RSI Security hosted a webinar on measuring the ROI and benefits of HITRUST certification. Tom Glaser, a Security Assessor with RSI Security, led the presentation.
Tom started by emphasizing the need for organizations to understand HITRUST certification. From his experience as a Security Assessor, he believes education about the HITRUST certification process guides cybersecurity decision-making and enables security programs to mature.
Over his 20-year career in the cybersecurity industry, he has performed security assessments spanning various frameworks, including:
- Payment Card Industry (PCI) standards
- National Institute of Standards and Technology (NIST)
- HITRUST CSF
- Center for Internet Security (CIS) Critical Security Controls (CSC)
Tom concluded his introduction by mentioning that he considers himself a generalist in information security with an IT audit background.
ROI with a HITRUST Certification vs. Benefits
Tom introduced the first section of the webinar, highlighting the need to weigh the ROI of a HITRUST certification against its benefits. Before investing in HITRUST certification, validation, or audits, you must understand the HITRUST processes.
Top Concerns for HITRUST
Tom shared some of the common concerns expressed by clients looking to obtain HITRUST certification:
- Customer assurance – Although customers typically request security assurance, stakeholders (e.g., executives, Board of Directors, vendors) may also ask about your data security controls.
- Compliance risk – With constant changes to compliance regulations, organizations must effectively manage compliance risk to stay current.
- Audit fatigue – Organizations may experience audit fatigue if they have to address the compliance requirements of multiple regulatory frameworks.
HITRUST compliance and certification can address the above concerns by building assurance amongst stakeholders, managing compliance risk, and streamlining compliance across various frameworks.
Important Features of HITRUST CSF
Tom highlighted the importance, when deciding how to mature your security program, of leveraging HITRUST to build assurance amongst customers and stakeholders around data security and risk management.
Specifically, HITRUST is a highly rigorous, industry-recognized framework that provides immediate risk management assurance. By mentioning your HITRUST certification in business discussions, you present a solid reputation for your security program.
Furthermore, the HITRUST CSF framework is widely adopted within the healthcare industry and incorporates requirements from several other frameworks that healthcare organizations also encounter (e.g., PCI DSS, GDPR, CCPA).
Requirements for Investing in HITRUST CSF
Next, Tom discussed potential considerations for organizations looking to invest in HITRUST:
Internal Staffing Investment
First, HITRUST CSF compliance requires organization-wide commitment involving:
- IT staff to manage security infrastructure
- Compliance teams
- Management-level oversight to streamline processes
- Coordinator to liaise with different teams
- Technical writers to document HITRUST procedures
Internal staff should anticipate dedicating 20 to 30 hours per week to HITRUST readiness over two to three months.
Internal Security Investment
Next, you must conduct a readiness assessment in preparation for HITRUST certification. Tom advised investing in security tools and infrastructure that meet HITRUST validation standards, ensuring gap remediation where necessary.
Examples of security tools and infrastructure that may require gap remediation include:
- Log monitoring
- Multifactor authentication for remote access
- Employee screening
- Mobile device security
- Security awareness training
- Data classification
Gap remediation could take anywhere from a few weeks to several months, depending on organization-specific needs. Therefore, it is critical to define your timeline for HITRUST certification when planning gap remediation and the overall investment in HITRUST readiness.
Finally, Tom discussed the external investments organizations should prepare for when investing in HITRUST CSF.
Costs to prepare for include:
- MyCSF portal subscription – The only way to obtain a HITRUST validation is to work with HITRUST and subscribe to the MyCSF portal, which streamlines:
  - Validation audits
  - Tracking of audit progress
  - Management of program maturity
- Advisory and assessment – HITRUST certification preparedness also requires investing in:
  - Readiness advisory to prepare for validation (with the help of a Security Assessor)
  - Technical writing expertise
  - Remediation advisory (also with the help of a Security Assessor)
  - Validation assessment
It is important to note that the above costs will vary based on your posture going into the HITRUST certification process.
