Using the HITRUST CSF Maturity Model

by Sarah Harvey / September 28th, 2018

Organizations are often overwhelmed by the technical terminology and the number of requirements in the HITRUST CSF. However, while the HITRUST CSF may be daunting at first glance, it is not like any other framework. Achieving HITRUST CSF certification goes beyond showing whether or not you’re doing something; it shows how well you’re doing it. To do this, organizations are scored on how well they perform on each requirement statement. In this webinar, KirkpatrickPrice Lead Practitioner Shannon Lane discusses requirement statements, using the HITRUST CSF Maturity Model, and scoring.

What is the HITRUST CSF Maturity Model?

The HITRUST CSF Maturity Model is a scoring model based on the COBIT CMM and other similar models; it classifies organizations based on relative process maturity. Levels range from 1- to 5+, and HITRUST’s goal is to elevate organizations from Level 2 to Level 3.

  • Level 1: A Level 1 organization is usually an early start-up type of organization that has informal processes. They have a weak definition of products and services and are the most agile because they have to do what it takes to get things done on the fly.
  • Level 2: Level 2 is typically where most organizations are classified. These organizations have well-defined products and services, and their projects are controlled. These organizations know what they’re doing, but don’t know why. They react to situations instead of proactively planning for them.
  • Level 3: A Level 3 organization represents HITRUST’s goal for certification. At a Level 3 organization, everyone understands what they’re doing and how and why they’re doing it. This organization has moved from reacting to issues to proactively planning for them. At Level 3 maturity, an organization demonstrates the most effective combination of process workflow and agility.
  • Level 4: A Level 4 organization looks for the small stuff. They are less agile because they have all of their processes in place and are actively managing success.
  • Level 5: A Level 5 organization trades agility for process management and absolute control. In this level, management has a deep understanding of the organization’s processes and operations run smoothly. While a Level 5 is almost impossible to obtain, organizations should continue to find ways to improve their balance between process and agility.

How is the HITRUST CSF Maturity Model Used?

To put it simply, the HITRUST CSF Maturity Model is used to score each of the requirement statements included in an organization’s scope. On average during a HITRUST CSF assessment, an organization might be tested on anywhere from 290 to 600 requirements. Each requirement is tested based on the maturity level of 5 areas: policy, procedure, implementation, measurement, and management. Each of these areas receives a score from 1 through 5.

To achieve HITRUST CSF Certification, an organization must obtain a score of 3+, which is the equivalent of a 72 or higher. Because the weight of policies, procedures, and implementation is higher than that of measurement and management, an organization that receives a score of 5/5/5/0/0 will have obtained the desired 3+.

Becoming HITRUST CSF certified might seem daunting, but it doesn’t have to be. To learn more about how organizations can move from a Level 2 to a Level 3, how the HITRUST CSF Maturity Model is used, and how the HITRUST CSF is scored, watch the full webinar. Are you ready to embark on your HITRUST CSF certification journey? We want to help! Contact us today to speak to one of our HITRUST experts.