Many companies sit at the intersection of multiple sectors. This can be a lucrative position, but it also requires surveying the specific cybersecurity risks of each industry involved. To address the needs of these companies, HITRUST Alliance published the Common Security Framework (CSF). For companies struggling to meet compliance deadlines after the COVID-19 pandemic, HITRUST also offers the bridge assessment, which can be the difference between lapsing in protection and recovering fully.
Let’s take a closer look.
What is a HITRUST Bridge Assessment?
HITRUST CSF compliance is exceptionally comprehensive. Even previously certified institutions may struggle to meet validation deadlines — especially given the pandemic and its aftermath. Bridge assessments aren’t a replacement for full compliance. Instead, they are available to help these organizations extend their window and eventually achieve complete recertification.
In this blog, we’ll break down everything you need to know about the HITRUST bridge assessment and overall HITRUST CSF compliance. Topics covered below include:
- What the bridge assessment is, along with how (and why) to take advantage of it
- Where the bridge assessment leaves off, or what you’ll need for full compliance
- Why and how to verify or certify full compliance
By the time we’re done, you’ll be well-positioned to move forward into bridge assessment in the short term, then full compliance in the long term. But first, let’s review what exactly HITRUST is.
What is HITRUST, and Why is it Important?
Companies’ concerns about “HITRUST” usually refer to compliance with the HITRUST CSF specifically. But the CSF itself is just one part of the overall HITRUST Approach, a much more holistic system or program of data protection, information risk management, and compliance.
The HITRUST Approach includes all solutions HITRUST offers (the CSF, Risk Management Frameworks, etc.). Its principles constitute a cyclical set of steps toward robust cybersecurity:
- Identify and Define – Focused on monitoring for, defining, and analyzing risks
- Specify – Focused on determining which solutions are appropriate for defined risks
- Implement and Manage – Focused on mitigation and resolution of security incidents
- Assess and Report – Focused on logging, analyzing, and correcting vulnerabilities
This approach is crucial, not least because of its simplicity. As you’ll see below, implementing the HITRUST frameworks themselves can be complex and challenging. Simplicity at the top level allows for a streamlined approach without compromising the quality and integrity of security.
Similarly, the Bridge Assessment program is a means toward simplification to make recertification slightly more accessible, especially in the crisis many companies are facing.
Leveraging HITRUST Bridge Assessment
HITRUST implemented the Bridge Assessment early in 2020 to assist companies struggling to achieve timely reassessment. HITRUST’s press release for the Bridge program notes that, due to the immediate and long-term impacts of the COVID-19 pandemic, many businesses have had trouble submitting their CSF Validated Assessments before deadlines.
Companies in this position face further consequences beyond the missed deadline itself.
On the one hand, HITRUST is a primary means by which many companies comply with other legally mandated frameworks. On the other hand, a lapse in compliance often portends lax cybersecurity as a whole, meaning these companies are at risk of being exposed to the dangers of cybercrime.
The Bridge Assessment and the resulting HITRUST CSF Bridge Certificate comprise an ideal solution for companies in a bind. It is not an “extension” of existing certification, nor is it a “replacement” for traditional certification. Because the assessment procedure is less intensive, Bridge Certification provides a lesser level of assurance. It is a means of demonstrating that a company’s controls are unlikely to have degraded since certification and that full compliance is forthcoming.
But Bridge Assessment is by no means simple to achieve. Let’s take a close look at the process and requirements through which companies can accomplish CSF Bridge Certification.
How the HITRUST Bridge Assessment Works
Companies may be eligible for Bridge Assessment (and Certification) for 90 days after the expiration of their previous CSF Certification period. Furthermore, according to HITRUST’s guide to the Bridge Assessment, the Bridge Certification process breaks down as follows:
- Step 1 – Obtaining a HITRUST CSF Bridge Assessment object within the MyCSF toolkit; this requires registration at an initial cost of $3,000 (and later fees in some cases)
- Step 2 – Assessment by a HITRUST Authorized External Assessor, covering 19 requirement statements selected from the overall HITRUST controls
  - If the controls had already been tested for a validated assessment, they may count toward the Bridge Assessment without requiring a retest (with restrictions)
- Step 3 – The company’s management and the Authorized External Assessor must confirm three criteria:
  - No reportable breaches have occurred since the previous CSF Certification
  - No significant changes to security have occurred since the previous CSF Certification
  - The company intends to complete full CSF Certification before the Bridge Certificate expires
- Step 4 – Performance of a “fast track” Quality Assurance Review, by a first-party HITRUST official, on the assessment submitted by the Authorized External Assessor
- Step 5 – Issuance of the official HITRUST CSF Bridge Certificate to the organization
- Step 6 – Submitting a completed, validated assessment to HITRUST before the Bridge Certificate’s expiration date (90 days after the prior Certificate’s expiration date)
  - Any time covered by Bridge Certification is subtracted from the subsequent HITRUST CSF Certification (i.e., three months of the entire 24-month period)
Ultimately, the relationship between Bridge Certification and CSF Certification is forgiving in some ways and demanding in others. Having CSF controls firmly established facilitates the Bridge Assessment and bypasses rigorous analysis. But taking advantage of Bridge Certification won’t net you any “extra” months of coverage, since they are subtracted from your next certification period.