General Timeline for HITRUST r2 Validated Assessments
Tom then explained the phases of the HITRUST r2 Validated Assessment, beginning with scoping.
The initial step in an r2 Validated Assessment is to work with an External Assessor to define the scope of the audit.
It is helpful for your scoping strategy to consider the:
- Subsidiaries within the organization
- Different lines of business
HITRUST allows you to define audit boundaries and specify which departments to include in audit processes. Even when you’re not ready for an organization-wide HITRUST assessment, starting assessments within critical areas of the organization helps strengthen your security.
Readiness Advisory, Assessment and Remediation Roadmaps
Once scoping is complete, you can work with a Security Assessor on readiness preparation. Readiness advisory is a dry run through the HITRUST control descriptions to determine your security posture.
A Security Assessor can help you establish a remediation roadmap to define the steps required to address security gaps.
Following a gap assessment, preparation for a validation audit requires you to spend a few months operating the security controls and preparing evidence items to meet the audit criteria. During the gap assessment and remediation, controls also need to be implemented operationally.
Tom emphasized that the validation audit will also require internal resources to gather evidence items necessary for the controls and control descriptions.
Each control is evaluated against its control description on a minimum of three criteria.
For each control, your policy and procedural documentation must be detailed enough to demonstrate the scope of the control.
HITRUST CSF Controls
Tom then introduced HITRUST CSF controls. He mentioned that the total number of controls varies with your options for HITRUST assessments. However, each control you choose requires you to meet very specific criteria.
With HITRUST CSF, you cannot subjectively respond to controls based on your organization-specific implementation. Instead, you must address each of the control descriptions per HITRUST expectations.
Changes to HITRUST Assessments
Tom highlighted some of the changes to HITRUST assessments. He expressed his excitement about the new assessments because they allow any organization to build up its security program.
New HITRUST Basic Assessment
Organizations can start with the HITRUST Basic Assessment (which can be conducted as a self-assessment or with the help of an External Assessor), which provides several benefits:
- A better understanding of your security posture
- The ability to discuss alignment with the HITRUST framework during discussions with stakeholders, even without certification
- The opportunity to complete the i1 (entry-level certification audit), which provides a baseline for security controls
Tom also mentioned that RSI Security has not yet conducted any of the above audits since they have just been released but believes the i1 HITRUST assessments are great for organizations looking to get started with HITRUST.
Unlike the i1 controls, the r2 control set involves:
- An exercise of scoping factors, which results in a customized control set specific to your organization’s profile
- Addressing a larger control set with far more control descriptions (over 200 controls, each with three criteria) and more evidence preparation
Tom reiterated that the higher rigor of HITRUST makes it a highly regarded certification.
Why Invest in HITRUST?
Even with a lengthy timeline and resource investment, Tom discussed some benefits of investing in HITRUST.
The biggest benefit is addressing concerns presented by customers and stakeholders. HITRUST certification provides a competitive advantage and demonstrates proper stewardship of data.
Tom mentioned that vendor security questionnaires are typically extensive (sometimes containing 400-500 questions) and can potentially impact business opportunities.
HITRUST certification can save you time by demonstrating security in such instances. He added that some organizations still require vendor security questionnaires, but even then HITRUST certification saves time when filling them in.
Looking internally, HITRUST also improves your security posture by formalizing the residual risk reduction process.
Which HITRUST Assessment is Right for You?
To determine which HITRUST assessment might be right for an organization, Tom suggested two criteria to help guide the decision-making:
- The requirements of your customers
- The risk appetite of an organization’s leadership
Tom then outlined the benefits of each assessment.
HITRUST Basic Current-State Assessment
Tom mentioned several advantages of starting with a HITRUST Basic Assessment:
- Flexibility – When the timeline for addressing HITRUST validation criteria and conducting gap assessments is lengthy, especially when there are no pressing requirements for certification, HITRUST Basic accommodates constraints due to:
  - Staff availability
  - Budget limits
- Initial assurance – Even when the HITRUST certification process is not complete, HITRUST Basic provides assurance to customers during the sales process and bypasses initial security concerns that could hinder contract discussions.
