right now, there’s 5 of them. The most common, which is what we see most often, is the Security Assessment. The Security Assessment requires the evaluation of 66 controls, as of version 8.1. There’s also the option to add Privacy to that assessment, if that applies to you. Also something to consider is what’s called the Comprehensive Assessment, and that includes all 149 controls within the framework. That may or may not be used based on your internal requirements versus those going for certification to satisfy a client requirement. Another type of assessment available to you is the NIST Cybersecurity Framework. That’s less common, but it is available to you if that’s something you want to pursue. Once you’ve decided the assessment option, you have to determine which report is right for you. The report options that you have available to you are listed here, starting with the SOC 2. The SOC 2, because of the relationship/agreement that is in place between the AICPA and HITRUST, allows you to utilize the HITRUST framework within the SOC 2 report. What that really means is that as a third party, as a CPA firm, we are attesting to your compliance against the framework. That’s much different than actual certification, so that’s important to understand. A SOC 2+ using HITRUST without certification is not certification. Your next option on the list here is a SOC 2 + HITRUST certification. Now that may be used, for example, if you already have a SOC 2 to satisfy some of your clients and you want to add HITRUST certification to satisfy the others. It combines both into one process. Keep in mind in this situation, whenever certification is involved, HITRUST and the MyCSF tool are always involved, as HITRUST is the only one that can issue that certification. This is a way of combining those 2 reports into 1.
You also have, as a report option, the HITRUST CSF Self-Assessment. Going through the MyCSF tool, answering and responding to all the requirement statements, you do have the ability to get a Self-Assessment report from HITRUST in that scenario. This is the minimal level of providing assurance to your clients, but it is a really good way and the fastest way to get a report that demonstrates to someone what your compliance is. The other, the most popular, is getting a HITRUST CSF Validated Assessment. This is what’s actually required for certification. If certification is a requirement, you have 2 options here: using the SOC 2 and HITRUST combined effort, or pursuing the Validated Assessment to get your certification. By now, you’ve downloaded the CSF, you understand the meaning and the intent behind the risk management framework, you’ve effectively scoped your environment, you know which systems and which business units are in that scope, you’ve decided which assessment type and which report option you’re going to go forward with.

The very next thing to do is step 4. Assemble a project team and develop a plan. What that means is you’re going to assign responsibility and you’re going to make sure you have the right players involved in the process. Depending on your scope, you may have various business units, various geographical locations to pull in. The reason why you need this team is because the HITRUST risk management framework incorporates policies, procedures, administrative, and technical controls. Having the right people to address the requirement implementations is key. Assemble that team of people, make sure policies and procedures are addressed, as well as the technical implementation of the controls, and divide and conquer that so you have help when you are facilitating your plan.

At this point, you’ve downloaded the CSF, you’ve established your scope, you’ve chosen an assessment type and a report option, you’ve assembled your internal team to begin working on your compliance. Step 5 in this process that I want you to be aware of, is the relationships that you must build. If your end result is a Validated Assessment, or if you’re working towards achieving CSF certification, you need to understand that you have to have a relationship with HITRUST directly. In our diagram here, you as the client must also retain a relationship with HITRUST. You also have to retain a relationship with an Assessor firm, such as KirkpatrickPrice. There’s a 3-way relationship going on. The Assessor firm has to be an approved Assessor firm by HITRUST, so the relationship there must already exist. Establishing a relationship directly with HITRUST to get you on track with your Self-Assessment, or get signed up for your Validated Assessment is something you want to plan to do ahead of time to make sure you’re going to meet your deadline. Also, involve your Assessor firm when that’s reasonable for you. If you need help with any of steps 1-4, you may want to consider involving your Assessor firm early. Some of the things – such as the Self-Assessment process that you go through – may be done on your own, but it may also involve an Assessor firm to act as a guide. You may need some help along the way with policies, procedures, or general guidance. Feel free to involve your Assessor firm earlier on in the process to make sure you’re on the right track. Definitely, when you put your project plan together, make sure that your Assessor firm can meet your deadline, as far as when you want to have your report done.

That concludes our 5-step process. Keep in mind that these are not the only 5 things you have to do, just the first 5 things that we’re recommending you start with. If you need help along the way, please consider involving your Assessor firm, such as KirkpatrickPrice. You can contact us directly at the link below. We hope you found this information useful and we thank you for your time today.

