Episode 5 – 5 Things You Need to Get Started with HITRUST Compliance

by Joseph Kirkpatrick / August 24th, 2017

HITRUST is becoming a buzzword around the healthcare industry. Many business associates are being asked by clients to obtain HITRUST CSF certification. Many business associates are looking for a way to demonstrate compliance with HIPAA laws and maintain a competitive advantage in the industry. If you are brand new to HITRUST CSF and aren’t quite sure where to start, take a look at these five things your organization should do first on the path to compliance.

Get Started with HITRUST Compliance

Step 1 – Familiarize yourself with HITRUST CSF

The first thing your organization should do when considering HITRUST CSF certification is to familiarize yourself with the CSF. The HITRUST CSF can be downloaded directly from HITRUST’s website. Navigating the CSF controls may feel a bit overwhelming in this 586-page document, so we advise organizations to refer back to our video on understanding the controls. The CSF can be helpful whether you’re going through a Self-Assessment or a Validated Assessment because it lays out all of the controls, each implementation requirement, as well as how each control maps to other frameworks.

Step 2 – Define the Scope of your Assessment

The second step your organization must take in the process is defining the scope of your assessment. Scoping is important for any type of assessment as it helps you set your objectives by answering some important questions: What are the systems in your network that contain sensitive data? Where are these systems located? Knowing the boundaries and limitations of your scope will help you determine who needs to be involved from those respective business units. Using things like network diagrams and data flow diagrams can be helpful when narrowing your scope in preparation for your HITRUST CSF engagement.

Step 3 – Determine Assessment Type and Report

Next, your organization must determine which assessment type and report option are right for you. The most common assessment is the Security Assessment. This assessment requires the evaluation of 66 controls. There is also an option to add a Privacy element to the assessment, if applicable. Another assessment option is the Comprehensive Assessment, which includes all 149 controls within the CSF. Selecting this option will depend on your internal requirements, client requirements, and whether or not certification is required. This assessment also has an optional Privacy element. Lastly, there is the NIST Cybersecurity Framework. This assessment option is the least common, but is available if it is something that is applicable to your organization. Once you’ve decided which assessment to pursue, you must determine which report type is right for your organization. There are currently five HITRUST report options: SOC 2, SOC 2 +, SOC 2 + HITRUST, HITRUST CSF Self-Assessment, and HITRUST CSF Validated Assessment. More information on these options can be found here.

Step 4 – Assemble a Project Team and Develop a Plan

Step four in the process is to assemble a project team and develop a plan. This means that you need to assign responsibility to make sure you have the right players involved in the HITRUST process. Depending on your scope, it is possible you may have various business units and geographical locations to include. The HITRUST risk management framework incorporates policies, procedures, administrative, and technical controls. This is why it is important to have the right people involved in order to address each requirement implementation.

Step 5 – Build Relationships

You’ve downloaded the HITRUST CSF, established your scope, selected an assessment type and report option, and assembled your team to begin working on your HITRUST CSF compliance. Lastly, you must build relationships. If you’re pursuing a Validated Assessment or working towards achieving certification, you must first develop a relationship with HITRUST directly. You also must develop a relationship with an assessor firm, such as KirkpatrickPrice. The assessor firm must be an approved firm by HITRUST. This three-way relationship will be the key to your HITRUST CSF compliance journey.

If you have any questions regarding which steps you need to be taking to pursue your HITRUST CSF compliance objectives, contact us today!

Hi, this is Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice. This is our 5th video in our series for navigating HITRUST CSF compliance. This video today is for those of you who are brand new to HITRUST. We get a lot of calls, people really don’t know where to start, and that’s totally understandable. This may be another framework, one that’s new to you, or something that was just requested based on a client demand. I want to give you the first 5 things that you should do to get yourself on the path to compliance.

We’re starting with step 1. Step 1 is to familiarize yourself with the HITRUST CSF. How you do that is you go to their website and download it. Some of you may not know that it’s free to download as long as you’re a qualified organization. Reading it and understanding it can be tedious; it’s about a 586-page document. If you have any trouble navigating the controls themselves, please refer back to a previous video that I’ve recorded that breaks that down for you and hopefully helps you figure that out. The reason that you should have it is because whether you’re going through a Self-Assessment or whether you’re going through a Validated Assessment, it’s just a great resource to have on hand. All of the controls are laid out, every single implementation requirement is listed, as well as how it maps to other frameworks. As I mentioned, it’s a lengthy document, it’s full of great information, it’s definitely the very first thing you should have when you start working on your HITRUST CSF compliance.

