With more than 20 individual processes, requirements, and standards under its umbrella, the HITRUST Alliance provides a centralized set of guidelines for professionals in the healthcare industry and beyond. Unfortunately, because it incorporates so many frameworks, many entities that take a HITRUST assessment fail their initial or secondary attempts. Thankfully, there are plenty of remediation strategies available, including retaking the assessment, for those who have yet to pass.
What to Do After Your HITRUST Assessment Failed
Unlike the Health Insurance Portability and Accountability Act (HIPAA), HITRUST is not a hard and fast legal requirement. Achieving certification is entirely optional. Generally, any HITRUST “requirements” are business agreement stipulations or standards in an industry or location.
So, because few institutions are legally obligated to complete a HITRUST assessment, a failed exam isn’t as consequential as failing to meet other compliance requirements. Still, failure to complete a Qualified Assessment (QA) can have significant business consequences, so organizations should look to remedy a failed QA as soon as possible.
This guide will break down the timeline, from immediate reactions through longer-term planning, to stay compliant.
What Does a HITRUST Failed QA Mean and Imply?
A failed HITRUST assessment, in the context of HITRUST CSF implementation and certification, is a failure at the QA stage: the QA Analyst determines that too many questions or issues remain open to issue a full, Validated HITRUST CSF Report.
Per HITRUST, the QA process entails:
- Repeated, automated assessments of documentation pertaining to CSF implementation
- Review of a randomly selected assortment of implemented controls to verify their fidelity
- Review for the rationale and reasonableness of any controls labeled “not applicable”
- Review of maturity levels (e.g., “measured”) if applicable in the assessment
Throughout this process, it is normal for the assessor(s) to have questions or concerns. Failure happens when these questions or concerns are not appropriately addressed between the party being assessed, the external assessor who generates the report, HITRUST’s QA Analyst who validates it, and any other stakeholders involved (e.g., personnel, clientele, service providers).
Does a Failed QA Necessarily Reflect Poor Security?
HITRUST explicitly notes that a failed QA does not necessarily indicate poor security or maturity. Those kinds of results may be assessed independently of the QA Analyst’s unresolved questions. In many cases, a result indicating poor security or low maturity may be worse than a failed QA—as it is more definitive in scope—whereas a failed QA implies “uncertainty.”
HITRUST provides a non-exhaustive list of reasons a QA may fail, including:
- Self-scoring in the certification range while failing to implement the CSF to the required degree
- Failing to demonstrate implementation to the external assessor to a satisfactory extent
- Failure to properly document the assessment per HITRUST protocols, which is the responsibility of the assessor
- Incorrectly applying the Control Maturity Scoring Rubric, which is the responsibility of both the entity and the assessor
Not all failed QAs are the fault of the entity being assessed; the external assessor may make errors that trigger failure. So, it’s critical to work with a quality HITRUST compliance partner.
Steps Toward Successfully Passing a HITRUST QA
To correct a failed QA and attain or maintain compliance as swiftly as possible, organizations need to begin work immediately. They must first understand how or why they failed the QA, then (optionally) select a new external assessor, service provider, or QA Analyst, and, finally, ensure that all stakeholders are made aware of what is required of them for long-term compliance.
Step 1: Gap Analysis for Failed Assessment
Immediately after being notified of the failed QA, an entity should identify any gaps that are preventing them from successfully passing the HITRUST assessment. In particular, look for:
- Missing documentation – Any documentation regarding the type, number, and characteristics of information systems and IT assets that is missing or incomplete.
- Inadequate reporting protocols – Any testing or results that do not use current HITRUST procedures, which could potentially trigger QA Analyst questions.
- New compliance requirements – Any security controls that do not meet current HITRUST requirements, up to the implementation level required for the assessment.
Once all gaps and issues are understood, the organization can begin planning to address them, either as part of this step or as a separate process. In any case, the new assessment shouldn’t be attempted until a subsequent gap analysis is conducted and indicates no remaining issues.
Step 2: Selection of New Assessors
Unfortunately, not all HITRUST assessors are created equal. You might be able to increase your odds of passing your QA by selecting a new external assessor or requesting a different QA Analyst from HITRUST. To aid your search, develop a list of questions for the assessors, like:
- How long has your employer been an Authorized HITRUST External Assessor Organization? How long have you been performing audits?
  - This question gives you better insight into the history and reputation of both the organization and the external assessor. Do you want to take your chances on a new organization or analyst, or do you require an experienced professional?
- How complex is your average assessment? Which fields are you familiar with?
  - If your organization’s IT and security systems are complex, or you are subject to many different compliance regulations, you’ll need an assessor commensurate with the scope of the assessment. Seek out service providers with depth and breadth of experience, especially with organizations of your size and in your industry.
- How often do your clients receive failed QA reviews? Do they typically opt to retake the assessment? How long does it take for them to pass, on average?
  - A history of failed QA reviews is an immediate red flag, as it could indicate a lack of experience or faulty collaboration with HITRUST. But a moderate number of failed QAs, paired with a quick turnaround on remediation, can be a good sign. Rapid remediation indicates a capable organization with effective personnel and processes.
These are generalized questions, but more specific ones tailored to your organization’s needs and means can help you identify the ideal external assessor. For example, depending on your security maturity, it might make the most sense to work with an assessor who can also facilitate your implementation or conduct multiple assessments (e.g., gap, readiness) rather than one or the other.