Episode 4 – How are HITRUST Controls Scored? The HITRUST CSF Maturity Model

Whether you are doing a HITRUST CSF Self-Assessment or Validated Assessment, you will be required to score your organization’s compliance with the controls according to the HITRUST Maturity Model. For organizations familiar with the Plan, Do, Check, Act model – a cycle which starts with direction and tone from the top and is used as a template for continuous improvement – you will find similarities within the HITRUST Maturity Model and scoring system. This model acts as assurance that each control in the HITRUST CSF has been properly implemented.

The HITRUST CSF Maturity Model

The Maturity Model used by the HITRUST CSF is categorized into 5 steps. This model is to be a continuous improvement cycle, implemented by all organizations seeking to comply with the HITRUST CSF. These steps are as follows:

  1. Policy – Does an organization know what it is supposed to do? Are the requirements stated in the policy understood by the organization? Are the appropriate implementation requirements listed in the policy? Is the policy communicated to all employees who need to know?
  2. Process – Also known as procedure. Does the organization know how to do what it is supposed to do? Does the process follow the policy, assign responsibility, and give further instruction for carrying out the policy? Keeping the implementation requirements in mind, are they documented within the process? Is the process understood by those who it applies to?
  3. Implemented – Has the control been implemented? Does the organization implement all elements of a specified control and is it implemented everywhere it should be implemented? Is the intent of each control being met and followed? Can it be tested?
  4. Measured – Are you able to measure the performance of the control? How is that control being measured for success? Can you provide a statistical analysis? Are threats being continuously re-evaluated?
  5. Managed – Does the organization correct any problems that are identified while monitoring the effectiveness of the control? Do you understand and are you managing security vulnerabilities? Are controls being adapted to emerging threats and the changing landscape?

While 75% of your score comes from Policy, Process, and Implemented, assurance that the control will continue to be effective is indicated by Measured and Managed. This model should be a cycle of continuous improvement and the core functionality of a successful information security management system. This model is used by HITRUST and by CSF Assessors to assess your overall compliance with each objective in the HITRUST CSF. To obtain certification, you must receive a 3+ or a 3 with a corrective action plan in each of the assessment categories.

How are HITRUST Controls Scored?

During the assessment process, how do you select the right score? It is important to understand how the controls are scored and how the calculation works. The HITRUST scoring process uses a compliance scale consisting of the following:

  • Non-Compliant (NC)
  • Somewhat Compliant (SC)
  • Partially Compliant (PC)
  • Mostly Compliant (MC)
  • Fully Compliant (FC)

As you work through the many implementation requirements, you will ask yourself, “Am I somewhat compliant with this control based on the calculation?” “Am I fully compliant?” Your scores will determine whether you are compliant with the HITRUST CSF. For help with your HITRUST CSF compliance journey or information security management system, contact me today at s.morris@kirkpatrickprice.com.

Video Transcript

Hi, this is Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice. Thank you for joining us today! We’re continuing on in our video series for navigating HITRUST CSF compliance. This is video #4 in our series. Just to take you back very briefly on where we’ve been so far – we’ve talked about who HITRUST is and a high-level overview of what the CSF is and why it was developed. We’ve also talked about the controls, how they’re made up, and how to apply them to your organization based on the risk factors involved, and how to apply the levels. We also talked about, in our last video, the assessment types and the report options. That’s all leading you to where we are today. Today’s discussion is going to be about the scoring mechanism and how the controls are scored.

Whether you’re doing a Self-Assessment or a Validated Assessment, you must score your compliance with the controls according to the Maturity Model. This makes sense knowing that the CSF was developed based on ISO principles. If you’re familiar with the “Plan, Do, Check, Act” model, which starts with direction and tone at the top, what’s implemented, and then continuing that cycle of improvement by monitoring and acting on those controls in motion. In the Maturity Model scoring that’s used by HITRUST and the CSF for either a Self-Assessment or a Validated Assessment, there are 5 areas, beginning with policy. Policies, Process (Procedures), Implemented, Measured, and Managed – those are the 5 different areas.

We’re all pretty familiar with policies. “Are there requirements stated in the policy or standard that are understood by the organization?” In this situation, what you’re doing is you’re looking through the CSF and you’re looking for those implementation requirements. As an assessor, we’re looking for if it’s listed in a policy and if it’s communicated with employees who need to know. The second area, which involves process/procedures, follows those policies. They assign responsibility and they give further instruction on carrying out that overall policy. Taking those implementation requirements in mind, you’re going to want to know if they’re documented within the procedures, or if that procedure is understood by those that are responsible for following that procedure.

