Home Compliance StandardsHITRUST How Long Does it Take to Get HITRUST Certified?
HITRUST

How Long Does it Take to Get HITRUST Certified?

by RSI Security
written by RSI Security

Over the past two decades, many healthcare companies have struggled to transition from physical to digital record keeping as mandated by the HITECH Act. Naturally, the convoluted changes, standards, and stringencies outlined therein have left businesses confused, scratching their heads, wondering how best to wade through this quagmire. As a result, the total overhaul of such a massive system has moved at a glacial pace. 

To make matters more complicated, as the healthcare industry develops, growing evermore dependent upon emerging and expanding technologies in order to cache and deliver electronic healthcare records [EHR], ensuring compliance and maintaining cybersecurity has become an increasingly intricate ballet. A large aspect of compliance involves obtaining your HITRUST certification, which is no simple process. So, to help you prepare for the obstacles ahead, below, you’ll find our comprehensive guide on the HITRUST certification process and timeline.

 

HITRUST Certification Timeline 

The CSF process involves four primary steps, some of which must be taken by your organization before any official assessment takes place. Briefly, the timeline for these steps looks like:

  • CSF Self-Assessment – 2 to 8 weeks
  • CSF Validated Assessment – 6 to 8 weeks
  • CSF HITRUST Alliance Certification – 3 to 24 months 
  • Repeat Annually  – Although it’s difficult to say for certain, the re-review process is significantly shorter than the initial reviews.

HITRUST requirements state that in order to pass, you must show readiness against every one of the 135 Community Security Framework [CSF] controls. These controls are divided into 19 different domains:

  1. Access Control
  2. Audit Logging & Monitoring
  3. Business Continuity & Disaster Recovery
  4. Configuration Management
  5. Data Protection & Privacy
  6. Education, Training & Awareness
  7. Endpoint Protection
  8. Incident Management
  9. Information Protection Program
  10. Mobile Device Security
  11. Network Protection
  12. Password Management
  13. Physical & Environmental Security
  14. Portable Media Security
  15. Risk Management
  16. Third-Party Security
  17. Transmission Protection
  18. Vulnerability Management
  19. Wireless Protection

CSF follows a risk-based approach that sets security standards proportionate to your particular level of risk. You are assigned one of three levels with Level 1 acting as the baseline control requirements. Every additional level involves the lower levels and then tacks on further requirements relating to your increased risk.  

Because the process is time-consuming, typically taking at least 90 days for the primary audit, HITRUST recommends that you perform an internal readiness or self-assessment ahead of time prior to undergoing the validated assessment.

 

Assess your HITRUST compliance

 

HITRUST Self-Assessment

The self-assessment allows your company, regardless of its size, to gauge how compliant it currently is and provides you with an opportunity to make fixes or iron out problems that would otherwise result in a failure. Refusal to do so will likely result in a failed test and additional delays. According to HITRUST

Self-assessment allows organizations to self-assess using the standard methodology, requirements, and tools provided under the CSF Assurance Program. HITRUST will then perform limited validation on the results of the self-assessment to provide a limited level of assurance to the relying entity. 

This process will take anywhere from two to eight weeks in order to complete, but the exact timeline will depend heavily upon the complexity and size of your business. The self-assessment and the following degrees of assurance will typically follow nine prescriptive steps: 

Step 1: Project Startup

The initial step is meant to provide a full picture as to your company’s scope and structure and will inform the rigors and scope of the total assessment. This involves identifying a project coordinator who will be in charge of organizing personnel, conducting interviews, gathering documents, and giving insight. Ideally, you will want to select someone who has authority within the organization to make decisions and access to higher-ups within the company. 

