How to Prepare for a HITRUST CSF Assessment
If you’re managing healthcare data, it’s critical from a business and reputational standpoint to protect yourself from risk and maintain a strong relationship with your clients who are also trying to mitigate their risks. HITRUST certification is a great way to ensure this is happening.
The HITRUST Common Security Framework, or CSF, is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The framework was developed in response to increasing regulatory scrutiny, the growing risk and liability associated with data breaches, inconsistent implementation of minimum controls, and the rapidly changing business, technology, and regulatory environment. It is a healthcare industry standard that was built from what works within other standards and authoritative sources, such as ISO 27001/27002, HIPAA, PCI DSS, and NIST 800-53, to name a few. It was also built on risk management principles and aligns with existing, relevant controls and requirements. It is scalable depending on organizational, system, and regulatory factors.
As a HITRUST Authorized CSF Assessor, we recommend following six steps to prepare for a HITRUST CSF assessment.
The first step is to form relationships with HITRUST and the assessor. If you’re pursuing a Validated Assessment or working towards achieving certification, you must first develop a relationship with HITRUST directly. You also must develop a relationship with an assessor firm, such as KirkpatrickPrice; the assessor firm must be approved by HITRUST. This three-way relationship will be a key component of your HITRUST CSF compliance journey.
Once you’ve formed relationships with HITRUST and the assessor, you’ll need to educate yourself on the CSF and the assessment process. The HITRUST CSF is a security and privacy framework that is the foundation of all HITRUST programs. It leverages federal and state regulations, industry standards and frameworks, and a focus on risk management to create a comprehensive standard. The framework is applicable not only in the healthcare industry, but also in financial services, travel and hospitality, media and entertainment, telecommunications, and start-ups. HITRUST reports that, because of its continued effort to improve and update the framework, the HITRUST CSF is the most widely adopted security framework in the US healthcare industry.