The healthcare industry has unique security and privacy challenges, owing to the sensitive data changing hands every second. Complying with multiple government regulations and security standards like HIPAA, PCI DSS, SOC 2, etc. can get complicated, and the added pressure of staying competitive with your peers doesn’t make things easier. Healthcare auditing through HITRUST assessments can help organizations obtain an industry-leading certification and demonstrate their commitment to protecting and securing patient data.
Five Steps for Optimal Healthcare Auditing
Many organizations in and adjacent to healthcare are moving towards HITRUST certification to streamline their security and compliance needs. As such, the top strategies for healthcare security audits revolve around HITRUST audits and the HITRUST Approach to security.
To perfect your Healthcare IT audit process, follow these steps:
- Begin with an accurate scoping process to determine your needs
- Perform readiness and self-assessments before full-fledged audits
- Implement HITRUST CSF Controls to your required Implementation Level
- Ensure long-term functionality with ongoing maintenance practices
- Select the appropriate assessment and secure long-term assurance
The intricacies of HITRUST might seem overwhelming at first, but working with third-party healthcare audit firms like RSI Security will optimize your cyberdefense and security ROI.
#1: Perform Accurate Security Scoping
An efficient healthcare IT audit begins with a plan informed by your organization’s particular regulatory needs, its IT assets, and the risks you are subject to in your security environment.
To begin your scoping process for a HITRUST assessment, you should determine your:
- Compliance needs – Any applicable regulations and frameworks (e.g., PCI DSS, NIST frameworks, CCPA, GDPR), which will help to determine your Implementation Levels for HITRUST Controls
- Current architecture – All IT and security systems you have in place, including physical endpoints (computers, devices, etc.) and virtual assets (networks, etc.)
- Risk environment – The risk factors most common in your industry and location
These determinations feed directly into the following strategies; understanding where your organization stands with respect to its requirements is critical to achieving them efficiently.
Spotlight: How to Scope for HIPAA Compliance
Nearly all organizations in and around healthcare must safeguard patient data, or protected health information (PHI), per the Health Insurance Portability and Accountability Act (HIPAA).
In particular, scoping for HIPAA begins with determining whether your organization needs to comply—if you are a covered entity. Healthcare providers, health plan administrators, and healthcare clearinghouses all need to comply. So do business associates of said entities.
If HIPAA applies to you, you’ll need to ensure that your organization complies with:
- The Privacy Rule – Protections to prevent unauthorized use or disclosure of PHI
- The Security Rule – Specific Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and availability of all your electronic PHI (ePHI)
- The Breach Notification Rule – Visibility and reporting protocols to notify the appropriate parties after a breach of unsecured PHI occurs (the individuals affected, the HHS, and, for larger breaches, the media)
NOTE: For most covered entities, HIPAA is the bare minimum. HITRUST is a better target, not least because it addresses all of the HIPAA rules, alongside other common regulations.
#2: Perform Readiness or Self-Assessment
Once your organization has assessed its needs, in light of its security posture, it will need to perform at least one preliminary audit to see where it stands with respect to future HITRUST CSF certification. It’s critical to conduct this readiness assessment, self-directed or with the help of a service provider, to ensure that your official HITRUST audit results in success.
The assessment can be conducted with the MyCSF tool, a SaaS platform offered directly to organizations from the HITRUST Alliance. However, most organizations will want to work with an advisor to get the most out of the self-assessment suite. And some HITRUST CSF certification partners offer proprietary assessment tools independent of the MyCSF platform.
Top Consideration: HITRUST CSF Maturity Levels
The scoring of each control requirement (see below) is indexed against five Maturity Levels (with different weights) to assess the degree to which the control has been implemented:
- Policy: This level indicates that the organization has in place all policies and standards needed to cover all its operations, up to applicable requirements.
- Procedure: The next level is reached if your organization has well-documented operating procedures for all processes required to implement control requirements.
- Implemented: This level checks how well your organization has implemented the specific control requirements according to the policies and procedures in place.
- Measured: This level assesses whether the organization monitors and measures its control implementation on an ongoing basis, for example through regular self-assessments of control operation and documentation.
- Managed: The final maturity level assesses the organization’s performance of corrective actions taken against any weaknesses identified in control implementation.
The Policy, Procedure, and Implemented levels account for 15%, 20%, and 40% weight, respectively, totaling 75% of the total points. This means that some organizations can theoretically obtain 75 out of 100 points with only these three levels, without pursuing scores for the Measured and Managed levels, which hold 10% and 15% weights, respectively.
NOTE: HITRUST self-assessments are best considered preparatory, not final. Organizations should seek out Validated Assessments (see below) for certification and trust assurance.
#3: Implement All Required Architecture
After scoping out your requirements for a Healthcare IT audit and conducting one or more self or readiness assessments, you’ll need to acquire or develop controls to fill in any gaps you identified. Architecture implementation is most effective when conducted with integration in mind. Any new or updated assets, physical or digital, need to be connected with existing assets for seamless visibility and communication between them. And any physical or virtual components you retire must be properly disconnected and wiped prior to disposal.
If your organization has determined that it is immediately ready to conduct a validated assessment, you may be able to skip over this step and proceed directly to #4 below.
Otherwise, you’ll need to familiarize yourself with the entire HITRUST CSF framework.
Spotlight: HITRUST CSF Control Categories
HITRUST healthcare auditing takes many forms, but it always measures an organization’s implementation of the CSF Controls. You may need to implement all of them, or you may need to integrate a selection thereof; in any case, you should understand the framework’s scope.