We’re also testing to see if that control has been implemented. Taking into consideration, again, those implementation requirements, part of our testing as an assessor or part of your internal testing during a Self-Assessment is measuring out: is that implemented? Is this control and the intent of the control being followed? Can it be tested? Can it be tested for operational effectiveness? Again – Policy, Procedures, Implemented. These 3 areas make up about 75% of the overall score. HITRUST realizes it’s very much a “walk before you run” scenario. In the Maturity Model, as far as achieving certification goes, these are the 3 most important areas to make sure are in place for every control. The other 2 that make up the other 25% of the 100% of the score are Measured and Managed. Measured meaning can you put some sort of statistical analysis, can you use a calculation to measure the performance of that control. Again, taking into consideration the implementation requirements, how is that control measured? How is it being measured for success? You obviously can’t really manage something unless you have a measurement system to tell how it’s reacting, so Measured and Managed very much go together. Managed meaning are you taking that feedback from your measurement, are you actually acting upon it, are you making improvements. Again, this very much follows along the lines of the “Plan, Do, Check, Act” model. It’s a cycle of continuous improvement. It’s the core functionality of an effective security management system. This is the model that HITRUST utilizes and we as assessors use to manage your overall compliance with that control objective.

One of the most important things to understand, and I think this is missed when you first download the CSF initially and it’s your first take at looking at it, is that you really don’t know or have an understanding of how controls are scored. I want to walk you through that today because if you’re going for the Validated Assessment, this is what the assessor is going to be assessing you against. This is what will dictate whether or not you are certified. In order to achieve certification, you must have a 3+ or a 3 with a Corrective Action Plan in each of the 19 assessment categories. This is something that you initially start, you evaluate yourself using the tool, and I’m going to walk you through that. The assessor comes and either agrees or disagrees with your evaluation after some testing. Then HITRUST gathers all of that information and decides whether or not you are meeting compliance and can achieve certification. That, from a high-level, is how that works.

To dig in deeper to how the controls are actually scored, I’ve presented you with this graphic. This happens behind the scenes when you’re working in the MyCSF tool, but I think it’s important to understand how the calculation works. If you’re reading through all of the implementation requirements, you have to understand if you’re somewhat compliant with X control based on the calculation, or if you’re fully compliant with X control. There’s a lot of different categories and areas in which you’re scored. Just stepping through this, we have across the top: Policy, Procedures, Implemented, Measured, and Managed. It’s really important to understand that 75% of your overall score, meaning 75% of that total that goes towards that 1-3 rating, comes from Policy, Procedure, and Implemented. That’s because the most important thing in this “walk before you run” scenario that HITRUST has in place, is that it’s in a policy, it’s in a procedure, people know how to do it, and it’s fully implemented, meaning it can be tested to prove effectiveness. Measured and Managed are more for those mature organizations that have systems in place to measure the performance of a control. Think about internal audit, think about gathering statistics, vulnerability scanning, think about antivirus, think about ways that you can apply a statistical analysis to how effective a control is. Maybe it’s, “Every time I test it, it’s 90% effective.” Maybe it’s, “Every time I test it, it fails 30% of the time.” Whatever that measurement is, think about Measured as the testing and monitoring of controls. Managed is really taking those measurements and making changes to your environment based on that statistical analysis. It’s that continuous cycle of improvement. It’s about Policy, Procedure, Implemented, and then measuring it and managing it from a monitoring standpoint. Again, across the top you’re looking at Policy, Procedures, Implemented, Measured, and Managed. 
Along those lines, you have an opportunity to receive a 0-100 score even in those categories from a subcategory level. Let’s say, for example, Policy. Your policy may consider 0% of the implementation requirements. In that case, you would receive no score for that particular item. But, for example, if you had some of the CSF implementation requirements being met or there’s some sort of ad hoc way of testing and understanding of that, you may be able to achieve 75% in that category. As you’re answering questions in the MyCSF tool or as you’re measuring your own compliance using the HITRUST documentation, just keep in mind that this is how you’re going to be scored when you’re going for either a Validated Assessment or you’re doing a Self-Assessment evaluation. You need to know if you’re meeting the control, if you’re meeting some of the control, or if you’re meeting none of it. That’s how the scoring model works.

