Over the past two decades, many healthcare companies have struggled to transition from physical to digital record keeping as mandated by the HITECH Act. Naturally, the convoluted changes, standards, and stringencies outlined therein have left businesses confused, scratching their heads, wondering how best to wade through this quagmire. As a result, the total overhaul of such a massive system has moved at a glacial pace.
To make matters more complicated, as the healthcare industry develops, growing ever more dependent upon emerging and expanding technologies to store and deliver electronic healthcare records [EHR], ensuring compliance and maintaining cybersecurity have become an increasingly intricate ballet. A large part of compliance involves obtaining your HITRUST certification, which is no simple process. So, to help you prepare for the obstacles ahead, below you’ll find our comprehensive guide to the HITRUST certification process and timeline.
HITRUST Certification Timeline
The CSF process involves four primary steps, some of which must be taken by your organization before any official assessment takes place. Briefly, the timeline for these steps looks like:
- CSF Self-Assessment – 2 to 8 weeks
- CSF Validated Assessment – 6 to 8 weeks
- CSF HITRUST Alliance Certification – 3 to 24 months
- Repeat Annually – Although it’s difficult to say for certain, the re-review process is significantly shorter than the initial reviews.
HITRUST requirements state that in order to pass, you must show readiness against every one of the 135 Community Security Framework [CSF] controls. These controls are divided into 19 different domains:
- Access Control
- Audit Logging & Monitoring
- Business Continuity & Disaster Recovery
- Configuration Management
- Data Protection & Privacy
- Education, Training & Awareness
- Endpoint Protection
- Incident Management
- Information Protection Program
- Mobile Device Security
- Network Protection
- Password Management
- Physical & Environmental Security
- Portable Media Security
- Risk Management
- Third-Party Security
- Transmission Protection
- Vulnerability Management
- Wireless Protection
The CSF follows a risk-based approach that sets security standards proportionate to your particular level of risk. You are assigned one of three levels, with Level 1 serving as the baseline control requirements. Each higher level includes all the requirements of the levels below it and adds further requirements corresponding to your increased risk.
Because the process is time-consuming, typically taking at least 90 days for the primary audit, HITRUST recommends that you perform an internal readiness or self-assessment ahead of time prior to undergoing the validated assessment.
The self-assessment allows your company, regardless of its size, to gauge how compliant it currently is and gives you an opportunity to make fixes or iron out problems that would otherwise result in a failure. Skipping it will likely result in a failed assessment and additional delays. According to HITRUST:
Self-assessment allows organizations to self-assess using the standard methodology, requirements, and tools provided under the CSF Assurance Program. HITRUST will then perform limited validation on the results of the self-assessment to provide a limited level of assurance to the relying entity.
This process will take anywhere from two to eight weeks in order to complete, but the exact timeline will depend heavily upon the complexity and size of your business. The self-assessment and the following degrees of assurance will typically follow nine prescriptive steps:
Step 1: Project Startup
The initial step is meant to provide a full picture as to your company’s scope and structure and will inform the rigors and scope of the total assessment. This involves identifying a project coordinator who will be in charge of organizing personnel, conducting interviews, gathering documents, and giving insight. Ideally, you will want to select someone who has authority within the organization to make decisions and access to higher-ups within the company.
Step 2: Defining the Organizational Scope
The goal of this phase is to properly gauge the size and scope of your organization. This includes:
- Identifying The Business Units – Dividing the business into auditable business units; typically these are determined by whether or not they can operate distinctly from another department.
- Regulatory Factors – There are a variety of regulatory factors that may be applicable to your business. These could include:
  - 21 CFR Part II
  - Banking Requirements
  - CMS Minimum Security Requirements
  - CRR V2016
  - EHNAC Accreditation
  - EU GDPR
  - FedRAMP Certification Requirements
  - FISMA Compliance
  - FTC Red Flags Rule Compliance
  - HITRUST De-ID Framework Requirements
  - IRS Pub 1075 Compliance
  - Joint Commission Accreditation
  - MARS-E Requirements
  - PCI Compliance
  - Personal Data Protection Act
  - Supplemental Requirements
- Identifying The Physical Facilities – Your organization’s physical footprint plays an integral role in determining scope. Facilities might include:
  - Administrative offices
  - Data centers
  - Manufacturing locations
  - Satellite locations
Once facilities are identified, you can begin narrowing down which ones fall under the assessment scope. Usually, these will be locations where sensitive information is stored, accessed, or transmitted, or where it could potentially be physically accessed.
Step 3: Define System Scope
This HITRUST certification requirement is intended to help you narrow down which information systems will be the main emphasis of the CSF assessment. Upon completion, your business will have a more thorough understanding of which areas pose the highest risk and require the most oversight. This will involve:
- Identifying information systems
- Aggregating systems, where appropriate
- Documenting system factors
- Scheduling stakeholder interviews
- Implementing required levels
Step 4: Examine Documentation and Practices
At this stage, your assessment team can take all the information gathered in the previous stages and begin evaluating it for compliance against the various controls. This will necessitate a thorough review of at least one information security practice. During this phase, the team will inspect, observe, review, and analyze the processes and procedures before moving on.
Step 5: Conduct Interviews
In step 3, one of the tasks is scheduling the stakeholder interviews for step 5. These give the assessment team a chance to gain a broad and practical understanding of how the CSF’s organizational and system controls are carried out and adhered to. It’s helpful to gather and review any relevant documents related to the interviewees’ field beforehand. Doing so will allow you to ask pointed questions and to identify potential problems or areas that require redress.
Step 6: Undergo Technical Testing
The testing process allows you to uncover vulnerabilities, flaws, or issues in information systems. It will include:
- Vulnerability assessment
- Penetration testing
- Configuration setting validation, covering:
  - Account lockout
  - Audit settings
  - Anti-virus data file levels
  - Password settings
  - Patch levels
  - User listings
Step 7: Document Findings
Upon completion of technical testing and control assessment, your team will begin to compile all relevant findings. Once the report is finished, it will eventually be submitted to HITRUST. One of the primary goals of this fact-finding mission is to identify and select alternate controls, particularly in areas of noncompliance. This creates a risk-mitigation avenue that allows your organization to respond to control deficiencies.
Step 8: Reporting
Once the entire self-assessment procedure reaches its conclusion, the onus is on your team to report your findings and fix any areas of noncompliance. The reporting stage involves:
- Creating a Remediation Prescription – The first task of your assessment team is to outline and recommend actions to address and manage areas of CSF noncompliance. This will include recommending ways to mitigate risk and proposing improvements or solutions to issues.
- Submitting The Report To HITRUST – Your team will need to submit the following to CSF:
  - The baseline questionnaire
  - Description of scope
  - Review of your company’s:
    - Security program
    - Performed tests
    - Plans for corrective action
  Upon receiving the report, CSF will provide a score for each control domain.
- Delivering The Report To Executive Management – In this step, also known as socialization, the project manager is required to report your team’s findings to executive management. This document will include sections such as:
  - The organization’s level of compliance based on CSF strictures
  - The systems’ level of compliance based on CSF strictures
  - The team’s remediation recommendations
  This report should be distributed to all important stakeholders and presented to management. Doing so allows your team to review, discuss, and plan for the future.
- Management Responds – Upon briefing, management will need to prescribe a set of actions to take based on the report’s findings. Such actions likely include implementing alternate or appropriate controls.
Step 9: Remediation
A corrective action plan is a step-by-step plan of action developed to achieve targeted outcomes for the resolution of identified errors. Its aims are to:
- Identify the most cost-effective actions that can be implemented to correct error causes
- Develop and implement a plan of action to improve processes or methods so that outcomes are more effective and efficient
- Achieve measurable improvement in the highest priority areas
- Eliminate repeated deficient practices
A high-level CAP should mirror management’s response to the report and will include:
- Control gap
- Control gap identifier
- Corrective actions
- Date identified
- HITRUST CSF control mapping
- Point of contact
- Schedule completion date
- Status of corrective action
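The configuration-setting checks from Step 6 and the CAP fields from Step 9 fit together naturally: each failed setting check is a control gap that needs a CAP entry. The following is an added example, not code from the page or from HITRUST; the pass/fail thresholds are assumed baselines rather than HITRUST requirements, the domain names come from the page’s list of 19 domains, and the host snapshot, point of contact, and `CAP-nnn` identifier scheme are constructed.

```python
# Added example, not HITRUST's: Step 6 configuration-setting checks whose failures
# become Step 9 CAP entries. Thresholds are assumed baselines; data is constructed.
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed settings snapshot for one in-scope host (not real data).
HOST_SNAPSHOT = {
    "hostname": "ehr-app-01",
    "account_lockout_threshold": 0,   # 0 means lockout is disabled
    "audit_logon_events": False,
    "password_min_length": 6,
    "patch_age_days": 14,
}

# (check name, CSF domain from the page's list, pass predicate, corrective action)
CHECKS = [
    ("Account lockout", "Access Control",
     lambda s: 0 < s["account_lockout_threshold"] <= 10,
     "Enable lockout after at most 10 failed logons"),
    ("Audit settings", "Audit Logging & Monitoring",
     lambda s: s["audit_logon_events"], "Enable logon auditing and forward logs"),
    ("Password settings", "Password Management",
     lambda s: s["password_min_length"] >= 12, "Raise minimum password length to 12"),
    ("Patch levels", "Vulnerability Management",
     lambda s: s["patch_age_days"] <= 30, "Patch host; exceeds 30-day window"),
]

@dataclass
class CapEntry:          # one field per CAP element listed in Step 9
    control_gap: str
    control_gap_identifier: str
    corrective_actions: str
    date_identified: str
    csf_control_mapping: str
    point_of_contact: str
    scheduled_completion_date: str
    status: str = "Open"

def validate(snapshot, poc="security-owner@example.org", found=date(2024, 1, 15)):
    entries = []  # run every check; each failure becomes one CAP entry due in 30 days
    for n, (name, domain, passes, action) in enumerate(CHECKS, start=1):
        if not passes(snapshot):
            entries.append(CapEntry(
                control_gap=f"{name} on {snapshot['hostname']}",
                control_gap_identifier=f"CAP-{n:03d}",  # constructed id scheme
                corrective_actions=action,
                date_identified=found.isoformat(),
                csf_control_mapping=domain,
                point_of_contact=poc,
                scheduled_completion_date=(found + timedelta(days=30)).isoformat()))
    return entries
```

Running `validate(HOST_SNAPSHOT)` on the constructed snapshot yields three open CAP entries (lockout, audit settings, password length) and none for patch levels, which pass the assumed 30-day window.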
Upon completing the self-assessment, reporting your findings, and taking corrective measures, your team will once more undergo the same process, but via the HITRUST CSF Validated Assessment. According to HITRUST: “Validated assessments are conducted by a HITRUST Approved CSF Assessor. The CSF Assurance Program’s assessment methodology is used and the controls are scored using HITRUST’s maturity approach to control implementation. Assessments meeting or exceeding the current CSF Assurance Program requirements receive a HITRUST validated report indicating they are HITRUST CSF Certified.”
This stage requires a third-party CSF Assessor, such as RSI Security, to confirm that your company is in compliance. They will perform a thorough CSF Assessment and Compliance Audit, ensuring that you’re in the clear. As mentioned previously, this process will also take some time to complete – approximately six to eight weeks, if not longer – depending on the scope, area, and complexity of your organization. In addition, there may be additional or follow-up audits that take shorter spans of time.
The assessor will go through steps similar to those outlined for the CSF Self-Assessment. If your company is found to be in compliance with HITRUST and no remediation is necessary, you will move on to the final and longest stage of the audit process.
Once the documentation from your third-party assessment is uploaded online, the HITRUST Alliance will then conduct a painstaking audit in order to determine whether or not all of the HITRUST regulations were upheld and if all the requisite paperwork was filed. Documentation will include:
- Risk assessments
- Technical documentation
Thereafter, HITRUST’s lawyers will take anywhere from a few months to two years to perform their audit. Once more, timelines depend on your particular business.
Upon completion of this process, if you pass, HITRUST will award your organization with its HITRUST CSF certificate. Should you reach this stage, you can breathe a sigh of relief knowing that the worst is past; however, you’re not in the clear yet.
Repeating the Process
Naturally, as systems and technology evolve, new or different measures are required to remain in compliance with the CSF. As a result, your business will be required to complete an annual audit to demonstrate that you’ve updated your standards and practices to keep pace with a changing IT world.
This process is far faster and easier to conduct, since it will typically only require minor tweaks or additions to current practices and methodologies. Because of that, costs should also be lower for subsequent audits. With regard to a timeframe, you should expect additional audits to take anywhere from four to eight weeks, once more depending on the scope and complexity of the assessment.
The HITRUST Timeline
As you’ve no doubt discovered, there are hundreds of HITRUST requirements your business must satisfy in order to be “HIPAA compliant.” Your first time through the process will be the most arduous of the audits, likely taking anywhere from one to three years from start to finish.
Fortunately for you, RSI Security is an experienced and licensed CSF Assessor. Our goal is to make compliance easy for you. So, reach out today and our professional team will help get you moving along the HITRUST certification timeline.
It’s not a simple procedure.
But we make it so.
HITRUST. CSF Assurance FAQ. https://hitrustalliance.net/documents/FAQ/CSFAssuranceFAQ.pdf
Center for Medicare and Medicaid Services. Corrective Action Plan Process. https://www.cms.gov/research-statistics-data-and-systems/monitoring-programs/perm/downloads/2013correctiveactionpowerpoint.pdf
HITRUST Alliance. What types of assessments are available in the CSF Assurance Program? https://hitrustalliance.net/frequently-asked/1/en/topic/what-types-of-assessments-are-available-in-the-csf-assurance-program