- Cost reduction – With reduced rigor, HITRUST Basic also lowers the external costs of security advisory associated with certified audits. HITRUST Basic also reduces the costs and resources required to complete audits within a defined timeframe, especially when you don’t have pressing external or internal HITRUST requirements.
As a simple approach to HITRUST, the Basic Assessment is a great starting point for organizations new to HITRUST compliance.
HITRUST i1 Validated Assessment
The i1 Validated Assessment is a baseline audit that addresses the core set of controls that should be met before undergoing a validation audit. It is a step up from the Basic Assessment.
As discussed earlier, the i1 Assessment involves:
- Advisory period with a Security Assessor
- Gap assessment of security controls
- Remediation of security gaps
- Validation audit against HITRUST evaluation criteria
- Certification (with the presentation of a certified report) following validation audit
Tom mentioned that the i1 Validated Assessment is great for organizations that are looking to obtain HITRUST certification but do not currently have the resources for the r2 Validated Assessment.
HITRUST r2 Validated Assessment
The HITRUST r2 Validated Assessment is based on a customized control set determined by the scoping factors entered into the MyCSF portal. The r2 Validated Assessment evaluates a minimum of 260 controls, a number that increases with the scoping factors entered in MyCSF.
When conducting the r2 Validated Assessment, Tom added that organizations should factor in the multiplicative effect of the three criteria required to assess each control. Organizations must satisfy the criteria for each control and demonstrate implementation with the appropriate evidence.
The r2 Validated Assessment also provides the opportunity to expand on the regulatory factors within the control set. For example, as more states implement state-specific privacy regulations, organizations can add them to their HITRUST assessment.
However, Tom highlighted the need to consider the time, resource, and financial investment required when additional controls are added to the 260 already present in the r2 Validated Assessment.
HITRUST vs. Other Information Security Programs
So, now that you’ve invested in HITRUST, what benefits can you expect, and what is the associated ROI? Tom highlighted a few benefits of the HITRUST framework.
Tom emphasized that the MyCSF portal is currently the best assessment portal offered by any security framework.
Benefits of the MyCSF portal include:
- Tracking the progress of HITRUST assessments
- Capturing and storing evidence within the portal
- Communication between relevant stakeholders of the HITRUST process, including:
  - Organizations and Security Assessors
  - Security Assessors and the HITRUST QA team
The MyCSF portal streamlines HITRUST CSF compliance and reduces delays during the HITRUST assessment process.
Active Management of HITRUST
Unlike other security frameworks, HITRUST is actively managed. Each year, HITRUST evaluates all the changes taking place across:
- Regulatory frameworks
- Data security best practices
- Cybersecurity threat landscape
HITRUST incorporates all the updates into the control revisions of the framework.
Although other frameworks may be updated only every few years (e.g., PCI DSS, NIST), HITRUST is updated annually to keep pace with the fast-changing privacy and regulatory environment.
The differentiating factor of HITRUST is its dedication to keeping control sets current and addressing pressing data security needs across organizations, which maximizes your security ROI.
Risks of Ineffective Cybersecurity
Even as a security program matures, gaps in its effectiveness can surface. Tom emphasized the need for continuous security effort amidst growing threats, because what matters is how well you are positioned to face them.
Tom also referred the audience to security tools that can help navigate the ever-changing threat and risk management landscape.
He concluded the webinar by emphasizing the ROI with HITRUST as the acceleration of data security assurance with customers and stakeholders.
Optimize Your HITRUST CSF Compliance
In the current cybersecurity threat environment, preparedness is critical to mitigating security risks. RSI Security’s team of Security Assessors will help you identify the right HITRUST assessment that fits your organization’s security needs and optimize your security posture.
Contact RSI Security today to get started with robust HITRUST CSF compliance!