With the constant and evolving threat of cybercrime, it’s become more crucial than ever for organizations to protect their proprietary and customer data. Over the past year, the average cost of cybercrime for an organization has increased from $1.4 million to $13.0 million, and the average number of security breaches rose by 11 percent, from 130 to 145. Given this threat, a HITRUST self-assessment is one of the most important ways you can prevent security breaches and maintain HIPAA compliance.
By adopting cybersecurity frameworks such as the HITRUST CSF, your business can protect itself, prevent data loss, and limit business disruptions. But prior to applying for HITRUST CSF certification, your business must conduct a HITRUST self-assessment questionnaire. Doing so is the first vital step toward gauging the efficacy of your overall cybersecurity posture.
Want to know what that self-assessment entails? Learn all about it via this convenient checklist.
What is HITRUST CSF?
The HITRUST Common Security Framework (CSF) is a set of security controls and frameworks that are an amalgamation of several other standards, frameworks, and control points, including:
The HITRUST organization collaborated with various other technology and information security leaders to create and maintain the CSF. Its designers employed a risk-based approach in response to the various privacy, security, and regulatory challenges healthcare organizations faced in regard to HIPAA.
Today, it’s viewed by many major healthcare organizations as the gold standard for HIPAA cybersecurity. In fact, according to the HITRUST Alliance:
A growing number of healthcare organizations, including Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group will now require their business associates to obtain CSF Certification as a means of demonstrating effective security and privacy practices aligned with the requirements of the healthcare industry.
In addition to this, several healthcare organizations have taken the steps necessary to become HITRUST certified themselves. Why?
- To comprehensively secure their IT environments
- To reduce their organizational risk
- To prepare for future audits
And to become HITRUST certified, you have to start with a CSF Self-Assessment.
What Is The HITRUST Self-Assessment?
A HITRUST self-assessment is simply an internally conducted CSF audit. It’s a tool organizations can use to check their preparedness for the real thing. As such, it doesn’t involve authorized external HITRUST auditors, but many organizations do choose to bring in a compliance assessor or other third party to assist with the process.
To perform a self-assessment, you’ll need access to the MyCSF online tool provided by HITRUST. It includes several features that aid with the process, including:
- Centralized Corrective Action Plans (CAPs)
- Custom Assessments
- Evidence Support
- Track Assessments Submitted for CSF Reports
- Quality Assurance (QA) Enhancements
- Custom User Roles
- Assessment Navigation
- CSF Assessment Preview
- Aggregated Respondent Answers
- Advanced Analytics & Dashboards
- Control Inheritance
- Comprehensive Reporting
- Robust API
There are three packages available:
- Report-only option – Costs between $2,500 and $8,500 based on your net income range
- Annual subscription – Costs $10,000 per year if you have fewer than 25 employees
- Enterprise subscription – Costs $32,500 per year if you have 25 or more employees
Why the HITRUST Self-Assessment Poses a Challenge
Preparing for and conducting the self-assessment requires an organizational commitment because it is so exhaustive and time consuming. According to Advize Health:
Most organizations performing the minimum level security assessment in MyCSF have a control set, including 120-140 controls. Each of these will be analyzed, a process narrative written, and corresponding evidence uploaded. These items come from various resources across an organization, which is why leadership commitment is key. Plan on each of these controls taking up to 60 minutes or more and the scope of work becomes clear.
Put simply, even a self-assessment involves considerable documentation on a variety of things, including policies, risk assessments, special configurations, and technical documentation. Recording and organizing all of this information in a logical manner is a serious task, but one that gets better each time you go through it.
The first time you undergo the CSF audit process it may take up to three to six months to prepare; however, with each successive year that timeframe shortens. That said, the timeline will largely depend on the full scope of the project.
Preparing Your HITRUST Self-Assessment Checklist
The self-assessment is your dry run for the real deal. Many of the steps you’ll take in the self-assessment process echo what will occur during the accrediting audit process. To prepare for this, there are a variety of actions you should first take. The HITRUST Alliance breaks it into eight steps:
Step 1: Project Startup
Have You Named the Project Coordinator?
Every project needs a leader.
Your project coordinator or manager will be a higher-up within the company who’s been charged with guiding personnel within the organization toward achieving the named goals. In addition to managing teams, they’ll be in charge of:
- Organizing interviews
- Managing and collecting documentation
- Guiding the entire process
In order to give them ample time to prepare for what’s to come, the individual should be named at least 2 months before the testing commences.
Ensure that this is an organizational effort from the top down. If company executives don’t take it seriously and do their best to facilitate the process, it will become exceedingly difficult to get the support and coordination you need from every department.
Note: If this is your first time performing the self-assessment, it may be smart to enlist the help of a certified HITRUST assessor who can assist with all aspects of HITRUST CSF certification and assessment.
Have You Set the Management Structure and Standards?
After a project coordinator is named, they’ll need to meet with top brass and key stakeholders in order to outline the assessment’s management structure and standards. This will involve building a plan, detailing the procedures, and identifying the tools necessary to conduct the self-assessment. They will be responsible for:
- Project planning
- Interview tracking
- Documentation request tracking
- Stakeholder/conduct tracking
- Meeting minutes
- Weekly project status
- Issue/risk tracking
Your team should hold an assessment kickoff at least three weeks before the scoping and self-assessment process begins. During this meeting, the team will review the entire assessment process and timeline, discuss organizational goals, define the scope, and set expectations.
Step 2: Have You Defined the Organizational Scope?