Step 2 in the process is defining the scope of your assessment. Whether you’re doing a Self-Assessment or a Validated Assessment, or whether you’re having this in a SOC 2 report, you need to know what defines the scope. Where are the systems in your network that contain the data that needs to be protected? In some organizations, this may be a business unit; you may be able to separate that based on geographical location. In fact, if you’re a smaller organization, it may be your entire network or your entire organization. Knowing where that scope is and where those boundaries are will help you determine which people you need to involve from those respective business units into your project as you head down this path. Using things like network diagrams, like business units, and geographical locations can help you narrow down the scope. The systems containing the ePHI are what you want to focus on. Where are those systems located? How can you define scope around that to know where you’re starting for your assessment?

Step 3 in the process is knowing which assessment type and report option are right for you. The report options that HITRUST has in place right now, there’s 5 of them. The most common, which is what we see most often, is the Security Assessment. The Security Assessment requires the evaluation of 66 controls, as of version 8.1. There’s also the option to add Privacy to that assessment, if that applies to you. Also something to consider is what’s called the Comprehensive Assessment, and that includes all 149 controls within the framework. That may or may not be used based on your internal requirements versus those going for certification to satisfy a client requirement. Another type of assessment available to you is the NIST Cybersecurity Framework. That’s less common, but it is available to you if that’s something you want to pursue. Once you’ve decided the assessment option, you have to determine which report is right for you. The report options that you have available to you are listed here, starting with the SOC 2. The SOC 2, because of the relationship/agreement that is in place between the AICPA and HITRUST, allows you to utilize the HITRUST framework within the SOC 2 report. What that really means is that as a third party, as a CPA firm, we are attesting to your compliance against the framework. That’s much different than actual certification, so that’s important to understand. A SOC 2+ using HITRUST without certification is not certification. Your next option on the list here is a SOC+ HITRUST certification. Now that may be used, for example, if you already have a SOC 2 to satisfy some of your clients and you want to add HITRUST certification to satisfy the others. It combines both into one process. Keep in mind in this situation, whenever certification is involved, HITRUST and the MyCSF tool are always involved, as HITRUST is the only one that can issue that certification. This is a way of combining those 2 reports into 1.
You also have, as a report option, the HITRUST CSF Self-Assessment. Going through the MyCSF tool, answering and responding to all the requirement statements, you do have the ability to get a Self-Assessment report from HITRUST in that scenario. This is the minimal level of providing assurance to your clients, but it is a really good way and the fastest way to get a report that demonstrates to someone what your compliance is. The other, the most popular, is getting a HITRUST CSF Validated Assessment. This is what’s actually required for certification. If certification is a requirement, you have 2 options here: using the SOC 2 and HITRUST combined effort, or pursuing the Validated Assessment to get your certification. By now, you’ve downloaded the CSF, you understand the meaning and the intent behind the risk management framework, you’ve effectively scoped your environment, you know which systems and which business units are in that scope, you’ve decided which assessment type and which report option you’re going to go forward with.

The very next thing to do is step 4. Assemble a project team and develop a plan. What that means is you’re going to assign responsibility and you’re going to make sure you have the right players involved in the process. Depending on your scope, you may have various business units, various geographical locations to pull in. The reason why you need this team is because the HITRUST risk management framework incorporates policies, procedures, administrative, and technical controls. Having the right people to address the requirement implementations is key. Assemble that team of people, make sure policies and procedures are addressed, as well as the technical implementation of the controls, and divide and conquer that so you have help when you are facilitating your plan.

At this point, you’ve downloaded the CSF, you’ve established your scope, you’ve chosen an assessment type and a report option, you’ve assembled your internal team to begin working on your compliance. Step 5 in this process that I want you to be aware of, is the relationships that you must build. If your end result is a Validated Assessment, or if you’re working towards achieving CSF certification, you need to understand that you have to have a relationship with HITRUST directly. In our diagram here, you as the client must also retain a relationship with HITRUST. You also have to retain a relationship with an Assessor firm, such as KirkpatrickPrice. There’s a 3-way relationship going on. The Assessor firm has to be an approved Assessor firm by HITRUST, so the relationship there must already exist. Establishing a relationship directly with HITRUST to get you on track with your Self-Assessment, or get signed up for your Validated Assessment is something you want to plan to do ahead of time to make sure you’re going to meet your deadline. Also, involve your Assessor firm when that’s reasonable for you. If you need help with any of steps 1-4, you may want to consider involving your Assessor firm early. Some of the things – such as the Self-Assessment process that you go through – may be done on your own, but it may also involve an Assessor firm to act as a guide. You may need some help along the way with policies, procedures, or general guidance. Feel free to involve your Assessor firm earlier on in the process to make sure you’re on the right track. Definitely, when you put your project plan together, make sure that your Assessor firm can meet your deadline, as far as when you want to have your report done.

That concludes our 5-step process. Keep in mind that these are not the only 5 things you have to do, just the first 5 things that we’re recommending you start with. If you need help along the way, please consider involving your Assessor firm, such as KirkpatrickPrice. You can contact us directly at the link below. We hope you found this information useful and we thank you for your time today.