Episode 2 – How to Navigate HITRUST CSF Controls

by Joseph Kirkpatrick / August 10th, 2017

Getting started with your HITRUST certification journey can be overwhelming; the CSF is a lengthy framework containing 845 requirement statements spread over three implementation levels. Here is a step-by-step guide for understanding how to navigate the makeup of each control by determining the scope of the assessment, determining your unique risk factors, and knowing which level applies to your organization.

Defining the Scope of your Assessment

Defining the Scope of your HITRUST Assessment MapThe very first thing organizations must do before downloading the HITRUST CSF or beginning any work in the MyCSF tool itself is define the scope of the assessment. Properly scoping your environment is an important step in becoming HITRUST certified. The scope of your assessment will determine to which extent the CSF controls will apply to your organization and whether you are able to minimize or condense the amount of work that needs to be done. Are you assessing a particular business unit? Or a geographical location? Or segmented network? When determining scope, you must consider all people, processes, and technology that come into contact with sensitive data.

Determining your Risk Factors

The next step in your HITRUST journey should be determining your inherent risk factors. These risk factors are comprised of organizational, system, and regulatory risks.

Organizational Risk Factors

Organizational risk factors are defined based on the type, size, and complexity of the organization and its environment. Different industries require different requirements. For example, a health plan or insurance company’s implementation level is determined based on the number of covered lives, whereas a medical facility or hospital’s level is determined based on the number of licensed beds. Third party processors must determine their implementation level based on the number of records processed each year. Understanding your unique risk factors is important to know which implementation level applies to your organization.

System Risk Factors

System factors are based on system characteristics that could potentially increase the likelihood or impact of a vulnerability being exploited. The following information must be gathered for all in-scope systems before assessing yourself against the CSF:

  • Are they storing processing, or transmitting sensitive information?
  • Is it accessible from the internet?
  • Is it accessible by a third party?
  • Is it publicly accessible?
  • Is there mobile technology being used?
  • What is the total number of users?

Regulatory Risk Factors

There are a number of regulatory risk factors that could also affect your in-scope systems. Does PCI DSS apply to your organization? FISMA? FTC Red Flags Rule? HITECH Act? If you know that any of these regulations apply to your organization, you must be sure to implement the associated requirement statements.

Understanding your Implementation Level

Once you have defined your scope and your risk factors, your implementation level can be determined by industry type and organizational risk factor for volume of business, record count, etc. For example, an IT service provider with between 10 and 60 million records and 15 to 60 terabytes of data would be considered level 2 and have to implement controls for level 1 and level 2. If the same hospital exceeded 60 million total records or 60 terabytes of data, they would then be considered level 3 and have to implement controls for levels 1,2 and 3. As you can see, the HITRUST CSF provides a scalable, layered approach based on your unique risk factors and implementation control levels.

Define your scope, determine your risk factors, and start at level 1. Then you can build to level 2 or 3, and include regulatory requirements, as applicable to your organization. If you need help with preparing for a HITRUST certification assessment or navigating the HITRUST CSF controls, contact me today at s.morris@

In our last video, we talked about the CSF and how it breaks down into numbers. To shorten that, there’s 149 controls spread out over the 14 categories. Keep in mind that only 66 of those controls are required when you’re pursuing certification. What we’re going to talk about in today’s video teaches you how to navigate the controls themselves. The CSF, when you download it from the HITRUST website, is a very lengthy document. There’s a lot of content in there, so I wanted to break it down for you and show you step-by-step the makeup of the controls, how to determine what your risk factors are, which levels affect you, etc. That’s what today’s video is all about. Hopefully you’ll stick with us for our next video, but we’re really wanting to zero-in on the controls themselves today.

