Management’s Responsibilities During a HITRUST CSF Assessment

What is an Executive Charter?

When your organization begins preparing to undergo a HITRUST CSF assessment, management needs to review what their own responsibilities are, regardless of how small some of them might seem. For example, does your organization have an executive charter in place that delegates the responsibilities of the CISO? What level of involvement do your C-level executives have in your information security program? In this webinar, Shannon Lane dives into one of the most commonly missed components of a HITRUST CSF assessment, the executive charter, and provides guidance on how your organization should go about ensuring that one is in place.

An executive charter is a policy that drives your entire organization’s security posture. It demonstrates whether or not your senior-level executives are involved in your information security program, grants rights, responsibilities, and power to departments, defines responsibilities of individuals, establishes baseline accountability and reporting structure, and should be built into your organization’s foundational documentation.

Because the executive charter sets out who does what at each level, it serves as a type of check-and-balance system for an organization. Specifically, the executive charter for an information security management policy does this by outlining the following:

  • Addressing the CISO role and IS department
  • Defining the powers and responsibilities of the CISO/ISO
  • Defining the reporting structure of the CISO/ISO
  • Establishing the independence of the IS department
  • Allowing the IS department to set appropriate policies to the limits allowable by the CEO
  • Empowering the IS team within the whole of the corporate structure
  • Defining the limits of the IS team operation

Is My Executive Charter Compliant?

When you’re engaging in a HITRUST CSF assessment, KirkpatrickPrice Information Security Specialists will be looking to validate that your executive charter adheres to HITRUST CSF protocols. In order to ensure that your executive charter meets the expectations of the HITRUST CSF, you’ll need to ensure that your senior management officials have assigned an individual or group to do the following:

  • Ensure the effectiveness of the information protection program through program oversight
  • Establish and communicate the organization’s priorities for organizational missions, objectives, and activities
  • Review and update the organization’s security plan
  • Ensure compliance with the security plan by the workforce
  • Evaluate and accept security risks on behalf of the organization

You’ll also need to ensure that your executive charter meets the following HITRUST CSF requirement statements:

  • A senior-level information security official is appointed and is responsible for ensuring security processes are in place, communicated to all stakeholders, and consider and address organizational requirements.
  • The owner of the security policies has management’s approval and is assigned the responsibility to develop, review, update, and approve the security policies, and such reviews, updates, and approvals occur no less than annually.
  • An individual or dedicated team is assigned to manage the information security of the organization’s users.

The executive charter lays the foundation for a strong security posture. To learn more about how to establish and implement an executive charter to prepare for your HITRUST CSF engagement, watch the full webinar. To get started on your HITRUST CSF journey, contact us today to speak to an expert.

HITRUST Scoping 101

What is the Most Important Thing I Need to Know about HITRUST Scoping?

Are you in the process of preparing for a HITRUST CSF assessment? Do you need more information about how to properly scope your engagement? In this webinar, Shannon Lane, an Information Security Specialist at KirkpatrickPrice, will cover all things related to HITRUST CSF scoping, such as how HITRUST expects you to scope your engagement, what boundaries you should set, and how to determine your scoping demographics.

As you begin preparing for your HITRUST CSF assessment, scoping should be at the forefront of every conversation. Why? Because everything that you do in a HITRUST CSF engagement is about your scope. Considering this, it’s imperative that you work with your assessor to narrow your scope as much as possible to ensure that your assessment most acutely aligns with the parts of your organization that you want to get HITRUST certified.

For example, let’s say that you are a hospital looking to become HITRUST CSF certified. Typically, HITRUST is not going to certify an entire organization – they wouldn’t want to certify all of the departments that make up a hospital. Instead, they are looking to certify different components of an organization, like your billing department, human resources, inpatient and outpatient services, psychology department, ER, or ICU.

How Do I Narrow My Scope?

To begin narrowing your scope, you’ll need to define system boundaries around what you want to get certified. Building off the previous example, if you’re looking to certify your billing department, you would need to consider the following:

  1. How are things processed? What systems are used for billing purposes?
  2. How is billing data stored? Where is it kept?
  3. How is billing data transmitted? What devices move the data between system components, or into and out of the organization?

After you’ve determined your system processes, you’ll need to define your system by creating or locating your data flow diagram, network diagram, system inventory, and system management procedures. Doing this allows you to establish boundaries and move onto determining your scoping demographics.