The important thing to take away from this is not that you’re expected to know all of these calculations that are going on behind the scenes. The point that I want to make is that if you’re a smaller organization and you don’t have a robust internal audit department or a way to effectively or cost-effectively do the measuring and managing that’s needed to meet compliance 100% across the board, focus in on the Policy, Procedure, and Implementation areas. If you can show that you’re meeting 100% compliance – meaning that your policies are meeting the implementation requirements, your procedures are documented and can be understood by the employees that are performing them, and that it can be tested for operational effectiveness – you are going to pass that control. You are going to meet compliance with that control. There is a certain percentage of Measured and Managed that should be in place in order to achieve certification, but it’s important to understand that the focus needs to be placed on the Policy, Procedure, and Implementation areas. From a smaller company perspective, even a larger company, that may not have 100% coverage of all of these controls, focusing in on those 3 key areas will help you achieve certification.

Thank you so much for joining us for this video. We hope that you found the information useful. Next up in our video series, we’re going to give you steps 1-5 of things you should do right now to get yourself on your way to HITRUST compliance or certification. We look forward to seeing you then! If you need any information right now, you can reach out to KirkpatrickPrice directly by clicking the link below. We’d love to see you at our next video!

Episode 3 – HITRUST CSF Assessment & Report Options

When navigating your HITRUST CSF compliance journey, there are a few different assessment and reporting options to consider. But before you start the process of deciding which HITRUST CSF assessment and report is right for you, it’s important to fully understand what your client is requesting. Have you received a letter from a client in the mail? Are you reviewing an RFP? The first question you must know the answer to is whether certification is required or not. Once you know what your client is asking for, you can determine your level of engagement with the HITRUST CSF and which assessment type makes sense based on your business objectives.

HITRUST Assessment Options

CSF Security Assessment

The most common, and baseline, assessment option that organizations choose is the CSF Security Assessment. There are 66 controls that are required for HITRUST certification, and those are directly related to the CSF Security Assessment.

CSF Security Assessment + Privacy Assessment

There is an optional add-on for your CSF Security Assessment, and that is adding a Privacy component. If privacy is a concern of yours or applicable to your business, it will make sense to add the Privacy component to your CSF Security Assessment.

CSF Comprehensive Security Assessment

The CSF Comprehensive Security Assessment option evaluates all 149 controls, including the baseline 66 controls. Organizations will select this assessment option based on client demands. Maybe there will be someone internally, like a stakeholder, who wants to take a holistic approach to how your organization stands against the HITRUST CSF framework. This assessment option evaluates an organization’s information security management system against all the controls in the HITRUST CSF.

CSF Comprehensive Security + Privacy Assessment

Just like with the baseline CSF Security Assessment, there is an option to add a Privacy component to the CSF Comprehensive Security Assessment.

NIST Cybersecurity Assessment

If the NIST Cybersecurity Framework is applicable to your organization, you also have the option to evaluate the HITRUST CSF requirement statements that pertain to the NIST Cybersecurity Framework with the NIST Cybersecurity Assessment option.

HITRUST CSF Report Options

There are several options for demonstrating your compliance with the HITRUST CSF framework. These options include:

  • SOC 2
  • SOC 2 +
  • SOC 2 + HITRUST CSF Certification
  • HITRUST CSF Self-Assessment
  • HITRUST CSF Validated Assessment (Certification)

Some of your clients may accept a HITRUST CSF Self-Assessment only, because a Self-Assessment using the CSF Security Assessment might satisfy the OCR’s requirements for a HIPAA risk analysis, given that the CSF is a risk-based compliance framework. A Self-Assessment is a great way to begin your HITRUST compliance efforts, and is what KirkpatrickPrice recommends to clients who are just starting out. To begin a HITRUST CSF Self-Assessment, you must establish a relationship with HITRUST, log into the MyCSF tool, and select the self-assessment option. A Self-Assessment must be completed within 90 days and results in a finalized report. This option doesn’t provide the highest level of assurance since it is based on your own evaluation and attestation of your organization’s compliance.

A Validated Assessment provides a greater level of information security assurance and is performed by an approved CSF Assessor, like KirkpatrickPrice. Validated assessments include a HITRUST CSF Self-Assessment in which you answer questions and attest to your compliance, followed by a CSF Assessor validating your controls against what you have said is in place.

