7 Deadly Sins of a HITRUST CSF Assessment

by Shannon Lane / May 21st, 2019


At KirkpatrickPrice, we’ve worked with clients of all sizes – from startups to enterprise-level organizations. By working with so many organizations of varying sizes and industries, we’ve been able to identify seven primary pitfalls that make for a challenging audit environment, all of which represent initial difficulties that often lead to failed or very drawn out HITRUST validated assessment attempts. In recognizing how significant these pitfalls are, our firm has designed our engagements to address them early and often over the course of the assessment, raising red flags whenever one is discovered. The following seven deadly sins of HITRUST, while in no particular order, are all of primary significance to the audit as a whole and occur with roughly the same frequency. To begin, let’s look at one of the biggest misconceptions about HITRUST.

Does HITRUST Certification Represent Equivalent Work Effort to Other Frameworks?

While HITRUST encompasses many of the key components of those other frameworks, each assessment has its own approach and purpose. ISO tests best practices. FISMA tests against standards. SOC 2 tests against risk thresholds and company procedures. Every single engagement has its own caveats and assessor instructions. After all, if they were all the same, we’d all do the same assessment, right? Since they are not the same assessment, we assess against standards that target what we need to express to our clients and represent within the competitive scope of our business.

At its core, HITRUST is a risk-based, prescriptive audit that is designed to test systems’ infrastructure against an external risk threshold and company maturity. Nothing else is quite like it, from what the assessed organization is expected to do, to the role of the assessor, to the role of HITRUST as a certifying body. Especially in an organization’s first year, HITRUST should be approached from a position of education and understanding: no matter what you know, you likely don’t quite know all of the things you need to know to be successful within the HITRUST framework.

Ultimately, while HITRUST can be used to assess compliance with other frameworks, the converse is not true.

About the Author

Shannon Lane

Shannon Lane has over 20 years of experience in information services, including healthcare IT, e-commerce data extrapolation, network administration, database administration, and external audit work. Lane now serves as an Information Security Auditor at KirkpatrickPrice, represents KirkpatrickPrice on the 2018 HITRUST CSF Assessor Council, and holds CISSP, CISA, QSA, MSDBA, and CCSFP certifications.