What are Scoping Demographics?

Scoping demographics allow you to lessen the number of requirement statements you must comply with to become HITRUST CSF certified. The following are scoping demographics you’ll need to consider:

  1. Organizational Factors: These are the core of the assessment. What is your organization type? What number of records could you lose if a catastrophic breach occurs?
  2. Geographic Factors: These are based on where the collection, processing, maintenance, use, sharing, dissemination, or disposition of information occurs. How do you operate? Where do collection and processing occur? Are you located in multiple states?
  3. System Factors: These are scoping questions that demonstrate the importance of limiting a scope. How many systems do you connect to on a permanent basis? How many people use your system? How many transactions do you have on your database per day?
  4. Regulatory Factors: These are optional, but you should consider what your clients’ needs are and what your business needs are. Are you looking to show your level of assurance with other frameworks, such as SOC 2, PCI, GDPR, or FISMA?

Ultimately, the narrower your scope is for your HITRUST CSF assessment, the better. The ramifications of having too broad of a scope could be costly. Keep in mind that when you’re able to narrow your scope for the audit, you could receive a larger return on investment. For more information on scoping a HITRUST CSF assessment, watch the full webinar now. To learn more about how you can begin the HITRUST CSF certification process, contact us today to speak to an expert.

What to Expect from Your First HITRUST CSF Assessment

First-Time HITRUST CSF Assessment

Have you been thinking about engaging in a HITRUST CSF assessment? Have you been approached about getting HITRUST CSF certified? Are you wondering what the timeframe for a HITRUST CSF assessment looks like? Do you want to learn about the responsibilities and expectations that you, your assessor, and HITRUST will face during an assessment? In this webinar, Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice, and Shannon Lane, Information Security Specialist with KirkpatrickPrice, will answer these questions and more to give you the steps needed to start your HITRUST CSF compliance journey.

How Can I Prepare for a HITRUST CSF Assessment?

For organizations that are just beginning their HITRUST CSF assessment journey, we suggest following these three steps:

  1. Identify Your Level of Readiness: What frameworks do you already follow – ISO 27001/27002, NIST 800-53, PCI DSS, SOC 1, or SOC 2? Do you have policies and procedures documented and in place? Are you starting with a HITRUST self-assessment? Is this your first compliance effort?
  2. Establish and Narrow Your Scope: Do you have a data inventory? Do you understand what data you have and how it moves? Do you have your data mapped? Do you have good data retention procedures? Do you understand where all of your data resides? How is it maintained? What compliance standards do you want to incorporate into your HITRUST CSF assessment?
  3. Determine the Assessment and Report Type Needed: What are your clients requiring of you? Are they asking you to have HITRUST CSF certification, a validated assessment, or self-assessment?

What is the Timeline for a HITRUST CSF Assessment?

The timeline for a first-time HITRUST CSF assessment varies depending on the level of maturity of your information security program. For organizations that have an immature information security program, we believe that the remediation period will and should take 180 days. For organizations with a more mature information security program, or organizations that have NIST, ISO, or PCI DSS controls in place, we believe that remediation periods could take about 60 days. Nevertheless, remediation periods ultimately depend on the time it takes to fix the issues identified during the gap period and self-assessment. If an organization rushes through a remediation period, it can still obtain a validated assessment, but the chances of becoming HITRUST CSF certified significantly decrease.

Download the full webinar to learn more about what you can expect from a first-time HITRUST CSF assessment. For more information about HITRUST CSF assessments and how KirkpatrickPrice can assist you in meeting your compliance goals, contact us today.

The HITRUST CSF Assessment Process and Beyond

What is the HITRUST Maturity Model?

So far in this webinar series, you’ve learned who HITRUST is, what the HITRUST CSF is, how to scope your environment, and which risk factors affect your defined scope. In this webinar, Jessie Skibbe outlines HITRUST’s Maturity Model for control scoring, the assessment process, report options and timeline projections, and some strategies for maintaining compliance.