Once you have decided which assessment type and level of engagement is right for you, you need to know which report is required. A few years ago, HITRUST and the AICPA came to an agreement that the HITRUST CSF framework itself can be used within a SOC 2 Report. In some instances, your client may ask you for either HITRUST CSF Certification or a SOC 2 only. In other cases, depending on if you service different industries, you may have clients that ask for both. In this case, it would benefit most organizations to utilize the HITRUST CSF within the SOC 2 framework, satisfying both. It’s important to remember that clients who are asking for HITRUST CSF Certification will not be satisfied with a SOC 2 only, and you must have the certification element if that is what your client is requiring.

Understanding which HITRUST CSF assessment and report option your clients will accept is key. Contact me at s.morris@kirkpatrickprice.com for more information on which assessment and report type is right for your organization.

Video Transcription

Hello, this is Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice. We’re here today to continue our video series of navigating HITRUST CSF compliance. To take you back to where we’ve been, we started off with video #1 in the series, talking about who HITRUST is, what the CSF is, and what it aims to solve as far as problems in the healthcare industry. In video #2, we started digging deeper and deeper into the CSF itself, helping you determine how to establish scope and how to navigate the controls in greater detail. Today, I want to talk about the assessment options that you have.

You have assessment options and then you have report options to consider. Before you start this process of trying to determine which is right for you, it’s really important to know what your client is requesting. If you are a Business Associate pursuing HITRUST certification or HITRUST compliance, you must understand what your client is asking for. If you’ve received a letter in the mail or if you have been reviewing an RFP that you’re applying for, you must understand if certification is required. That’s first and foremost the important step.

Out of the assessment options that you have, the most common assessment option is the CSF Security Assessment option. That’s what I’ve been referring to all along in this video series as the requirement for certification. There’s 66 controls right now required for HITRUST certification and those are related to the CSF Security Assessment.

The optional add-on, option #2, is the CSF Security + Privacy Assessment. If privacy is a concern of yours or applicable to your business, you may want to select the Security + Privacy option.

The third on the list of assessment options is the CSF Comprehensive Security Assessment. The difference between Comprehensive and Security is that Comprehensive covers all 149 of those controls; beyond that subset of the 66, it covers all 149. The reason for choosing a Comprehensive Assessment may be because your client demands it, although that hasn’t been the norm of what we’ve seen. It may be a situation where someone internally, like a CEO or investment partners, may want to know from a holistic view how you’re doing comprehensively according to the framework. They would want your information security management system to be evaluated against all 149 controls.

Beyond that, you can choose the CSF Comprehensive Security + Privacy Assessment. Again, adding that Privacy component onto that Comprehensive Assessment.

The next option would be if the NIST Cybersecurity Framework applies to you. That seems not to be the common element, but it is an assessment option that’s available to you.

The assessment options will apply whether or not you’re pursuing a Validated Assessment or whether you’re pursuing a SOC 2. Let’s dig deeper into the report options. Once you decide which assessment option is right for you, you need to know what report is required. Some of your clients may accept what’s called a HITRUST CSF Self-Assessment. A HITRUST CSF Self-Assessment, for example, may satisfy the OCR’s requirements for a risk assessment, given it is a risk-based compliance framework. Keep that in mind because a Self-Assessment is an excellent way to begin with your compliance efforts. In fact, that’s what we recommend, to always start with a Self-Assessment. If the Self-Assessment happens, you establish a relationship with HITRUST, you log into the My CSF tool, and you select the Self-Assessment option. The Self-Assessment must be completed within 90 days. It’s all based on your input and your evaluation of controls. What comes out of that is a HITRUST CSF Self-Assessment Report. A Self-Assessment, of course, is not the highest level of information security assurance because it’s all based on how you are evaluating yourself.

The next option, the HITRUST CSF Validated Assessment, is a greater level of information security assurance. In that case, you would hire someone who is a CSF Assessor firm, very much like KirkpatrickPrice, to validate your controls against what you have said is in place. A Validated Assessment is just that; it’s you entering information, it’s you attesting to your compliance, and then it’s someone coming in to validate that.

