HITRUST Scoping 101

by Sarah Harvey / July 12th, 2018

What is the Most Important Thing I Need to Know about HITRUST Scoping?

Are you in the process of preparing for a HITRUST CSF assessment? Do you need more information about how to properly scope your engagement? In this webinar, Shannon Lane, an Information Security Specialist at KirkpatrickPrice, will cover all things related to HITRUST CSF scoping, such as how HITRUST expects you to scope your engagement, what boundaries you should set, and how to determine your scoping demographics.

As you begin preparing for your HITRUST CSF assessment, scoping should be at the forefront of every conversation. Why? Because everything that you do in a HITRUST CSF engagement is about your scope. Considering this, it’s imperative that you work with your assessor to narrow your scope as much as possible, so that your assessment aligns as closely as possible with the parts of your organization that you want to get HITRUST certified.

For example, let’s say that you are a hospital looking to become HITRUST CSF certified. Typically, HITRUST is not going to certify an entire organization – they wouldn’t want to certify all of the departments that make up a hospital. Instead, they are looking to certify different components of an organization, like your billing department, human resources, inpatient and outpatient services, psychology department, ER, or ICU.

How Do I Narrow My Scope?

To begin narrowing your scope, you’ll need to define system boundaries around what you want to get certified. Building off the previous example, if you’re looking to certify your billing department, you would need to consider the following:

  1. How are things processed? What systems are used for billing purposes?
  2. How is billing data stored? Where is it kept?
  3. How is billing data transmitted? What devices move the data between system components, and into or out of the outside world?

After you’ve determined your system processes, you’ll need to define your system by creating or locating your data flow diagram, network diagram, system inventory, and system management procedures. Doing this allows you to establish boundaries and move on to determining your scoping demographics.

What are Scoping Demographics?

Scoping demographics allow you to lessen the number of requirement statements you must comply with to become HITRUST CSF certified. The following are scoping demographics you’ll need to consider:

  1. Organizational Factors: These are the core of the assessment. What is your organization type? What number of records could you lose if a catastrophic breach occurs?
  2. Geographic Factors: These are based on where the collection, processing, maintenance, use, sharing, dissemination, or disposition of information occurs. How do you operate? Where do collection and processing occur? Are you located in multiple states?
  3. System Factors: These are scoping questions that demonstrate the importance of limiting a scope. How many systems do you connect to on a permanent basis? How many people use your system? How many transactions do you have on your database per day?
  4. Regulatory Factors: These are optional, but you should consider what your clients’ needs are and what your business needs are. Are you looking to show your level of assurance with other frameworks, such as SOC 2, PCI, GDPR, or FISMA?

Ultimately, the narrower your scope is for your HITRUST CSF assessment, the better. The ramifications of having too broad a scope could be costly. Keep in mind that when you’re able to narrow your scope for the audit, you could receive a larger return on investment. For more information on scoping a HITRUST CSF assessment, watch the full webinar now. To learn more about how you can begin the HITRUST CSF certification process, contact us today to speak to an expert.