Step 3: Continuous HITRUST Training
Finally, organizations need to ensure that all stakeholders, especially personnel and third-party contractors (e.g., vendors), are aware of their roles and responsibilities relative to successful HITRUST assessment. The only way to ensure this is through targeted training.
The HITRUST Alliance recommends utilizing several documents for training, including:
- HITRUST Risk Analysis Guide – A general, actionable overview of the HITRUST Risk Management Framework (RMF), which complements CSF implementation. Personnel who read this guide will better understand which risks are most critical to HITRUST and what responsibilities they have with respect to mitigating and preventing them.
- HITRUST Control Maturity Scoring Rubric – A collection of helpful timetables, charts, and definitions regarding the QA process. Reviewing these materials and being aware of the entire QA process and scoring protocols will help employees contribute to testing and, most importantly, avoid obscuring information or otherwise impeding assessment.
Training on these and other HITRUST-relevant materials must be conducted during onboarding, at regular intervals, and on special occasions, such as during preparation for the next QA.
The Bigger Picture: What is HITRUST?
Originally developed exclusively for the healthcare industry, HITRUST Alliance’s CSF has since grown to encompass standards from nearly every professional industry. The CSF integrates rules and standards from many different regulatory bodies, including but not limited to:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Payment Card Industry (PCI) Data Security Standards (DSS)
- Several National Institute of Standards and Technology (NIST) guides
- California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA)
- South Carolina’s Insurance Data Security Act (SCIDSA)
- Several International Organization for Standardization (ISO) guides
- Control Objectives for Information and Related Technologies (COBIT)
- The Center for Internet Security (CIS) Critical Security Controls (CSC)
Unlike HIPAA, which classifies its controls into a few generalized, vague categories, HITRUST is much more comprehensive. The HITRUST CSF features a total of 14 separate control domains:
- 0.0 Information security management program
- 01.0 Access control
- 02.0 Human resources security
- 03.0 Risk management
- 04.0 Security policy
- 05.0 Organization of information security
- 06.0 Compliance
- 07.0 Asset management
- 08.0 Physical and environmental security
- 09.0 Communications and operations management
- 10.0 Information systems acquisition, development, and maintenance
- 11.0 Information security incident management
- 12.0 Business continuity management
- 13.0 Privacy practices
The HITRUST CSF is expanded further with 49 different objectives and 155 specifications. Each control has up to three implementation levels, and individual compliance-specific levels stack on top of them. This enables organizations to use the HITRUST assessment for other frameworks’ audits and certifications, mapping and exporting controls through the MyCSF assessment tool.
The Typical HITRUST Assessment Process
Currently, HITRUST Alliance provides three types of QA assessment reports:
- HITRUST Readiness Reports – Also known as self-assessment reports, these serve as unaudited evidence of your organization’s CSF implementation. While these are not meant for third-party assurance, they do play a vital role in the path to certification.
- Validated HITRUST CSF Reports – These reports are issued when an organization fails to meet the requirements for full certification.
- Validated HITRUST CSF Reports with Certification – Organizations that meet or exceed the requirements for certification are issued this report.
All HITRUST assessments follow a highly standardized process, including the following steps:
- Establish and identify a project coordinator and their supporting review team – This makes it easy to establish a clear chain of command for the project.
- Define the overall scope of the assessment – This step helps you identify the business units participating in the assessment. Use this step to designate a coordinator for each applicable business unit.
- Define the scope of each business unit assessment – Take note of business units with higher risk profiles, including those that store, process, or transmit sensitive data.
- Collect and examine pertinent information – Perhaps the busiest step of all, this involves gathering any records, logs, previous vulnerability or threat assessments, and any other related documentation. Your assessor will also take note of your physical workplace and system configuration settings.
- Conduct interviews with key business unit stakeholders – Individuals who were previously identified as coordinators are interviewed during this phase.
- Execute various system tests to validate controls as necessary – Penetration testing, vulnerability scanning, and other tests are performed during this phase.
- Provide recommendations as replacements for noncompliant controls – The assessor provides guidance regarding any noncompliant controls. Additionally, they might provide recommendations on improving compliant controls.
- Create the assessment report – The assessor begins to prepare and develop their report during this phase, with close attention to any noncompliant controls and their professional recommendations.
- Finalize the report and track remediation – The final phase in the assessment process requires the assessor to monitor the situation, including remediation. If your assessment report failed, it will be noted during this phase.
The Benefits of HITRUST Assessment
Successfully passing your QA exam benefits your organization in numerous ways.
- Meet industry requirements – Although HITRUST isn’t required by any industry, it consists of many frameworks that are mandatory. Ensure you’re prepared to meet any and all compliance requirements with a HITRUST QA assessment and certification.
- Bolster IT security – Because many HITRUST compliance requirements revolve around IT security, you’ll strengthen your entire network against hackers and other threats.
- Reduce long-term expenses – Meeting the standards of HITRUST can save you time and money by reducing the need for future audits and inspections. It will also cut expenses in the event of a data breach or security incident, as you’ll be able to prove that proper security measures were already in place.
- Gain public trust – With more consumers focused on data privacy, HITRUST makes it easy to demonstrate your dedication to the cause. You’ll also avoid losing their trust through a severe data breach or leak.
Achieving HITRUST Compliance
RSI Security is an authorized CSF Assessor with years of experience helping organizations attain and maintain HITRUST certification. If your recent HITRUST assessment failed, we will ensure that you’re on the right track to achieving compliance as swiftly as possible.
To find out more information, or to learn more about HITRUST implementation, contact RSI Security today.