Another report option to consider is a SOC 2. A couple of years ago, the AICPA and HITRUST came together and came to an agreement that the HITRUST framework itself could be utilized within a SOC 2 report. In some cases, your client may ask you for either certification or a SOC 2; they may ask for either/or. One of the benefits of having a SOC 2 that uses the HITRUST framework is that you may have some clients that ask for both. Maybe some of your clients are in financial services, other clients are in healthcare. Having a SOC 2 performed using the HITRUST framework could satisfy both, but keep in mind that those clients asking for HITRUST certification will not be satisfied with a SOC 2 using HITRUST components. You have to have that certification element if your client is requiring it. In that case, you could do the SOC 2 and then the HITRUST certification could be added to that as an additional component of the SOC 2. There’s lots of different options as far as the assessment types and the report options. Knowing which is right for you is the first step in determining what your next step in your overall compliance objectives should be. This concludes our overview of assessment types and report options. To further assist you in deciding which is right for you, we’ve put together the graphic that you’re seeing now. As you can see, at the starting point is really knowing if certification is required. If certification is required, then navigating the rest of the options is fairly simple. It’s the first question that we would ask you if you called our firm and asked for assistance. We’d want to know if your client is asking for certification or not. Something that you need to know and remember is that if certification is required, HITRUST is the only entity that can issue certification directly; a 3-way relationship must exist.
We have a relationship as a CSF Assessor firm with HITRUST, you have a relationship with HITRUST from using the My CSF tool and requesting that HITRUST CSF Validated Assessment Report, and then we have a relationship with you as our client. That relationship has to be established because HITRUST is the only entity that can issue certification. That word – certification – is always step #1. Knowing if that is required should be the first thing you get an answer to.

In our next video, we’re going to talk about how the scoring mechanism works within the control framework. If a Validated Assessment is chosen and you want to receive certification, you must understand the maturity model and how controls are scored in order to know if you’re going to meet the certification requirements. I hope you’ll join us for our next video! If you need any further information or need assistance immediately, please contact us at the link below.

Episode 2 – How to Navigate HITRUST CSF Controls

Getting started with your HITRUST certification journey can be overwhelming; the CSF is a lengthy framework containing 845 requirement statements spread over three implementation levels. Here is a step-by-step guide for understanding how to navigate the makeup of each control by determining the scope of the assessment, determining your unique risk factors, and knowing which level applies to your organization.

Defining the Scope of your Assessment

The very first thing organizations must do before downloading the HITRUST CSF or beginning any work in the MyCSF tool itself is define the scope of the assessment. Properly scoping your environment is an important step in becoming HITRUST certified. The scope of your assessment will determine the extent to which the CSF controls apply to your organization and whether you are able to minimize or condense the amount of work that needs to be done. Are you assessing a particular business unit? Or a geographical location? Or a segmented network? When determining scope, you must consider all people, processes, and technology that come into contact with sensitive data.

Determining your Risk Factors

The next step in your HITRUST journey should be determining your inherent risk factors. These risk factors consist of organizational, system, and regulatory risks.

Organizational Risk Factors

Organizational risk factors are defined based on the type, size, and complexity of the organization and its environment. Different industries have different requirements. For example, a health plan or insurance company’s implementation level is determined based on the number of covered lives, whereas a medical facility or hospital’s level is determined based on the number of licensed beds. Third party processors must determine their implementation level based on the number of records processed each year. Understanding your unique risk factors is important to know which implementation level applies to your organization.

System Risk Factors

System factors are based on system characteristics that could potentially increase the likelihood or impact of a vulnerability being exploited. The following information must be gathered for all in-scope systems before assessing yourself against the CSF:

  • Are they storing, processing, or transmitting sensitive information?
  • Is it accessible from the internet?
  • Is it accessible by a third party?
  • Is it publicly accessible?
  • Is there mobile technology being used?
  • What is the total number of users?

Regulatory Risk Factors

There are a number of regulatory risk factors that could also affect your in-scope systems. Does PCI DSS apply to your organization? FISMA? FTC Red Flags Rule? HITECH Act? If you know that any of these regulations apply to your organization, you must be sure to implement the associated requirement statements.

Understanding your Implementation Level

Once you have defined your scope and your risk factors, your implementation level can be determined by industry type and organizational risk factor for volume of business, record count, etc. For example, an IT service provider with between 10 and 60 million records and 15 to 60 terabytes of data would be considered level 2 and have to implement controls for level 1 and level 2. If that same provider exceeded 60 million total records or 60 terabytes of data, it would then be considered level 3 and have to implement controls for levels 1, 2, and 3. As you can see, the HITRUST CSF provides a scalable, layered approach based on your unique risk factors and implementation control levels.

Define your scope, determine your risk factors, and start at level 1. Then you can build to level 2 or 3, and include regulatory requirements, as applicable to your organization. If you need help with preparing for a HITRUST certification assessment or navigating the HITRUST CSF controls, contact me today at s.morris@kirkpatrickprice.com.