HITRUST Maturity Model

You will be required to score your organization’s compliance with the controls according to the HITRUST Maturity Model. This model acts as assurance that each control in the HITRUST CSF has been properly implemented. The Maturity Model used by the HITRUST CSF is categorized into five steps that form a continuous improvement cycle. The intent behind the Maturity Model is to avoid the practice of “implementing and forgetting.” The five steps of the HITRUST Maturity Model are as follows:

  1. Policy – Does an organization know what it is supposed to do? Requirements must be stated in a policy or standard and understood by the organization.
  2. Process – Also known as procedure. Does the process follow the policy, assign responsibility, and give further instruction for carrying out the policy? Is the process understood by those to whom it applies? Processes are necessary to ensure the control can be implemented in a repeatable and consistent way.
  3. Implemented – Has the control been implemented? Does the organization implement all elements of a specified control and is it implemented everywhere it should be implemented? Can it be tested? Evaluation of the control’s implementation across the organization is the most common way of assessing a control’s effectiveness.
  4. Measured – Are you able to measure the performance of the control? How is that control being measured for success? Can you provide a statistical analysis? You cannot manage what you do not measure.
  5. Managed – Does the organization correct any problems that are identified while monitoring the effectiveness of the control? Do you understand and are you managing security vulnerabilities? Are controls being adapted to emerging threats and the changing landscape? This level of maturity provides additional assurance that the control will not fail.

Strategies for Maintaining Compliance

  • Where certification is granted, certification is valid for two years (24 months) from the certification date on the condition that the interim review and continuous monitoring requirements are met.
  • The interim review is vital. It should be completed as close as possible to the one-year anniversary of the initial report date.
  • Your Corrective Action Plan should describe the specific measures that are planned to correct deficiencies identified during the assessment for validation or certification.
  • Be aware of de-certification criteria.

Listen to the full webinar to hear evaluation examples, see timeline projections, dive deeper into the HITRUST Maturity Model, and learn more about how to maintain HITRUST compliance. Contact us today to get started on your HITRUST journey.

Navigating the HITRUST CSF

In this webinar, Jessie Skibbe discusses one of the most important steps in the certification journey: scoping. She will cover how to scope your environment for a HITRUST CSF assessment and how to define the risk factors related to your scope.

Scoping is the very first step in your certification journey. Before you even contact an assessor, you must determine what your scope is. The controls of the HITRUST CSF are designed to apply to all information systems irrespective of classification or function; however, for the purposes of HITRUST CSF Validation/Certification, only those systems that store, process, or transmit PHI, or support the storing, processing, or transmission of PHI, should be included. The scope of the assessment should cover the following:

  • Patient care systems, applications, and devices that store and process ePHI (e.g., pharmacy, infection control, cancer registry, MRI, CTI, Ultrasound), whether they are standalone systems or connected to the network
  • Business systems and applications that store, process, or transmit ePHI to support billing, customer service, and general administrative operations (e.g., supply chain, state submissions, credentialing)
  • Infrastructure components, such as routers and firewalls, that are connected to or facilitate the transmission of ePHI to/from the types of systems described above

The HITRUST CSF is scalable. The organizational, system, regulatory, and information system risk factors will determine the total number of control requirements that will apply to your assessment scope. In this webinar, we give examples of questions you should be asking during the scope determination process:

  • How many records does your organization store?
  • Does the system store, process, or transmit sensitive information?
  • Is the system accessible by a third-party?
  • What is the number of interfaces to other systems?
  • How many transactions per day does the system process?
  • Is your organization subject to PCI compliance?
  • Is your organization subject to the State of Massachusetts Data Protection Act?
  • Is your organization subject to the State of Texas Medical Records Privacy Act?

More about HITRUST

HITRUST is a not-for-profit organization founded in 2007, “born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” HITRUST partners with public and private healthcare technology, privacy, and information security leaders. HITRUST develops, maintains, and provides broad access to its common risk and compliance management frameworks. The HITRUST CSF is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The framework was developed to provide a solution to increasing regulatory scrutiny, increasing risk and liability associated with data breaches, inconsistent implementation of minimum controls, and the rapidly changing business, technology, and regulatory environment. It is a healthcare industry standard that was built from what works within other standards and authoritative sources, like ISO 27001/27002, HIPAA, PCI DSS, and NIST 800-53, just to name a few. It was also built on risk management principles. It aligns with existing, relevant controls and requirements.

Have questions about HITRUST CSF requirements? Contact our team today to have them answered. KirkpatrickPrice can assist you with SOC 2, SOC 2 +, SOC 2 + HITRUST CSF Certification, HITRUST CSF Certification, Assisted HITRUST CSF Self-Assessment, Policy and Procedure drafting, guided Risk Analysis, and general guidance/consulting.