 

Step 2: Defining the Organizational Scope 

The goal of this phase is to properly gauge the size and scope of your organization. This includes:

  • Identifying The Business Units – Dividing the business into auditable business units, typically these are determined by whether or not they can operate distinctly from another department. 
  • Regulatory Factors – There are a variety of regulatory factors that may be applicable to your business. These could include:
    • 21 CFR Part II
    • Banking Requirements
    • CMS Minimum Security Requirements
    • CRR V2016
    • EHNAC Accreditation
    • EU GDPR
    • FedRAMP Certification Requirements
    • FISMA Compliance
    • FTC Red Flags Rule Compliance
    • HIPAA
    • HITRUST De-ID Framework Requirements
    • IRS Pub 1075 Compliance
    • Joint Commission Accreditation
    • MARS-E Requirements
    • PCI Compliance
    • Personal Data Protection Act
    • Supplemental Requirements
  • Identifying The Physical Facilities – Your organization’s physical footprint plays an integral role in making a determination on scope. Facilities might include:
    • Administrative offices
    • Clinics
    • Data centers
    • Manufacturing locations
    • Satellite locations
    • Co-locations

Once facilities are identified, you can begin narrowing down which ones might fall under the assessment scope. Usually, it will be locations where sensitive information can be stored, accessed, or sent out or a place where sensitive information could potentially be physically accessed.

 

Step 3: Define System Scope

This HITRUST certification requirement is intended to help you narrow down which information systems will be the main emphasis of the CSF assessment. Upon completion, your business will have a more thorough understanding of which areas pose the highest risk and require the most oversight. This will involve:

  • Identifying information systems
  • Aggregating systems, where appropriate
  • Documenting system factors
  • Scheduling stakeholder interviews
  • Implementing required levels

 

Step 4: Examine Documentation and Practices

At this stage, your assessment team can take all the information gathered in the previous stages and begin evaluating them for compliance based on the various controls. This will necessitate a thorough review of at least one information security practice. During this phase, the team will inspect, observe, review and analyze the processes and procedures and then move from there. 

 

Step 5: Conduct Interviews 

In step 3, one of the tasks involves scheduling stakeholder interviews for step 5. These give the assessment team a chance to gain a broad and practical understanding of how organization and system controls of CSF are conducted and adhered to. It’s helpful to gather and review any relevant documents related to the interviewees’ field. Doing so will allow you to ask poignant questions and to identify potential problems or areas that require redress. 

 

Step 6: Undergo Technical Testing 

The testing process allows you to unveil vulnerabilities, flaws, or issues in information systems. It will include:

 

Step 7: Document Findings 

Upon completion of technical testing and control assessment, your team will begin to compile all relevant findings. Once the report is finished, it will eventually be submitted to HITRUST. One of the primary goals of this fact-finding mission is to identify and select alternate controls, particularly in areas of noncompliance. This creates a risk-mitigation avenue that allows your organization to respond to control deficiencies. 

 

Step 8: Reporting 

Once the entire self-assessment procedure reaches its conclusion, the onus is on your team to report your findings and fix any areas of noncompliance. The reporting stage involves:

  • Creating Remediation Prescription – The first task of your assessment team is to outline and recommend actions to address and manage areas of CSF noncompliance. This will include recommending ways to mitigate risk and propose improvements or solutions to issues. 
  • Submitting The Report To HITRUST – Your team will need to submit the following to CSF:
    • The baseline questionnaire 
    • Description of scope
    • Review of your company’s:

Upon receiving the report, CSF will provide a score for each control domain. 

  • Delivering The Report To Executive Management – Also known as socialization, the project manager is required to report your team’s findings to executive management. This document will include sections such as:
    • Organization’s level of compliance based on CSF strictures
    • The systems’ level of compliance based on CSF strictures
    • The team’s remediation recommendations

This report should be passed along to all important stakeholders and presented to both management and key stakeholders. Doing so allows your team to review, discuss, and plan for the future. 

  • Management Responds – Upon briefing, management will need to prescribe a set of actions to take based on the report’s findings. Such actions likely include implementing alternate or appropriate controls. 

 

Step 9: Remediation 

The final step of the self-assessment process is known as remediation, which involves your team producing a corrective action plan [CAP]

A corrective action plan is a step by step plan of action that is developed to achieve targeted outcomes for resolution of identified errors in an effort to: Identify the most cost-effective actions that can be implemented to correct error causes; develop and implement a plan of action to improve processes or methods so that outcomes are more effective and efficient; achieve measurable improvement in the highest priority areas – Eliminate repeated deficient practices

A high-level CAP should mirror management’s response to the report and will include: 

  • Control gap
  • Control gap identifier
  • Corrective actions
  • Date identified
  • HITRUST CSF control mapping
  • Point of contact
  • Schedule completion date
  • Status of corrective action 

 

 

CSF Validated

Upon completing the self-assessment, reporting your findings, and taking corrective measures, your team will once more undergo the same process, but via the HITRUST CSF Validated Assessment. According to HITRUST: “Validated assessments are conducted by a HITRUST Approved CSF Assessor. The CSF Assurance Program’s assessment methodology is used and the controls are scored using HITRUST’s maturity approach to control implementation. Assessments meeting or exceeding the current CSF Assurance Program requirements receive a HITRUST validated report indicating they are HITRUST CSF Certified.