Before you open up that CSF document, or before you begin any work in the My CSF tool (say, for example, you’re going through self-assessment), you need to define your scope because the scope is where it all starts. You can possibly limit the scope to condense the amount of work that needs to go into the assessment, like if you have multiple business units, multiple geographic locations, etc. Getting an understand of what business units are going to be involved in that scope and how to narrow that scope when it seems appropriate. For a lot of smaller organizations, the entire organization may be what’s in scope. It’s really important to start there. If you have a flat network, everything’s going to be in scope because there’s no segmentation. The proper way to segment, if you’re going to take the business or the geographical region approach, you need to make sure you’re scoping from a network perspective to make sure you have proper segmentation in place. Keep that in mind. Always get a clear definition of scope because if there are various business units involved, you’ll want to make sure that the leaders from those business units and the corporate people are brought into the assessment. This is one of the very first things as an assessor firm that we’re going to want to confirm – the scope of your environment. We’re going to want to know the people involved, we’re going to want to know the systems that are involved in that scope because that is what the assessment is going to be performed on. So like I said, whether you’re starting in the My CSF tool or whether you’re starting by just opening up the document to determine what you’re compliant with and what you’re not, really having an understanding of scope is step one. Once you have that defined, you know what systems are in scope and what potential business units are in scope, then you can move into determining what your risk factors are. We’re talking about inherent risk factors associated with organizational, system, and regulatory items.

The very next thing that you’re going to want to do after you’ve determined what the scope of your environment is, is you’re going to want to make a pretty simple assessment. There are different categories that you must select, whether you’re, again, in the My CSF tool. You have to have an understanding of that if you’re just using the CSF to determine compliance. For example, are you a health information exchange company? Are you a hospital? (Of course, you know the answers to these questions) Are you a payer, pharmacy, physician’s practice, service provider IT, or service provider non-IT (Those are the 2 most common we see for Business Associates)? Understanding whether you’re categorized as a “service provider IT” or whether you’re a “service provider non-IT” is definitely something you need to determine. For example, an IT service provider is generally someone who provides IT services such as cloud services or hosted IT infrastructure. If you fit into that category, you’re definitely a service provider IT. Service providers non IT are companies that are generally defined as Business Associates that provide non-IT-related services such as transcription services and clearing houses. You want to know, for example, what category you fit into, and based on that category, there are some risk factors that you’ll want to know the answers to. Gathering this information before you begin the assessment is critical because it’s going to determine, for example, if level 2 or level 3 applies to your organization. As you’re going through the controls you’re going to want to know the answer, for example if you are service provider IT, to: what is your total record count that you have? If you don’t know the answer to that, there are alternatives such as, what is the annual record count? What is the total volume of data that you have in the systems that are in scope? People often ask me, what is considered a record? And, of course as I just mentioned, you have to know the number of records that you’re maintaining to know which levels apply to you. A record, as defined by HITRUST, is as instance where data items (fields) are stored with a unique identifier. Such records include but are NOT limited to designated record set as defined under HIPAA. Having an understanding of how many records you have is going to be included in the scope of your assessment.

Gathering this data on the in-scope systems prior to starting the assessment is critical because you need to know where and when those levels 2 and 3 will apply. Also for those in-scope systems, you’re going to want to gather the following information. You don’t have to memorize or write down what I’m saying, it’s all listed in the CSF, but I want to walk through it just to explain it to you.

For example, for the in-scope systems you have to know if they are storing, processing, or transmitting sensitive information. Is it accessible from the internet? Is it accessible by a third party? Is it publicly accessible? Is there mobile technology being used on the in-scope system? What is the total number of users? The important thing is not that I’m giving you the entire list here; the important thing is remembering that you must gather this information prior to jumping in and trying to assess yourself against the controls. Again, step number one is defining the scope. Is it a different business unit? Is it a geographic location? Is it systems that are segmented on the network? Those are the types of things you want to know before you start the assessment. Then, recognizing your organizational factors. How many records do you have, etc. And of course, evaluating the in-scope systems.