Video Transcription

In our last video, we talked about the CSF and how it breaks down into numbers. To shorten that, there’s 149 controls spread out over the 14 categories. Keep in mind that only 66 of those controls are required when you’re pursuing certification. What we’re going to talk about in today’s video teaches you how to navigate the controls themselves. The CSF, when you download it from the HITRUST website, is a very lengthy document. There’s a lot of content in there, so I wanted to break it down for you and show you step-by-step the makeup of the controls, how to determine what your risk factors are, which levels affect you, etc. That’s what today’s video is all about. Hopefully you’ll stick with us for our next video, but we’re really wanting to zero-in on the controls themselves today.

Before you open up that CSF document, or before you begin any work in the My CSF tool (say, for example, you’re going through self-assessment), you need to define your scope because the scope is where it all starts. You can possibly limit the scope to condense the amount of work that needs to go into the assessment, like if you have multiple business units, multiple geographic locations, etc. Getting an understanding of what business units are going to be involved in that scope and how to narrow that scope when it seems appropriate. For a lot of smaller organizations, the entire organization may be what’s in scope. It’s really important to start there. If you have a flat network, everything’s going to be in scope because there’s no segmentation. The proper way to segment, if you’re going to take the business or the geographical region approach, you need to make sure you’re scoping from a network perspective to make sure you have proper segmentation in place. Keep that in mind. Always get a clear definition of scope because if there are various business units involved, you’ll want to make sure that the leaders from those business units and the corporate people are brought into the assessment. This is one of the very first things as an assessor firm that we’re going to want to confirm – the scope of your environment. We’re going to want to know the people involved, we’re going to want to know the systems that are involved in that scope because that is what the assessment is going to be performed on. So like I said, whether you’re starting in the My CSF tool or whether you’re starting by just opening up the document to determine what you’re compliant with and what you’re not, really having an understanding of scope is step one. Once you have that defined, you know what systems are in scope and what potential business units are in scope, then you can move into determining what your risk factors are.
We’re talking about inherent risk factors associated with organizational, system, and regulatory items.

The very next thing that you’re going to want to do after you’ve determined what the scope of your environment is, is you’re going to want to make a pretty simple assessment. There are different categories that you must select, whether you’re, again, in the My CSF tool. You have to have an understanding of that if you’re just using the CSF to determine compliance. For example, are you a health information exchange company? Are you a hospital? (Of course, you know the answers to these questions) Are you a payer, pharmacy, physician’s practice, service provider IT, or service provider non-IT (Those are the 2 most common we see for Business Associates)? Understanding whether you’re categorized as a “service provider IT” or whether you’re a “service provider non-IT” is definitely something you need to determine. For example, an IT service provider is generally someone who provides IT services such as cloud services or hosted IT infrastructure. If you fit into that category, you’re definitely a service provider IT. Service providers non IT are companies that are generally defined as Business Associates that provide non-IT-related services such as transcription services and clearing houses. You want to know, for example, what category you fit into, and based on that category, there are some risk factors that you’ll want to know the answers to. Gathering this information before you begin the assessment is critical because it’s going to determine, for example, if level 2 or level 3 applies to your organization. As you’re going through the controls you’re going to want to know the answer, for example if you are service provider IT, to: what is your total record count that you have? If you don’t know the answer to that, there are alternatives such as, what is the annual record count? What is the total volume of data that you have in the systems that are in scope? People often ask me, what is considered a record? 
And, of course, as I just mentioned, you have to know the number of records that you’re maintaining to know which levels apply to you. A record, as defined by HITRUST, is an instance where data items (fields) are stored with a unique identifier. Such records include but are NOT limited to a designated record set as defined under HIPAA. Having an understanding of how many records you have is going to be included in the scope of your assessment.

Gathering this data on the in-scope systems prior to starting the assessment is critical because you need to know where and when those levels 2 and 3 will apply. Also for those in-scope systems, you’re going to want to gather the following information. You don’t have to memorize or write down what I’m saying, it’s all listed in the CSF, but I want to walk through it just to explain it to you.

For example, for the in-scope systems you have to know if they are storing, processing, or transmitting sensitive information. Is it accessible from the internet? Is it accessible by a third party? Is it publicly accessible? Is there mobile technology being used on the in-scope system? What is the total number of users? The important thing is not that I’m giving you the entire list here; the important thing is remembering that you must gather this information prior to jumping in and trying to assess yourself against the controls. Again, step number one is defining the scope. Is it a different business unit? Is it a geographic location? Is it systems that are segmented on the network? Those are the types of things you want to know before you start the assessment. Then, recognizing your organizational factors. How many records do you have, etc. And of course, evaluating the in-scope systems.