Scoping helps you determine which systems, layers, units, and facilities will be a part of the assessment. This due diligence helps ensure that a comprehensive review is conducted. Aspects that will need to be identified include:
- Business units – Units or departments within the organization that operate distinctly from one another will need individual audits. In addition to identifying these, the project coordinator needs to list key contacts within each unit, including:
- Department head(s)
- System owners
- Information security personnel
- Risk/compliance personnel
- Human resource personnel
- General users
- Physical facilities – All relevant and critical physical facilities that are a part of your IT environment need to be named. Determining whether or not they’re in-scope depends on several factors including:
- The housing of users of the system(s) within the assessment scope
- Whether sensitive information is stored on, accessed by, or transmitted from devices within the facility
- Whether unauthorized users could gain physical access to the facility, resulting in a breach of sensitive information
- Regulatory factors – There are a number of regulatory factors tied to compliance requirements such as FISMA, PCI, HIPAA, and PDPA.
Step 3: Have You Defined System Scope?
The next aspect of scoping you’ll need to determine is which information systems within the organization are considered areas of higher risk. It’s critical that you define the systems, devices, and technologies that store, access, or transmit sensitive data.
Common system factors that increase a system’s risk, and thus necessitate greater controls, include:
- Accessible from the internet, by a third party, or publicly
- Stores, processes, or transmits sensitive information
- Uses mobile devices
- Exchanges data with a business partner or third party
- The total number of users
- The total number of daily transactions
- Total number of interfaces to other systems
Once this has been completed, your project coordinator will need to document all the potentially relevant materials, including procedures, standards, and policies that are in place to support your organization’s various system processes. This will then be followed up by stakeholder interviews in order to ascertain which organizational and systemic controls are in place.
After your team has conducted all of the prep work, they can start assessing the organization’s controls using a three-step process:
Examine – The various policies, guidelines, procedures, standards, and records, to evaluate whether the necessary controls are in place.
Interview – The key figures (management, personnel, system owners), to help verify that procedures and controls are observed.
Test – System configurations, to validate that the CSF controls are in place and working as intended.
Step 4: Have You Examined the Documentation and Practices?
Once you’ve conducted rigorous testing, you can measure your compliance for all controls. By examining this documentation, you can verify that your organization is complying with the CSF requirements.
On top of this, it is necessary that your team checks, reviews, and analyzes various information security practices to support the effectiveness of your controls. Examples of verification include observing the physical and environmental security by checking on the efficacy of:
- Entry controls
- Locked doors
- Emergency power cut-off switches
Step 5: Have You Conducted Interviews?
If you have previously set meetings with the key stakeholders, now’s the point for these to take place. The purpose for these interviews is to gather more information about how the system and organizational CSF controls are followed. Per the HITRUST Alliance, the following steps should be taken to ensure that you ask the right questions:
Obtain and review any documentation relevant to the subject area. For instance, if you will be asking about a server’s security policies, ensure that you have reviewed the overall policy regarding system security. Based on the interviewee’s role and responsibilities, identify and ask all related questions.
Once you’ve adequately prepared, you can then hold the interviews, documenting the results as you go. Doing so will help ensure that you’re taking every necessary step to protect your IT environment.
Step 6: Have You Performed Technical Testing?
Technical testing of the controls is the only way to really gauge the efficacy of your cybersecurity perimeter. It can help expose vulnerabilities — both small and large — or gaps in your policies and procedures. Tests involve configuration setting validation, penetration testing, and vulnerability assessment.
There are more than 135 CSF controls, all of which are divided into 19 security domains:
- Access Control
- Audit Logging & Monitoring
- Business Continuity & Disaster Recovery
- Configuration Management
- Data Protection & Privacy
- Education, Training & Awareness
- Endpoint Protection
- Incident Management
- Information Protection Program
- Mobile Device Security
- Network Protection
- Password Management
- Physical & Environmental Security
- Portable Media Security
- Risk Management
- Third-Party Security
- Transmission Protection
- Vulnerability Management
- Wireless Protection
Depending on your organization’s complexity and the risk level of its systems, there are three different levels of HITRUST implementation:
- Level 1 – The minimum security requirement for any system, and the industry baseline necessary to meet HIPAA’s Security Rule requirements.
- Level 2 – Includes all of the controls of Level 1 with additional strength. This is only required for organizations with systems that have increased complexity or regulatory factors.
- Level 3 – Typically limited to large enterprises, and necessitates the successful implementation of all 135 controls.
Step 7: Have You Documented Your Findings?
After all the controls have been tested and analyzed, the assessment team must document its findings based on the results. This will include:
- Identifying and selecting alternate controls
- Requesting alternate controls
This self-examination portion of the process allows your organization to identify control deficiencies or gaps and then propose remediating solutions.
Step 8: Have You Reported Your Findings and Taken Remediating Actions?
Once all of the documentation is completed, the assessment team needs to report its findings to the board and other key stakeholders, alongside recommendations for fixing the areas of noncompliance.
Management must then review the report and decide on specific actions to take in order to reduce their security exposure and organizational risk.
From there, you must carry out detailed Corrective Action Plan (CAP) management, fixing vulnerabilities and re-testing the efficacy of the fixes.
Becoming HITRUST Certified
The HITRUST self-assessment is just the first critical step toward becoming certified as HITRUST compliant. But it is an essential part of the process and will help you prepare for the HITRUST certification audits.
Because this can be such a laborious and convoluted process — especially if this is your organization’s first time going through it — it may be wise to enlist the help of a HITRUST CSF Assessor.
This is where we at RSI Security can assist.
We’re a certified HITRUST CSF Assessor and full-service security service provider. So, if you need guidance, we’re ready to help your organization to take every step necessary to become HITRUST CSF certified.
Download Our HITRUST Compliance Checklist
Assess where your organization currently stands with being HITRUST compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.