Like going to the doctor for an updated checkup, healthcare companies need to know where they stand concerning cybersecurity on the regular. A HITRUST certification is like getting a booster shot that’s valid for two years and will protect you from a wide variety of cybersecurity concerns.
Healthcare organizations are some of the juiciest targets out there for malicious cybercriminals in search of someone to compromise. These entities hoard data that is both highly sensitive and highly identifiable, so breaches here can have serious repercussions on people’s privacy and general security alike. These breaches are not only expensive to fix but leave people feeling especially vulnerable.
Larger institutions like Massachusetts General Hospital might have a dedicated staff to handle medical data security issues, but startups and smaller organizations don’t necessarily have that level of resources available.
Fortunately, a helpful cybersecurity standard called HITRUST is out there, and it’s available to all organizations that meet or exceed its data handling requirements. A HITRUST certification is a mark of compliance, denoting healthcare entities that take active steps to securely handle medical data.
If you want a similar mark of compliance for your organization, then you need to successfully pass a certification assessment. But this ought not to be taken lightly — a successful HITRUST certification only goes out to companies that have prepared for it.
Don’t take an expensive gamble on getting this certification — you should have a good clue of where you stand before the real assessor ever shows up. That’s why the first step is to take stock of your situation.
Run a gap analysis to see what you might be missing.
Identify what you might already be doing wrong from a cybersecurity perspective. Your completed HITRUST certification assessment will provide more insight into any actionable shortcomings and how to address them, but it’s helpful to take stock at the outset.
It puts you into the mindset of tweaking a process, and it might take some time for that process to run according to plan. Entering into this experience with your own data in hand will only make your HITRUST journey more effective.
Identify your engagement level.
Companies pursue different HITRUST certification assessments for different reasons. Knowing your engagement level points you toward the assessment you need. Each one of these levels requires that you access different CSF-provided tools and work with different levels of program assurance.
The different engagement levels go as follows.
Self-assessment: an organization only wants to review its controls and isn’t pursuing a CSF-validated assessment or CSF certification.
Validated assessment: an organization wants to perform the self-assessment, then get a CSF-validated assessment or become CSF-certified.
Adopter: an organization wants to use the HITRUST CSF to establish its privacy and security controls.
The self-assessment is a useful on-ramp for someone who is new to these topics and wants to see where they stand. Validated assessments are for people who have already done some groundwork and prepared their team to meet new standards. And adopters are those who want to go more hands-on with the HITRUST framework.
Get validated and certified!
Certification depends on validation, and validation depends on an assessor conducting your review. HITRUST certification starts with your self-assessment but then tags in a HITRUST CSF assessor to review your controls and validate how effective they are.
The self-assessment process starts with a risk-based questionnaire that identifies your organization’s maturity level across several categories. It will want to know whether your business has existing cybersecurity policies or standards, which processes support those policies and how they’re implemented, whether management tests and measures their operation, and whether it takes corrective action as needed.
This is all done in the name of identifying a level of compliance. Within the previously named categories, companies pursuing HITRUST certification may be tagged as non-compliant, somewhat compliant, partially compliant, mostly compliant, or fully compliant. When you finish the self-assessment, forward the results to HITRUST.
A CSF assessor will conduct an on-site review using HITRUST’s MyCSF Tool. You’ll answer the assessment questions using the tool, then the assessor will compare the supporting documentation and run the testing. Your CSF assessor will generate a report at the end of this, and that report is called the CSF-validated report. It goes to HITRUST for certification.
Once HITRUST certifies the report, certification remains active for 24 months, unless you report a breach to the Department of Health and Human Services.
In cases of a breach, you have to perform an appropriate analysis of the situation, including forensics work to determine where the technical controls failed. Any HITRUST CSF-certified organization that experiences a data breach will have to take an annual assessment for two years following the breach. In the event of a control failure or misrepresentation of a control, HITRUST may decertify your organization entirely.
HITRUST processes help your organization gain a high-resolution window into its overall cybersecurity health. Data breaches represent a real threat to the 2019 business landscape, so it’s important to not be willfully ignorant here. Healthcare organizations are especially vulnerable to meddlesome hackers seeking access to data.