One of the benefits of the HITRUST CSF® framework is that it provides each organization with a custom, prescriptive set of requirement statements. As leaders think through how to interpret the requirement statements for their organization, they should consider all applicable organizational context: written policies and procedures; the IT environment (for example, data and systems); and existing control processes and methodology, including requirements performed by a third party and the organization’s use of “not applicable” to indicate which requirements do not apply.
Time should be built into the planning phase for the process of interpreting requirement statements and gathering evidence, ideally starting several weeks to months before the assessors are scheduled to test the organization’s evidence to support its set of requirement statements. Any requirements that trigger questions should be discussed internally as well as with the assessor and even with HITRUST if needed. This is equally important for organizations going through their second or third assessment as it is for first-time organizations, as the HITRUST CSF version updates can bring new requirements.
Success strategies for requirement statement interpretation include the following:
Two important 90-day time frames come into play during the assessment:
Success strategies for assessment timing include the following:
It’s important to pay attention to the specifics of each requirement statement. Here’s an overview of the HITRUST maturity model:
CAPs describe the organization’s specific plans for correcting gaps identified during an assessment. Overall, CAPs should be measurable, feasible, supported, and monitored. The due date on each CAP will be reviewed during the interim assessment in the second year of the r2 certification. Organizations should use their existing IT risk and compliance processes where possible, while focusing on the required CAPs and prioritizing quick wins. If a CAP is not completed by its due date and the date needs to be extended, the organization should discuss the change with its assessor firm, explain why the date must move, and set a new, reasonable deadline.
These three gaps are seen consistently in HITRUST certification and are common causes of the need for CAPs:
MyCSF converts scores in the following categories to a scale of 1- to 5+. These are target scores:
An interim assessment, which can be done only by organizations that are already HITRUST certified, assesses the organization against the same HITRUST CSF version as the full certification. It is performed prior to the one-year mark to extend certification through a second year. For example, for an organization originally certified on Oct. 31, the MyCSF interim assessment object is automatically created 90 days before the certification expires; an organization that would like to start earlier can create the assessment object 120 days before the certification date. The organization then gathers the control evidence to prepare for assessor fieldwork, which typically takes place 30 days prior to expiration. The scope includes a sample of one control from each domain plus a review of any CAPs identified in the first-year assessment. Once testing is completed, the assessor submits the assessment to HITRUST on or before the one-year certification date.
As part of the interim assessment process, for organizations to extend the prior year’s certification through the second year, the assessor is required to evaluate these three areas and report the evaluation to HITRUST:
To implement control monitoring, organizations should identify any existing processes that can also help monitor HITRUST controls. Ongoing monitoring might include creating IT, security, or risk committees; tracking metrics through dashboards; and creating alerts or activity reports. Then, the costs and benefits of implementing additional monitoring processes should be considered. Organizations should treat any separate assessments – such as internal audit or compliance testing, third-party security testing, and security program reviews – as independent measures and metrics supporting the HITRUST controls. If adequate monitoring is in place, the organization should give itself credit through its measured and managed scores.
HITRUST CSF frameworks are updated regularly with both major and minor releases, so organizations should check for any updates at least once per year.
Certification timeline (figure): Year one – develop and implement; reinforce and monitor; identify and discuss potential scope changes. One-year mark – interim assessment; show CAP progress; scoring refresh; continue to evolve internal controls. Year two-plus – ongoing efforts; measured and managed; CSF updates.