The CSF also has a number of regulatory considerations where regulatory inherent risk factors would apply. If, for example, PCI applies to your environment, FISMA, maybe the FTC Red Flags Rule, or the HITECH Act – there’s a list of regulatory factors that may or may not affect the in-scope systems or the scope as you’ve defined it. Understanding that before you get started will also determine which levels apply to you. For example, when you use the My CSF tool, if you’re going through an assessment using the My CSF tool, these are all questions that you have to answer before the questionnaire is built. You have to know the answers to these questions. Most likely, if you’re working with an assessment firm, these are all questions that they’re going to ask you right off the bat before they start working with you. The answers to these questions will determine how many requirement statements actually will apply, so it really determines scalability. Is it going to be a rather small assessment, or is it going to be a rather large assessment? So the answers to these questions from an organizational, from a regulatory, and a system aspect will determine the number of controls that apply and how long or short the assessment is going to be overall.

So now I’m going to break it down. If you have the actual CSF in front of you or downloaded (Version 8.1 as it’s the most current version at the recording of this video), you can follow along. I want to take you to page 280 if you want to follow along. If not, you can just listen to the way I’m describing this. Each control is broken down and the control reference that I’m going to share with you today is the “Physical Entry Control.” In this example, the control specification states (I apologize for reading, but I don’t have these memorized), “Secure areas shall be protected by appropriate entry control to ensure that only authorized personnel are allowed access.” The other thing that you’ll notice in this particular control is there’s an asterisk that says, “Required for HITRUST certification, CSF Version 8.1.” Every control that is required for certification – again, it’s one of those 66 controls – is defined within the CSF as required for certification. If it’s not listed there, you know that this is not a control that would apply if you’re working towards certification as the end result. So for this particular control, we’ve read the control specification and we know that its factor type is organizational. This means that the organizational risk factors that we talked about a minute ago really come into play.

In my example today, we’re looking at level 1 implementation requirements for this particular control. Let’s pretend, for example, that we are a service provider IT. What’s going to apply in this control is how many records do we have. So I’m looking at level 1 implementation requirements and I’m going through the list. I know that all of these controls are going to apply to me because this is going to apply to everyone. I have to make sure that my visitor records contain the following information: name, organization, signature, form of indication, etc. You can read all of that, obviously, in the CSF. What I really want to walk you through is what’s next. For example, level 2 would apply to me as an IT service provider, if I had 15 to 16 total terabytes of data. If my data falls within that category, I need to make sure that all of level 1 implementation requirements are met as well as level 2. In this case, I’m also going to make sure this visitor log contains the date and time of arrival and departure, visitor’s name, etc. It’s a little bit deeper. The concept here is: the greater the risk, the more controls in place to protect that risk. Having between 15 and 16 terabytes of data increases my overall amount of risk as a business partner to my client. Going down through the list, if I have more than 16 terabytes that I’m maintaining for my client, you have to also consider that doors and internal secure areas are locked, implemented a door delay alarm, and are equipped with a secure lock. That’s an example of, “I have to have all of level 1, all of level 2, and all of level 3 in place.” That is only if, as an IT provider, I am housing more than 60 terabytes of data. That ties back to understanding those risk factors involved in your scope before you go into the assessment, because you’re going to need to know how deep you need to go.
This gives you a basic idea of how the controls are structured, understanding what risk factors are, and first and foremost, determining if level 1, 2, or 3 applies to you.

The other thing I didn’t really cover with you here is regulatory risk factors. If you’re navigating the CSF and know PCI applies to you, you would also have to make sure that those requirement statements that are in the PCI sections are also implemented. We’re building upon and building layers as we go. Like I said, the CSF is scalable. Starting at level 1, which applies to all organizations, adding level 2, level 3, and then those regulatory requirements really adds a layered approach. It’s relevant to how much risk you are trying to maintain. Again, it’s a risk-based framework that works really nicely in the layers I described.

That concludes this video, where we’re wanting to define for you how the controls are structured and what applies to you and what doesn’t. In our next video, we’re going to talk about your different assessment options, like the SOC 2 option, validated assessment, the certification – all of that information will help you determine the next step, which is: what is your goal in achieving an assessment? Thank you for joining us today, I look forward to seeing you in the next video! If you need any help immediately, please contact us at the link below.