Understanding HITRUST CSF Certification
As noted above, Bridge Certification is not an extension or replacement for compliance. You’ll still need to implement all CSF controls beyond the 19 assessed for the Bridge Certificate. Colloquial nicknames for the Bridge Assessment, such as “HITRUST gap assessment,” belie the importance of understanding CSF to avoid gaps in your overall HITRUST coverage.
In total, the HITRUST CSF comprises 156 “Control References” to implement, spread across its 49 “Objective Names” and 14 “Control Categories.” These are influenced by, and often directly adapted from, the requirements of other compliance frameworks. The NIST Cybersecurity Framework, HIPAA, HITECH, and the PCI Data Security Standard are some of the primary sources.
The full text of the CSF is available for free download, but only to organizations that sign a qualifying license agreement. In practice, this means few organizations have access to the text itself. But don’t worry: below, we’ll provide a synopsis of all the controls your business will need to implement for compliance, sourced directly from HITRUST CSF v9.4.1.
Breakdown of the HITRUST CSF Framework
While the HITRUST framework also provides Specifications, Mapping, and other guidance for each Reference, the References themselves are most analogous to individual Controls. All in all, the Control Categories, Objective Names, and Control References break down as follows:
- Control Category 0.0: Information Security Management – Governing top-level controls for effective security management, across one objective and one Control Reference
- Control Category 0.1: Access Control Security – Governing measures taken to restrict access to sensitive information, across seven Objectives and 25 Control References
- Control Category 0.2: Human Resources Security – Governing approaches to personnel management and security, across four Objectives and nine Control References
- Control Category 0.3: Risk Management Policy – Governing approaches to monitoring, analyzing, and mitigating risks, across one Objective and four Control References
- Control Category 0.4: Security Policy – Governing minimum required specifications for maintaining a robust security policy, across one Objective and two Control References
- Control Category 0.5: Information Security Organization – Governing management of internal and external data, across two Objectives and 11 Control References
- Control Category 0.6: Regulatory Framework Compliance – Governing mapping and implementation of all required controls, across three Objectives and ten Control References
- Control Category 0.7: Asset Management Security – Governing management of inventory and related responsibilities, across two Objectives and five Control References
- Control Category 0.8: Physical and Environmental Security – Governing restrictions for access to devices and entire areas, across two Objectives and 13 Control References
- Control Category 0.9: Communications and Operations Security – Governing security precautions for network traffic, across ten Objectives and 32 Control References
- Control Category 0.10: Information Systems Management – Governing acquisition, maintenance, and development of IT, across six Objectives and 13 Control References
- Control Category 0.11: Security Incident Management – Governing security incident reporting, response, and recovery, across two Objectives and five Control References
- Control Category 0.12: Business Continuity Management – Governing processes implemented for continuity of services, across one Objective and five Control References
- Control Category 0.13: Privacy Security Practices – Governing general principles and approaches to privacy at all levels, across seven Objectives and 21 Control References
Implementing all controls across all Categories is not enough on its own to guarantee validation or certification. Your business will also need to submit a self-assessment and, depending on the level of compliance assurance it seeks, undergo third-party validation.
Achieving Full HITRUST Certification
Compliance requires reporting on (and potentially verifying) your implementation of all CSF controls. At the most basic level, and outside of Bridge-related compliance, companies can choose to self-assess their performance by submitting the Self-Assessment Report, available from HITRUST directly or through subscription to the MyCSF toolkit. In addition, other self-service tools include the HITRUST Academy and HITRUST Readiness Assessment.
There are two levels to consider to achieve full compliance: validation and certification.
According to HITRUST’s guide to CSF Assessments, both require working with an Authorized External Assessor. Both also require submitting a HITRUST CSF Validated Assessment Report. If the Report meets HITRUST’s score requirements, your company may qualify for Certification. If it doesn’t, you may still be eligible for Validation. Validation lasts for one calendar year, while certification lasts for two years (pending the submission of an Interim Assessment after one year).
Unlike the Bridge Assessment, a HITRUST CSF Interim Assessment does not subtract or in any other way negatively impact the total number of months your certification lasts.
How Compliance Advisory Services Can Help
As noted above, full compliance (validation or certification) requires a third party’s assistance for at least the final assessment stage. Given the challenges of implementing all the necessary controls, it’s in many organizations’ best interests to work with a service provider from the first touchpoint of the process.
To that end, here at RSI Security, we offer a suite of HITRUST advisory services, including:
- Guidance with and facilitation of HITRUST Self Assessment
- HITRUST gap assessment to identify weaknesses or oversights
- Comprehensive Validation, Interim, Bridge, and full Certification
- Troubleshooting and long-term maintenance of CSF implementation
- Marketing support for publishing and capitalizing on compliance
- Integrated third-party risk management (TPRM) program
- Targeted healthcare and health-adjacent advisory
- Mapping to other cybersecurity frameworks
With over a decade of experience helping companies achieve HITRUST compliance, as well as compliance with other regulatory frameworks, we are well-positioned to help you get Certified.
Professional Certification and Cyberdefense
The talented team of experts here at RSI Security is happy to help your company with all of its compliance and cybersecurity planning and implementation — no matter the nature and size of your business. We’ll tailor a suite of IT and security services to meet your needs and means.
For many companies, compliance with a robust regulatory framework like HITRUST is a one-size-fits-all solution to their cybersecurity concerns. For many others, however, compliance is just the start of the cybersecurity journey.
And for all cybersecurity needs, there’s us.
To see how valuable a HITRUST bridge assessment can be for your company, contact RSI Security today!