The Health Information Trust Alliance (HITRUST) is an organization that creates and maintains a common security framework (CSF) for businesses and organizations in the healthcare sector. Founded in 2007, the Texas-based entity has a prescriptive set of controls that organizations can use in creating, accessing, storing, or exchanging sensitive or regulated data.
HITRUST certification is commonly required of organizations handling protected health information (PHI). It provides a holistic approach to managing information security risks. Considered the gold standard for compliance in the healthcare industry, it combines commonly accepted standards such as:
- HIPAA (Health Insurance Portability and Accountability Act of 1996)
- HITECH (Health Information Technology for Economic and Clinical Health Act)
- PCI (Payment Card Industry Data Security Standard)
- COBIT (Control Objectives for Information and Related Technologies)
- NIST (National Institute of Standards and Technology)
Any company or entity creating, accessing, storing, or exchanging PHI, such as hospitals, healthcare vendors, physician offices, pharmacies, and insurance firms, must be compliant with the HITRUST CSF. The HITRUST CSF is the most widely adopted security framework in the healthcare industry, with more than 80 percent of health plans, organizations, and businesses utilizing it.
Benefits of HITRUST Certification
Aside from the question "what is HITRUST certification?", organizations also ask what it offers them. The most common motivation for seeking HITRUST certification is to satisfy a request from a client or business partner. However, there are numerous other benefits that organizations gain from HITRUST certification, such as:
Improves security posture
Compared with the other compliance standards mentioned above, HITRUST is more in-depth with regard to privacy and data protection. It identifies security risks and gaps, which improves an organization's security posture.
Reduces time for audit preparations
Having HITRUST certification reduces the time and cost incurred in complying with multiple regulations. In most cases, HITRUST certification ensures that an organization won't run into issues when a secondary audit is required.
Enhances organizational reputation
Perhaps the greatest competitive advantage of successfully going through the HITRUST certification process is the impact it has on the organization's reputation. Cybercrime and privacy breaches are now a major concern for consumers and businesses alike, and an organization handling consumer data is expected to have third-party attestation such as HITRUST certification.
The HITRUST CSF is a security and privacy framework that incorporates and harmonizes existing and globally recognized standards, regulations, and requirements. It scales controls according to the complexity, size, and type of an organization and more importantly, provides prescriptive requirements for clarity.
Its hierarchy is similar to ISO 27001/27002, consisting of 14 control categories that include 46 control objectives. These categories cover 149 system controls. Each of those controls has three distinct HITRUST implementation levels that an organization should meet: regulatory, organizational, and system. Overall, there are 845 requirement rules that an organization aiming for HITRUST certification must follow.
Preparing for HITRUST Certification
Make no mistake about it: HITRUST certification is an exhaustive process with no shortcuts. Audits are not only long but also very thorough. Vendors or entities aiming for HITRUST certification should expect multiple rounds of security audit tests over a period of months. In short, it is not an undertaking to be done on a whim. Entities will have to dedicate time, resources, and manpower in order to be successful.
Below are the various stages of the HITRUST certification process:
1. Self-Assessment
The first step in the HITRUST CSF compliance journey is the initial self-assessment. This can take anywhere between two and eight weeks depending on the size and complexity of the entity and its scoped environment. In this stage, an organization becomes more familiar with the CSF requirements and identifies control gaps that need to be addressed before moving into the validated assessment stage.
There are 19 categories of control requirements that entities may identify as impacting their operations. These include:
- Access control
- Audit logging and monitoring
- Business continuity and disaster recovery
- Configuration management
- Data protection and privacy
- Endpoint protection
- Education, training, and awareness
- Information protection
- Incident management
- Mobile device security
- Network protection
- Password management
- Physical and environmental security
- Portable media security
- Risk management
- Transmission protection
- Third party security
- Vulnerability management
- Wireless protection
Organizations may also conduct a self-audit using the MyCSF tool available through the HITRUST Alliance portal, https://hitrustalliance.net/mycsf/. There are two options for using this tool: a subscription, which gives entities full access year-round for a fee, and a one-time purchase of the MyCSF tool, which can only be accessed for 90 days. The latter is less expensive, but it is available only for a limited period.
The subscription option is more expensive but can prove to be the more practical choice, especially if the organization, vendor, or entity intends to maintain HITRUST certification on a long-term basis. Moreover, it allows users to track compliance, access information at any time, and roll custom control sets and updates into the next calendar year's assessment.
The self-assessment stage includes a gap assessment in which gaps are identified and ranked by risk level, giving entities the opportunity to remediate them prior to the validated assessment.
Common gaps that organizations identify and address include updating their business continuity and disaster recovery frameworks and maintaining an audit logging and monitoring system.
It is common for organizations to seek the help of an assessor during this stage. In this arrangement, called a facilitated self-assessment, the assessor guides the organization through the scoping process and determines the control requirements.
