RSI Security

How Long Does it Take to Get HITRUST Certified?

Over the past two decades, many healthcare companies have struggled to transition from physical to digital record keeping as mandated by the HITECH Act. Naturally, the convoluted changes, standards, and stringencies outlined therein have left businesses confused, scratching their heads, wondering how best to wade through this quagmire. As a result, the total overhaul of such a massive system has moved at a glacial pace. 

To make matters more complicated, as the healthcare industry develops, growing ever more dependent upon emerging and expanding technologies in order to cache and deliver electronic healthcare records [EHR], ensuring compliance and maintaining cybersecurity have become an increasingly intricate ballet. A large aspect of compliance involves obtaining your HITRUST certification, which is no simple process. So, to help you prepare for the obstacles ahead, below you’ll find our comprehensive guide on the HITRUST certification process and timeline.


HITRUST Certification Timeline 

The CSF process involves four primary steps, some of which must be taken by your organization before any official assessment takes place. Briefly, the timeline for these steps looks like:

HITRUST requirements state that in order to pass, you must show readiness against every one of the 135 Community Security Framework [CSF] controls. These controls are divided into 19 different domains:

  1. Access Control
  2. Audit Logging & Monitoring
  3. Business Continuity & Disaster Recovery
  4. Configuration Management
  5. Data Protection & Privacy
  6. Education, Training & Awareness
  7. Endpoint Protection
  8. Incident Management
  9. Information Protection Program
  10. Mobile Device Security
  11. Network Protection
  12. Password Management
  13. Physical & Environmental Security
  14. Portable Media Security
  15. Risk Management
  16. Third-Party Security
  17. Transmission Protection
  18. Vulnerability Management
  19. Wireless Protection

CSF follows a risk-based approach that sets security standards proportionate to your particular level of risk. You are assigned one of three levels, with Level 1 acting as the baseline control requirements. Every additional level includes the requirements of the lower levels and then tacks on further requirements relating to your increased risk.

Because the process is time-consuming, typically taking at least 90 days for the primary audit, HITRUST recommends that you perform an internal readiness or self-assessment ahead of time prior to undergoing the validated assessment.


HITRUST Self-Assessment

The self-assessment allows your company, regardless of its size, to gauge how compliant it currently is and provides you with an opportunity to make fixes or iron out problems that would otherwise result in a failure. Skipping it will likely result in a failed test and additional delays. According to HITRUST:

Self-assessment allows organizations to self-assess using the standard methodology, requirements, and tools provided under the CSF Assurance Program. HITRUST will then perform limited validation on the results of the self-assessment to provide a limited level of assurance to the relying entity. 

This process will take anywhere from two to eight weeks in order to complete, but the exact timeline will depend heavily upon the complexity and size of your business. The self-assessment and the following degrees of assurance will typically follow nine prescriptive steps: 

Step 1: Project Startup

The initial step is meant to provide a full picture as to your company’s scope and structure and will inform the rigors and scope of the total assessment. This involves identifying a project coordinator who will be in charge of organizing personnel, conducting interviews, gathering documents, and giving insight. Ideally, you will want to select someone who has authority within the organization to make decisions and access to higher-ups within the company. 


Step 2: Defining the Organizational Scope 

The goal of this phase is to properly gauge the size and scope of your organization. This includes:

Once facilities are identified, you can begin narrowing down which ones might fall under the assessment scope. Usually, these will be locations where sensitive information can be stored, accessed, or sent out, or places where sensitive information could potentially be physically accessed.


Step 3: Define System Scope

This HITRUST certification requirement is intended to help you narrow down which information systems will be the main emphasis of the CSF assessment. Upon completion, your business will have a more thorough understanding of which areas pose the highest risk and require the most oversight. This will involve:


Step 4: Examine Documentation and Practices

At this stage, your assessment team can take all the information gathered in the previous stages and begin evaluating it for compliance against the various controls. This will necessitate a thorough review of at least one information security practice. During this phase, the team will inspect, observe, review, and analyze the relevant processes and procedures before proceeding to the next step.


Step 5: Conduct Interviews 

In step 3, one of the tasks involves scheduling stakeholder interviews for step 5. These give the assessment team a chance to gain a broad and practical understanding of how the CSF’s organizational and system controls are implemented and adhered to. It’s helpful to gather and review any relevant documents related to the interviewees’ field beforehand. Doing so will allow you to ask pointed questions and to identify potential problems or areas that require redress.


