Companies in the healthcare industry are attractive targets for cybercrime, and they are also legally required to comply with HIPAA and HITECH. Many of these companies must meet other standards as well, such as PCI DSS. The HITRUST Alliance's Common Security Framework (CSF) maps these overlapping requirements into a single control set, which simplifies implementation across all of them. A HITRUST Self-Assessment Questionnaire is therefore a practical first step toward streamlined compliance and stronger cybersecurity.
Let’s discuss.
What is a HITRUST Self-Assessment Questionnaire?
To achieve full compliance with the HITRUST CSF, you will need to complete more than just a Self-Assessment. But the Self-Assessment Questionnaire is a valuable tool for getting started with implementation. It is also an effective way to save time and money on the path to Certification, because identifying and closing gaps early makes later testing easier for you and for the (required) third-party assessors.
This article will break down everything you need to know, including:
- A deep dive into HITRUST Self-Assessment and other forms of assessment
- A comprehensive overview of what it takes to implement all HITRUST controls
By the time we’re done, you’ll be ready to self-assess or fully verify your HITRUST compliance. But first, let’s address the elephant in the room: does your business even need to comply?
Does Your Company Need to Self-Assess?
There is no law in the US that requires HITRUST compliance. However, many businesses face de facto requirements in the form of industry expectations or client and partner contracts that ask for a HITRUST Certification. Because the CSF consolidates controls from many regulatory and industry sources, Certification can also provide a competitive advantage over companies that have not implemented comparable safeguards.
Moreover, depending on the nature of your business, several of the frameworks that HITRUST incorporates are mandatory on their own. For example, covered entities and business associates in the healthcare industry must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). And any such companies that also process credit card transactions are contractually required by the card brands to comply with the Payment Card Industry Data Security Standard (PCI DSS). Mapping controls across these and other frameworks by hand, and proving each one separately, creates real overhead.
HITRUST maps these and other frameworks into one control set. Compliance with the CSF might not be a strict requirement for your business, but it can be an efficient way to satisfy all of your other compliance obligations at once.
Understanding HITRUST Self-Assessment
Overall, a HITRUST Self-Assessment involves far more than completing the HITRUST Self-Assessment Questionnaire. The first requirement is a subscription to MyCSF, the platform from which you will fill out the questionnaire, score your Assessment, and review analytical insights into your readiness for full Certification. That visibility does not come cheap: at the time of writing, registration costs $2,500 per 90 days, and the Self-Assessment itself costs $3,750.
Another cost factor to keep in mind is that an Assessment, even just a Self-Assessment, can be expected to take well over 90 days, so multiple registration periods may be required.
The Self-Assessment itself is conceptually straightforward: you score the extent to which each in-scope Control Reference is implemented and maintained (see below). Importantly, a Self-Assessment does not independently validate those practices; it is your own attestation. For validation, and for full Certification, you will need an Authorized External Assessor to test your controls.
Other Levels of HITRUST CSF Assessment
For companies seeking full compliance with the HITRUST CSF, completing the Self-Assessment Questionnaire is far from the last step. Depending on the scores achieved, a Validated Assessment results in either a Validated report or full Certification, and a Certification typically lasts two years. The primary forms of CSF Assessment beyond Self-Assessment, per HITRUST, include the following:
- Validated Assessment – An Authorized External Assessor tests the implementation of all controls, then reports findings to HITRUST for a Quality Assurance Review; Certification is granted for two years, pending an Interim Assessment after one year
- Interim Assessment – An Authorized External Assessor tests implementation and maintenance of controls at the one-year mark of Certification, extending it for a year
In addition, HITRUST adopted a "Bridge" program to provide coverage for businesses struggling to meet recertification deadlines because of COVID-19:
- Bridge Assessment – An Authorized External Assessor performs a special Bridge Assessment for qualifying companies, extending a limited form of Certification for 90 days after the end of the previous period (with those 90 days subtracted from the next Certified period)
Across these assessment methods, the core of compliance still requires implementing and maintaining all of the HITRUST CSF controls. So, let’s take a look at what exactly that entails.
