In this blog, you’ll learn about the fundamental aspects of HITRUST Certification, as well as receive answers to frequently asked questions about the HITRUST CSF.
This blog summarizes the HITRUST CSF (Common Security Framework) webinar led by Gary Glover, Matt Halbleib, and Lee Pierce of SecurityMetrics, and Peter Briel of Privaxi.
There are a number of important certifications or compliance requirements your company can achieve in regard to cyber and financial security (e.g., PCI DSS). One of the more high-level and detailed of these is HITRUST. This type of certification can really set your business apart and raise your organization’s overall security posture.
The HITRUST Common Security Framework (CSF) includes multiple security frameworks under one umbrella, reducing the need for repeated compliance demonstrations to various stakeholders.
Like any robust security framework, HITRUST CSF helps reduce the risk of breaches and enhances early detection of potential threats, minimizing damage to your organization.
Obtaining HITRUST certification demonstrates your organization’s commitment to maintaining a comprehensive set of security and privacy controls tailored to your business. It signals to your partners and business associates that you prioritize data protection and have taken necessary steps to reduce risk.
Many organizations face the challenge of addressing multiple assessments, and HITRUST is beneficial as it maps to various other frameworks. However, despite its importance, many hesitate to pursue HITRUST certification due to limited resources and often only do so when required.
Large organizations often require HITRUST validation of their business associates and service providers to achieve assurance that these partners are committed to security and are taking necessary measures to secure the data entrusted to them.
HITRUST offers several types of assessments, each focusing on different controls:
Whereas the e1 and i1 are built from a preset set of controls, the r2 incorporates all of the controls contained in the e1 and i1 and then adds further controls, which are determined by your completion of the factoring exercise in the MyCSF portal. This exercise consists of a questionnaire about your business’s functions and scope, along with selecting the various standards you wish to include (e.g., State of Texas, HIPAA, FedRAMP).
Choosing the right certification depends on your business needs, risk appetite, and level of maturity. Budget and resources also play a significant role in determining the necessary controls. Understanding your risk level and limitations is crucial in making the right choice.
The timing of your deliverable requirements may also inform your decision about which of the three assessment types is the right fit.
If you’re interested in a simplified way to start your HITRUST assessment process, check out our HITRUST Preparedness Calculator. It’s one of the best ways to see where you’re at, what assessment type you need, and what to do next. Get started here.
Defining your scope is critical when trying to get HITRUST certification. It’s essential to narrow down your focus and determine what you can realistically manage. Identify which services or systems fall within the scope, then analyze what specific aspects of those services need to be included.
Given the potentially high cost and lengthy process, especially for large organizations, it’s vital to manage your scope carefully to avoid overwhelming yourself. You’ll need to consider various risk-based questions, such as:
With the r2 assessment type, the more affirmative answers, the more controls you’ll need to address to mitigate risks. Generally, it’s advisable to start simple and gradually expand your scope.
After analyzing your data, assets, and network flow, you’ll identify which of the 19 domains and their associated controls apply to your environment. Typically, this results in around 270 controls in the r2 assessment type. Documenting this information is crucial as you present it to a HITRUST Validation Assessor, like SecurityMetrics.
If part of your environment is hosted in the cloud, a key advantage is that you can inherit some controls from the environment you use, such as AWS, Azure, or other cloud-based tools that have already undergone HITRUST certification. This inheritance can significantly reduce your burden.
In order to determine your scope and apply the correct controls, you’ll need to understand your data flow, identify the systems it interacts with, and document everything. During the readiness preparation, new areas may be discovered that need to be added to the scope.
With security, you can’t protect what you have not identified.
The MyCSF portal is where you’ll engage in the HITRUST validation assessment. When you’re serious about this process, you’ll need to subscribe and schedule an assessment with the HITRUST Alliance. However, you can review your controls with an assessor before making any commitments.
If you’re new to this process, SecurityMetrics can guide you through the initial steps before you decide on your scope or the type of assessment you need. Ultimately, you’ll need to purchase access to the HITRUST Alliance’s MyCSF Portal and work with experts on the readiness side to ensure all necessary policies and procedures are implemented.