Step 6: Undergo Technical Testing 

The testing process allows you to unveil vulnerabilities, flaws, or issues in information systems. It will include:


Step 7: Document Findings 

Upon completion of technical testing and control assessment, your team will begin to compile all relevant findings. Once the report is finished, it will eventually be submitted to HITRUST. One of the primary goals of this fact-finding mission is to identify and select alternate controls, particularly in areas of noncompliance. This creates a risk-mitigation avenue that allows your organization to respond to control deficiencies. 


Step 8: Reporting 

Once the entire self-assessment procedure reaches its conclusion, the onus is on your team to report your findings and fix any areas of noncompliance. The reporting stage involves:

Upon receiving the report, CSF will provide a score for each control domain. 

This report should be passed along to management and all key stakeholders. Doing so allows your team to review, discuss, and plan for the future.


Step 9: Remediation 

The final step of the self-assessment process is known as remediation, which involves your team producing a corrective action plan [CAP]. As defined by the Centers for Medicare and Medicaid Services:

A corrective action plan is a step-by-step plan of action that is developed to achieve targeted outcomes for resolution of identified errors in an effort to: identify the most cost-effective actions that can be implemented to correct error causes; develop and implement a plan of action to improve processes or methods so that outcomes are more effective and efficient; achieve measurable improvement in the highest priority areas; eliminate repeated deficient practices.

A high-level CAP should mirror management’s response to the report and will include: 


CSF Validated

Upon completing the self-assessment, reporting your findings, and taking corrective measures, your team will once more undergo the same process, but via the HITRUST CSF Validated Assessment. According to HITRUST: “Validated assessments are conducted by a HITRUST Approved CSF Assessor. The CSF Assurance Program’s assessment methodology is used and the controls are scored using HITRUST’s maturity approach to control implementation. Assessments meeting or exceeding the current CSF Assurance Program requirements receive a HITRUST validated report indicating they are HITRUST CSF Certified.”

This stage requires a third-party CSF Assessor such as RSI Security in order to confirm that your company is in compliance. They will perform a thorough CSF Assessment and Compliance Audit, ensuring that you’re in the clear. As mentioned previously, this process will also take some time to complete – approximately six to eight weeks, if not longer – depending on the scope, area, and complexity of your organization. In addition, there may be additional or follow-up audits that take up shorter spans of time.

The assessor will go through similar steps to those outlined for the CSF Self-Assessment. If your company is found to be in compliance with HITRUST and no remediation is necessary, you will move on to the final and longest stage of the audit process.


CSF Certified 

Once the documentation from your third-party assessment is uploaded online, the HITRUST Alliance will then conduct a painstaking audit in order to determine whether or not all of the HITRUST regulations were upheld and if all the requisite paperwork was filed. Documentation will include:

Thereafter, HITRUST’s lawyers will take anywhere from a few months to two years to perform their audit. Once more, timelines depend on your particular business.

Upon completion of this process, if you pass, HITRUST will award your organization with its HITRUST CSF certificate. Should you reach this stage, you can breathe a sigh of relief knowing that the worst is past; however, you’re not in the clear yet.  


Repeating the Process

Naturally, as systems and technology evolve, new or different measures are required in order to remain in compliance with CSF. As a result, your business will be compelled to complete an annual audit to demonstrate that you’ve updated your standards and practices to comply with a changing IT world.

This process is far faster and easier to conduct since it will typically only require minor tweaks or provisions to current practices and methodologies. Because of that, costs should also be lower for subsequent audits. With regard to a timeframe, you should expect additional audits to take anywhere from four to eight weeks, once more depending on the scope and complexity of the assessment.


The HITRUST Timeline

As you’ve no doubt discovered, there are hundreds of HITRUST requirements your business must satisfy in order to be “HIPAA compliant.” Your first time through the process will be the most arduous of the audits, likely taking anywhere from one to three years from start to finish.

Fortunately for you, RSI Security is an experienced and licensed CSF Assessor. Our goal is to make compliance easy for you. So, reach out today and our professional team will help get you moving along the HITRUST certification timeline. 

It’s not a simple procedure.

But we make it so. 


Sources

HITRUST. CSF Assurance FAQ. https://hitrustalliance.net/documents/FAQ/CSFAssuranceFAQ.pdf

Center for Medicare and Medicaid Services. Corrective Action Plan Process. https://www.cms.gov/research-statistics-data-and-systems/monitoring-programs/perm/downloads/2013correctiveactionpowerpoint.pdf

HITRUST Alliance. What types of assessments are available in the CSF Assurance Program? https://hitrustalliance.net/frequently-asked/1/en/topic/what-types-of-assessments-are-available-in-the-csf-assurance-program