The subject matter expert can assist in identifying the security controls a customer needs to authorize, which business units are impacted, the covered controls, and the affected subsidiaries, among other things. The scope can be determined by several factors, such as the location and type of the business and its facilities, systems, infrastructure, and transactions. If the entity's scope is incorrectly identified or outlined, the organization may end up with too few or too many requirements for certification.
2. Validated Assessment
The next step in HITRUST certification is the validated assessment, performed by a certified CSF assessor. The assessment methodology of the CSF Assurance program is used, and controls are scored using the maturity approach to control implementation.
The assessment should be performed by an independent third party or certified CSF assessor. Auditors may differ in their auditing processes during this stage; HITRUST, however, requires assessors and auditors to be on-site for at least half of the auditing time.
During a validated assessment, the certified CSF assessor evaluates each control requirement to provide an independent, third-party validation of the organization's HITRUST CSF compliance. This stage follows a rigorous assessment process, with each control requirement evaluated and scored across the following maturity criteria:
- Policy
- Procedure
- Implementation
- Measured
- Managed
Within these levels, entities define their level of compliance as:
- Fully compliant
- Mostly compliant
- Partially compliant
- Somewhat compliant
Each criterion has a corresponding weight: 25% each for policy, procedure, and implementation, and 15% and 10% for measured and managed, respectively. Notably, 75% of the overall score comes from just three criteria. This emphasizes that the most important thing is for controls to be documented in a policy and procedure and then implemented. It should also be noted that the measured and managed levels are aimed at more mature organizations that have systems in place for measuring the performance of a control.
This also underscores the need for organizations to focus on those three areas. If they can show that their policies and procedures are documented and that their controls are implemented to meet those requirements, their controls will be scored as compliant.
Each control requirement is scored individually, and partial scores are allowed depending on the level of compliance. It is therefore possible for an organization to attain a passing score after being evaluated against only three criteria: policy, procedure, and implementation.
Upon receipt of the submitted domain, the certified CSF assessor can start validating the self-assessment. The on-site assessment may include a review of all supporting documents, interviews with key staff, sampling, and technical testing such as penetration testing and vulnerability scans, although the latter is not always necessary. Assessors also handle the submission of documents such as the representation letter, the participation letter, and an overview of the scoping document.
If the assessor's findings agree with the self-assessment, the auditor records the agreement in the tool and then documents the procedures performed to validate the assessment. If the assessor disagrees with the organization's self-assessment ratings, he or she may submit the control in the MyCSF tool with comments.
Variance between the self-assessment and the validated assessment is less likely if the assessor assisted in the self-assessment stage and the organization heeded his or her recommendations in addressing all the gaps. Entities should expect the validated assessment stage to be drawn out if they did not perform a thorough self-assessment.
Upon completion of the validated assessment, the assessor typically performs a strict quality assurance review prior to submission to HITRUST. The entity applying for HITRUST certification should be able to show proof that it is operating in accordance with its policies and procedures.
Then HITRUST reviews and conducts a quality assurance check on the validated assessment. This alone can take months to complete. HITRUST then issues the CSF certification specific to the factors outlined in the scoping process.
The certification is valid for two years, provided that there are no significant changes to the scoped control environment and no security breaches.
In the case of a security breach, the organization is required to perform appropriate analysis to determine which technical controls failed. The entity will also be required to undergo annual assessment for up to two years after the occurrence of the breach. HITRUST may decertify an organization in the event of a control failure or misrepresentation.
Because CSF certification is an annual task, certified entities will have to repeat the process each year. Annual reviews of the policies and procedures initially assessed against are recommended. However, certified organizations will find subsequent audits easier and less expensive.
Costs of HITRUST Certification
Cost is one of the critical factors that organizations take into consideration before undertaking a HITRUST certification assessment. It can be broken down into two categories: direct and indirect costs. As the CSF has become more complex, the cost of undertaking HITRUST certification has also gone up.
Direct costs cover fees to the auditor or certified assessor and to HITRUST. Entities should expect to spend between $60,000 and $120,000, although larger organizations may spend much more than that.
Smaller organizations that don't have enough budget for such an undertaking may opt for an initial self-audit. Use of the MyCSF self-assessment tool costs about $2,500 for 90 days. Submission of the self-audit report for scoring costs an organization another $3,750.
Indirect costs are more difficult to measure. Most organizations measure them by the cost of each work hour; conservative estimates peg this at $100 per hour or more. Indirect costs may be higher still if other factors, such as wages and benefits and business opportunities lost to the assessment, audit, and certification effort, are taken into consideration.
In short, pursuing HITRUST certification costs an organization around $100,000, depending on its size and scoped environment. While it may be a steep price to pay, the benefits of HITRUST certification are enough to justify the costs. Hospitals, insurers, pharmacies, physician offices, and healthcare vendors all benefit from being HITRUST certified: it helps them stand out from the competition and gain more business in the long run.
Partnering with a certified HITRUST assessor like RSI Security is therefore important. RSI Security has qualified security advisors who can help organizations get started on their journey towards HITRUST certification.