The HITRUST Alliance protects healthcare companies from cyberattacks by combining multiple regulatory compliance requirements into one uniform text — the Common Security Framework (CSF). The HITRUST Bridge Assessment makes it easier for businesses seeking re-certification.
What is a HITRUST Bridge Assessment?
Given the challenges businesses face due to the COVID-19 pandemic and its ongoing economic impacts, HITRUST has sought a solution to help “bridge” the gap between your last and next periods of compliance.
Nevertheless, Bridge Assessment is complex in its own right, and it is not a substitute for full HITRUST compliance. This blog will break down everything you need to know into two primary sections:
- A 101 on HITRUST Bridge Assessment, as well as other forms of assessment
- A 101 on the HITRUST CSF and the controls required for full compliance
By the end of this article, you’ll know what it takes to complete a Bridge Assessment and achieve full verification. But first, let’s take a look at the broader HITRUST Alliance approach.
What is the HITRUST Approach?
The HITRUST Alliance offers more than merely a set of controls to follow. The broader HITRUST Approach is a complex system of risk mitigation and incident response built around the CSF and Risk Management Frameworks specific to individual industries.
The four-step approach includes:
- Identify and Define Risks – Employ measures to monitor, inventory, and analyze all threats and vulnerabilities to streamline responses as cyberattacks occur.
- Specify Appropriate Controls – Before, during, and after security events, ensure plans are in place that meet risks efficiently, minimizing any compromise.
- Implement and Manage Controls – Employ preventative measures and responses to neutralize and resolve security risks.
- Assess and Report on Recovery – Regularly monitor the efficacy of all cybersecurity practices to ensure fidelity and take immediate actions to correct identified security flaws.
Bridge Assessment is one part of this overall scheme — it involves continuing Certification into a new term despite not hitting deadlines for assessments.
HITRUST Bridge Assessment 101
Per the Bridge program press release, HITRUST introduced the program during the COVID-19 pandemic. It was executed to assist businesses struggling to meet deadlines for recertification. It applies to select companies that had already been HITRUST compliant (who are seeking another certification).
Bridge Certification opens a 90-day “Bridge period” within which the organization must make a concerted effort to finalize everything it needs to achieve full recertification.
For full Certification, companies need to undergo traditional HITRUST CSF Assessment or a “Validated Assessment” through an Authorized External Assessor. Given a high enough score, the Validated Assessment will grant a two-year Certification. However, this period will only cover the entire two years if the company completes an Interim Assessment at the one-year mark.
The Bridge program is not an extension of the existing Certification, nor a replacement for full Certification. Nevertheless, it requires a stringent process of verifying select controls, just like you would need to do in a full Validated Assessment. Let’s take a closer look at the process.
Steps Required for Bridge Assessment
According to HITRUST Alliance’s guide to Bridge Assessment, achieving Bridge Certification requires a straightforward, six-step process between two periods of full Certification:
- Step 1 – Obtain a HITRUST CSF Bridge Assessment Object in the MyCSF platform.
- Step 2 – Contract an Authorized External Assessor to test 19 “requirement statements.” Validated Assessments that are already underway may be used for Bridge Assessment.
- Step 3 – Represent the following truths, agreed to by Authorized External Assessor: no reportable breaches of significance have occurred since the last Certification; no significant changes to security environment have happened since the previous Certification; the organization will complete a Validated Assessment before the Bridge period ends.
- Step 4 – Await “fast track” Quality Assurance Review of Assessor’s tests from HITRUST.
- Step 5 – Await official issuance of HITRUST CSF Bridge Certificate from HITRUST.
- Step 6 – Submit a Validated Assessment to HITRUST before the Bridge period expires. Days within the Bridge period are subtracted from any subsequent Certification period.
Importantly, as noted above, Bridge Certification is not a replacement for full Certification. For that, your company will need to ensure all of the HITRUST CSF is fully implemented and maintained. So, let’s take a closer look at the entire framework and how to meet compliance.
HITRUST CSF Compliance 101
The Bridge Assessments are not the only requirements for compliance. Critically, companies need to implement all of the controls across the CSF. The CSF comprises 156 Control References. These are distributed across 14 Control Categories, which break down into 49 Objective Names that house each individual Reference.
These Categories, Objectives, and Controls reflect analogous schemes across compliance frameworks the CSF draws from. For example, many Category names are similar to categories in the NIST Cybersecurity Framework, and References often draw directly from HIPAA and HITECH.
The CSF is currently in Version 9.4.1, which is available for free download only after signing a licensing agreement with HITRUST. The breakdown below is sourced from the CSF.
Categories, Objectives, and References
The Categories, Objectives, and References that make up the CSF break down as follows:
- Control Category 0.0: Information Security Management – Executive-level maintenance of security policies (one Objective Name, one Control Reference)
- Control Category 0.1: Access Control Security – Restrictions on access through credential and account management (seven Objective Names, 25 Control References)
- Control Category 0.2: Human Resources Security – Personnel movement and management practices (four Objective Names, nine Control References)
- Control Category 0.3: Risk Management Policy – Systematic approaches to risk monitoring and analysis (one Objective Name, four Control References)
- Control Category 0.4: Security Policy – Requirements for creation and maintenance of security policies (one Objective Name, two Control References)
- Control Category 0.5: Information Security Organization – Internal and external stakeholder governance (two Objective Names, 11 Control References)
- Control Category 0.6: Regulatory Framework Compliance – Controls ensuring compliance across frameworks (three Objective Names, ten Control References)
- Control Category 0.7: Asset Management Security – Protocols for inventory monitoring and control (two Objective Names, five Control References)
- Control Category 0.8: Physical and Environmental Security – Restrictions on access to protected devices and spaces (two Objective Names, 13 Control References)
- Control Category 0.9: Communications and Operations Security – Controls for sensitive transmissions over networks (ten Objective Names, 32 Control References)
- Control Category 0.10: Information Systems Management – Regulations for software, hardware, and applications (six Objective Names, 13 Control References)
- Control Category 0.11: Security Incident Management – Protocols to follow if a cybersecurity event occurs (two Objective Names, five Control References)
- Control Category 0.12: Business Continuity Management – Practices to restore operations post-attack (one Objective Name, five Control References)
- Control Category 0.13: Privacy Security Practices – Methods for ensuring accountability across staff (seven Objective Names, 21 Control References)
A Professional Approach to HITRUST
Here at RSI Security, we’re committed to helping you accomplish any form of HITRUST testing you need, from Self to Bridge Assessments. Our suite of HITRUST compliance services spans initial patch reporting and readiness analysis, development and implementation of cybersecurity architecture, and guidance with all assessment levels. We’re a one-stop HITRUST shop.
Plus, we’re also committed to helping your company with all other compliance and managed IT or security services you might need. We’ve helped businesses of all sizes across all industries keep their stakeholders safe for over a decade. Whether you need help with a HITRUST Bridge Assessment, Certification, or any other cyberdefense element, contact RSI Security today!
Download Our HITRUST Compliance Checklist
Assess where your organization currently stands with being HITRUST compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.