This stage requires a third-party CSF Assessor such as RSI Security in order to confirm that your company is in compliance. They will perform a thorough CSF Assessment and Compliance Audit, ensuring that you’re in the clear. As mentioned previously, this process will also take some time to complete – approximately six to eight weeks, if not longer – depending on the scope, area, and complexity of your organization. In addition, there may be additional or follow up audits that take up shorter spans of time. 

The assessor will go through similar steps as outlined by the CSF Self-Assessment. If your company is found to be in compliance with HITRUST and no remediation necessary, you will move on to the final and longest stage of the audit process. 

 

CSF Certified 

Once the documentation from your third-party assessment is uploaded online, the HITRUST Alliance will then conduct a painstaking audit in order to determine whether or not all of the HITRUST regulations were upheld and if all the requisite paperwork was filed. Documentation will include:

  • Risk assessments
  • Policies
  • Configurations
  • Technical documentation 

Thereafter, HITRUSTS lawyers will take anywhere from a few months to two years to perform their audit. Once more, timelines depend on your particular business.

Upon completion of this process, if you pass, HITRUST will award your organization with its HITRUST CSF certificate. Should you reach this stage, you can breathe a sigh of relief knowing that the worst is past; however, you’re not in the clear yet.  

 

Repeating the Process

Naturally, as systems and technology evolves, new or different measures are required in order to remain in compliance with CSF. As a result, your business will be compelled to complete an annual audit to demonstrate that you’ve updated your standards and practices to comply with a changing IT world. 

This process is far faster and easier to conduct since it will typically only require minor tweaks or provisions to current practices and methodologies. Because of that, costs should also be lower for subsequent audits. In regards to a timeframe, you should expect additional audits to take anywhere from four to eight weeks, once more depending on the scope and complexity of the assessment. 

 

 

The HITRUST Timeline

As you’ve no doubt discovered, there are hundreds of HITRUST requirements your business must satisfy in order to be “HIPPA compliant.” Your first time through the process will be the most arduous of the audits, likely taking anywhere from one to three years from start to finish. 

Fortunately for you, RSI Security is an experienced and licensed CSF Assessor. Our goal is to make compliance easy for you. So, reach out today and our professional team will help get you moving along the HITRUST certification timeline. 

It’s not a simple procedure.

But we make it so. 

 

Speak with a HITRUST expert today!

 

Download Our HITRUST Compliance Checklist

Assess where your organization currently stands with being HITRUST compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.

 

Sources

HITRUST. CSF Assurance FAQ. https://hitrustalliance.net/documents/FAQ/CSFAssuranceFAQ.pdf

Center for Medicare and Medicaid Services. Corrective Action Plan Process. https://www.cms.gov/research-statistics-data-and-systems/monitoring-programs/perm/downloads/2013correctiveactionpowerpoint.pdf

HITRUST Alliance. What types of assessments are available in the CSF Assurance Program? https://hitrustalliance.net/frequently-asked/1/en/topic/what-types-of-assessments-are-available-in-the-csf-assurance-program

0 comment
1
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

How to Optimize Data Encryption in Healthcare

March 4, 2022

Who Needs HITRUST Certification?

October 23, 2019

How Often Do I Need a HITRUST CSF...

November 13, 2019

What is the HITRUST Threat Catalogue?

November 17, 2021

How To Get A HITRUST Certification Assessment

November 22, 2019

HITRUST vs. HIPAA: What’s the Difference?

July 3, 2019

Improving Critical Infrastructure Cybersecurity: NIST CSF vs. HITRUST...

December 18, 2022

HIPAA Risk Assessment, CMMC Compliance, and HITRUST Audits

August 10, 2023

What Are the Different Types of HITRUST Assessments?

October 22, 2019

The Difference Between Business and Individual HITRUST Certification

September 27, 2021

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More