The CSF also has a number of regulatory considerations where regulatory inherent risk factors would apply. If, for example, PCI applies to your environment, FISMA, maybe the FTC Red Flags Rule, or the HITECH Act – there’s a list of regulatory factors that may or may not affect the in-scope systems or the scope as you’ve defined it. Understand that before you get started will also determine which levels apply to you. For example, when you use the My CSF tool, if you’re going through an assessment using the My CSF tool, these are all questions that you have to answer before the questionnaire is built. You have to know the answers to these questions. Most likely, if you’re working with an assessment firm, these are all questions that they’re going to ask you right off the bat before they start working with you. The answers to these questions will determine how many requirement statements actually will apply, so it really determines scalability. Is it going to be a rather small assessment, or is it going to be a rather large assessment? So the answers to these questions from an organizational, from a regulatory, and a system aspect will determine the number of controls that apply and how long or short the assessment is going to be overall.

So now I’m going to break it down. If you have the actual CSF in front of you or downloaded (Version 8.1 as it’s the most current version at the recording of this video), you can follow along. I want to take you to page 280 if you want to follow along. If not, you can just listen to the way I’m describing this. Each control is broken down and the control reference that I’m going to share with you today is the “Physical Entry Control.” This example, the control specification states (I apologize for reading, but I don’t have these memorized), “Secure areas shall be protected by appropriate entry control to ensure that only authorized personnel are allowed access.” The other thing that you’ll notice in this particular control is there’s an asterisk that says, “Required for HITRUST certification, CSF Version 8.1.” Every control that is required for certification – again, it’s one of those 66 controls – is defined within the CSF as required for certification. If it’s not listed there, you know that this is not a control that would apply if you’re working towards certification as the end result. So for this particular control, we’re read the control specification and we know that is factor type is organizational. This means that the organizational risk factors that we talked about a minute ago really come into play.

In my example today, we’re looking at level 1 implementation requirements for this particular control. Let’s pretend, for example, that we are a service provider IT. What’s going to apply in this control is how many records do we have. So I’m looking at level 1 implementation requirements and I’m going through the list. I know that all of these controls are going to apply to me because this is going to apply to everyone. I have to make sure that my visitor records contain the following information: name, organization, signature, form of indication, etc. You can read all of that, obviously, in the CSF. What I really want to walk you through is what’s next. For example, level 2 would apply to me as an IT service provider, if I had 15 to 16 total terabytes of data. If my data falls within that category, I need to make sure that all of level 1 implementation requirements are met as well as level 2. In this case, I’m also going to make sure this visitor log contains the data and time of arrival and departure, visitor’s name, etc. It’s a little bit deeper. The concept here is: the greater the risk, the more controls in place to protect that risk. Having between 15 and 16 terabytes of data increases my overall amount of risk as a business partner to my client. Going down through the list, if I have more than 16 terabytes that I’m maintaining for my client, you have to also consider that doors and internal secure areas are locked, implemented a door delay alarm, and are equipped with a secure lock. That’s an example of, “I have to have all of level 1, all of level 2, and all of level 3 in place.” That is only if, as an IT provider, I am housing more than 60 terabytes of data. That ties back to understand those risk factors involved in your scope before you go into the assessment, because you’re going to need to know how deep you need to go. This gives you a basic idea of how the controls are structured, understanding what risk factors are, and first and foremost, determining if level 1, 2, or 3 applies to you.

The other things I really didn’t really cover with you here are regulatory risk factors. If you’re navigating the CSF and know PCI applies to you, you would also have to make sure that those requirement statements that are in the PCI sections are also implemented. We’re building upon and building layers as we go. Like I said, the CSF is scalable. Starting at level 1, which applies to all organizations, adding level 2, level 3, and then those regulatory requirements really adds a layered approach. It’s relevant to how much risk you are trying to maintain. Again, it’s a risk-based framework that works really nicely in the layers I described.

That concludes this video, where we’re wanting to define for you how the controls are structured and what applies to you and what doesn’t. In our next video, we’re going to talk about your different assessment options, like the SOC 2 option, validated assessment, the certification – all of that information will help you determine the next step, which is: what is your goal in achieving an assessment? Thank you for joining us today, I look forward to seeing you in the next video! If you need any help immediately, please contact us at the link below.