Implementing the HITRUST Approach
The most important parts of a HITRUST Self-Assessment checklist are the 14 Control Categories, 49 Objective Names, and 156 Control References that make up the CSF. Note that the requirement statements actually in scope for your Assessment are tailored in MyCSF by organizational, system, and regulatory factors, so not every Control Reference applies to every organization. Your Self-Assessment, and eventually your Validated Assessment, depends primarily on implementing the following:
- Control Category 00: Information Security Management Program –
  - One Objective Name governing the overall information security management program
  - One Control Reference specifying requirements for the program's policy and implementation
- Control Category 01: Access Control –
  - Seven Objective Names restricting access to data through authentication and authorization
  - 25 Control References specifying password strength, session length, network and OS access, etc.
- Control Category 02: Human Resources Security –
  - Four Objective Names governing personnel security before, during, and after employment
  - Nine Control References specifying approaches to screening, hiring, training, termination, etc.
- Control Category 03: Risk Management –
  - One Objective Name governing the programmatic approach to risk assessment and mitigation
  - Four Control References specifying risk assessment, monitoring, and analytical requirements
- Control Category 04: Security Policy –
  - One Objective Name governing the baseline definition of security and privacy policy
  - Two Control References specifying requirements for timely review and update of the policy
- Control Category 05: Organization of Information Security –
  - Two Objective Names governing the organization of internal and external parties
  - 11 Control References defining respective responsibilities, privileges, third-party terms, etc.
- Control Category 06: Compliance –
  - Three Objective Names governing legal, policy, and audit requirements
  - Ten Control References specifying controls for individual compliance obligations
- Control Category 07: Asset Management –
  - Two Objective Names governing inventory control and information classification
  - Five Control References setting rules for asset ownership, acceptable use, classification, etc.
- Control Category 08: Physical and Environmental Security –
  - Two Objective Names restricting physical and proximal access to sensitive data and equipment
  - 13 Control References defining secure areas and the handling of devices and spaces
- Control Category 09: Communications and Operations Management –
  - Ten Objective Names governing operating procedures, third-party services, malware protection, backups, network security, media handling, information exchange, and monitoring
  - 32 Control References specifying controls to monitor and secure operations and communications
- Control Category 10: Information Systems Acquisition, Development, and Maintenance –
  - Six Objective Names governing security requirements, application processing, cryptography, system files, development processes, and vulnerability management
  - 13 Control References establishing controls for applications, encryption, patching, etc.
- Control Category 11: Information Security Incident Management –
  - Two Objective Names governing the reporting of events and the management of incidents
  - Five Control References specifying response procedures, evidence handling, lessons learned, etc.
- Control Category 12: Business Continuity Management –
  - One Objective Name ensuring the continuation of services during disruption
  - Five Control References defining planning and testing to that end
- Control Category 13: Privacy Practices –
  - Seven Objective Names governing transparency, individual participation, purpose specification, data minimization, use limitation, data quality, and accountability
  - 21 Control References specifying individual privacy practice requirements
Implementing the CSF and other Risk Management Frameworks in the HITRUST Approach can be highly challenging.
That’s where we can help.
Professional Assessment and Cyberdefense with RSI Security
RSI Security is an Authorized External Assessor ready to work with you on HITRUST implementation and compliance elements. Our comprehensive suite of HITRUST services includes everything from tailored planning and implementation of required controls to robust training and analysis for your staff.
Additionally, we help with guidance through Self and Validated Assessment itself.
We know firsthand how vital, albeit challenging, compliance can be. But we also know that it is hardly the end of your cybersecurity journey; it is just the start of your cyberdefense. We can help with everything it takes to keep your stakeholders safe, whether it is the HITRUST Self-Assessment Questionnaire or a new cybersecurity architecture. Contact RSI Security today!