You must provide evidence in the portal that you’re fulfilling the required controls. Clients must also score themselves on how well they meet these controls, with guidance available from HITRUST documentation.
Once self-assessment is complete, SecurityMetrics will review and validate the information before final submission.
After identifying your controls, the preparation phase begins, focusing on readiness and remediation. During this phase, you’ll break down each domain, assess your current status, leverage existing work, and conduct a gap analysis to identify and address any deficiencies.
Privaxi and SecurityMetrics work together with security engineers and compliance teams to identify gaps and integrate necessary changes throughout the program’s lifecycle.
With the added service of HITRUST readiness and remediation, provided by Privaxi, the work inside the MyCSF portal can largely be carried out by Privaxi, sparing you from many of the tasks you would normally have to shoulder yourself. For example, Privaxi can help with evidence collection, evidence scoring, and policy and procedure writing, as well as many other tasks in preparing for HITRUST Certification.
As we manage all aspects of HITRUST, from scoping to validation, SecurityMetrics and Privaxi help secure your business while maintaining real-time visibility into your operations. Our expertise in AWS, Azure, Google Cloud, and on-premises solutions allows us to tailor strategies that meet your compliance needs and prepare your company for future challenges.
Once all information and evidence are uploaded, and self-assessment is complete, the assessor will review everything before submitting it to the HITRUST Alliance.
It’s important to note that any new systems or processes must be in place for 90 days (60 days for policies and procedures) before they’re considered compliant by HITRUST. This is a crucial detail, as prematurely submitting a new implementation could lead to rejection.
The process includes a thorough documentation review, and if any issues arise, HITRUST may request revisions. Once everything is satisfactory, a draft report is submitted for client approval. If approved, HITRUST issues the official certification report.
For r2 assessments, certification is valid for two years, provided you maintain your processes during an interim assessment in the second year.
For i1 assessments, certification is valid for two years, provided you maintain your processes during a sampling assessment in the second year, called the “Rapid Recertification”.
After submitting your assessment, HITRUST will review it, potentially asking for clarifications or corrections.
Once everything is finalized, HITRUST will issue a Corrective Action Plan (CAP) report. This report may indicate a successful pass or outline areas needing improvement before final certification.
Remember, certifications require ongoing maintenance; they are not a one-time effort. You’ll need to maintain compliance with specific control elements continuously.
Hackers don’t take breaks, and time is on their side. Staying vigilant with the support of SecurityMetrics and Privaxi helps protect your organization from evolving threats.
Given how complex and detailed the HITRUST certification process can be, SecurityMetrics knew it needed a partner that could meet our expectations for industry expertise and excellent customer support. That’s why we partnered with Privaxi. As you navigate this journey, you’ll find a unified team on our end, working hand in hand to keep your process seamless and painless.
Our team of assessors and experts has your back at every step, ready to answer any questions or address concerns. And no matter how long it takes, we’re here to help!
SecurityMetrics has over 22 years of experience in security audits, penetration testing, and general consulting. We specialize in compliance and security services, helping organizations reduce risk, protect data, and meet compliance standards.
SecurityMetrics has over 20 years of experience in validating various compliance frameworks. This proven track record is leveraged as we help our HITRUST clients navigate the certification process. Our commitment to clear communication and thoroughness helps alleviate clients’ fears and ensures a successful outcome.
SecurityMetrics focuses on building long-term relationships, guiding clients through the assessment process, and ensuring they are well prepared for future compliance challenges. Reach out to our team of experts to begin your HITRUST journey today.
Originally a managed security service provider, Privaxi now also offers HITRUST readiness and remediation assessments.
Privaxi specializes in compliance, security, and managed IT services to help your organization reduce risk, protect data, and meet compliance standards.
Security and compliance aren’t optional. They are critical to your organization’s success. Given our industry-defining approach, we are the leading provider of tailor-made security and compliance services for small and medium-sized businesses.