In total, there are 14 Control Categories, which break down into Objectives (49). These break down further into Control References (150+). The full breakdown is as follows:
- Category 0.0: Security Management Program – One Objective, one Reference
- Category 01.0: Access Control Practices – Seven Objectives, 25 References
- Category 02.0: Human Resource Security – Four Objectives, nine References
- Category 03.0: Risk Management – One Objective, four References
- Category 04.0: Security Policies – One Objective, two References
- Category 05.0: Information Organization – Two Objectives, 11 References
- Category 06.0: Regulatory Compliance – Three Objectives, 10 References
- Category 07.0: IT Asset Management – Two Objectives, five References
- Category 08.0: Environmental Security – Two Objectives, 13 References
- Category 09.0: Communications / Operations – 10 Objectives, 32 References
- Category 10.0: System Maintenance – Six Objectives, 13 References
- Category 11.0: Incident Management – Two Objectives, five References
- Category 12.0: Business Continuity – One Objective, five References
- Category 13.0: Privacy Practices – Seven Objectives, 22 References
Beyond References, there are also Specifications for each control, which detail the specific implementation requirements for the respective Implementation Levels. These Levels occur in two series: numbered Levels (1, 2, and 3) and regulation-specific levels (e.g., Level HIPAA).
Some HITRUST assessments measure a fixed selection of Controls; others assess a selection tailored to your organization’s risk factors (see below). Prior to your official audit, you should ensure that all relevant controls are implemented to the requisite Levels.
#4: Optimize Ongoing Security Maintenance
Once your organization has installed its HITRUST CSF Controls up to requisite levels, it may be tempting to jump straight into an assessment. But before doing that, you should set up protocols for seamless maintenance of your security infrastructure to avoid a critical failure that would jeopardize your assessment. You’ll need to monitor your controls over an extended period to ensure they function as expected, and that requires visibility.
The best approach to oversight is third-party program advisory services.
An observer from outside your organization will provide objective, unbiased guidance on maintenance. Another consideration is optimizing top-down control by recruiting a traditional Chief Information Security Officer (CISO) or outsourcing a Virtual CISO (vCISO).
#5: Execute a HITRUST Validated Assessment
The last step to successful healthcare auditing involves selecting the appropriate HITRUST assessment, finding a vendor to conduct the audit, and conducting the assessment. While a self-assessment may be appropriate for your short-term needs, it is not sufficient for full CSF certification. Most organizations will find that a Validated Assessment is the best option to satisfy the requirements of their business partners and gain a competitive advantage.
Comparison: i1 vs. r2 Validated Assessments
There are two types of Validated Assessments currently available for organizations seeking certification. They offer lower and higher trust assurance, respectively, and involve different scopes of implementation and testing. The current assessment options include:
- HITRUST i1 Validated Assessments – Straightforward audits based on just over 200 total Specifications, scored at the Implemented Maturity Level only, that grant certification for one year.
- HITRUST r2 Validated Assessments – Complex audits comprising up to 2000 Specifications, scored across all Maturity Levels, that grant certification for two years (with an interim assessment after the first year).
Depending on your organization’s size and the data you process, an i1 may be sufficient, but the more challenging r2 model offers significantly more assurance, optimizing security ROI.
The HITRUST Approach to Healthcare Cybersecurity
HITRUST healthcare auditing can be daunting; the CSF is one of the most robust and complex frameworks an organization must implement. However, it is also one of the most flexible and scalable approaches to cybersecurity, in healthcare and across any industry.
The HITRUST Approach centers on the concept of “Assess once, report many.” This is the most fundamental benefit of HITRUST CSF implementation, aside from the unparalleled security assurance an audit produces. Once your organization installs and assesses its controls, it will be able to map them onto other applicable regulations and report to their governing authorities seamlessly. For this reason, it’s well worth the relatively high entry costs.
Pain Point: Mitigating HITRUST CSF Risk Factors
To determine the risk exposure of your organization, the HITRUST CSF describes three risk factors that can affect your audit. These risk factors can be used to determine the right implementation level for each security control in the scope of your assessment:
- Organizational Factors – These pertain to the size of your organization, both in terms of geographical space and the volume and diversity of business operations and personnel. A larger, more spread-out workforce or a preponderance of third-party affiliations can open up vulnerabilities in terms of networks and individual awareness.
- Regulatory Factors – These involve the specific regulations that your organization needs to comply with and the threats that could jeopardize your compliance. For example, individual files may be subject to overlapping regulations, such as PHI pertaining to EU citizens, which is simultaneously subject to HIPAA and EU GDPR.
- System Factors – These encompass your organization’s specific IT infrastructure in terms of the number, kind, diversity, sensitivity, and general vulnerability of assets you preside over. Special considerations such as the presence of personal (BYOD) devices on organizational networks must be taken into account for data privacy.
These concerns overlap, and they are by no means exhaustive. They’re a primary reason why steps #1 and #4 above are essential. Working with a trusted audit partner like RSI Security will help you mitigate these concerns and optimize your healthcare IT audits.
Seamless Healthcare Audits with RSI Security
RSI Security is a certified CSF assessor; our experts have compiled decades of experience supporting organizations with HITRUST assessments and healthcare security more broadly.
Our suite of full-service security services covers all of the steps suggested above.
We’ll begin with an intake consultation to begin scoping your implementation, then perform a fuller readiness assessment and implement any outstanding architecture. Next, we’ll set your internal personnel up for successful long-term maintenance of all required practices before conducting one or more HITRUST validated assessments at your preferred certification level.
Contact RSI Security today to rethink your healthcare auditing processes!