Understanding the HiTrust Certification Process


Healthcare organizations and their business associates need to prove that they maintain the integrity, confidentiality, and accessibility of protected health information (PHI) and electronic PHI (ePHI). However, if you’re trying to establish security controls in a way that meets the requirements of the Health Insurance Portability and Accountability Act (HIPAA), you might find yourself overwhelmed. The HITRUST Alliance established the HITRUST Cybersecurity Framework (CSF). Understanding the HITRUST certification process can allow you to become compliant in ways that best align with your organizational needs.

HiTrust Assessment & Certification Process

Who is the HITRUST Alliance?

The Health Information Trust Alliance, abbreviated as HITRUST Alliance, incorporates a variety of leaders from across the healthcare industry. Uniquely situated to assess the information security risks facing the healthcare industry, they work to enable collaboration with cybersecurity and risk management leaders to create ways to manage and assess risks to health information.

Why choose HITRUST CSF?

The HITRUST CSF brings together the healthcare-relevant requirements from ISO, NIST, PCI, HIPAA, and other information security standards to create a single, fully integrated standard for the healthcare industry.

While all of the standards enable HIPAA compliance, ISO, NIST, and PCI do not adequately respond to unique healthcare information protection requirements. In the HITRUST CSF comparison whitepaper, the organization reviewed the ways in which its framework could fill in the gaps facing healthcare providers and their business associates.

For example, HIPAA compliance requires an ISO 27001-based review, but ISO 27001 only enables third-party assurance. Meanwhile, NIST SP 800-53 is not ISO 27001-based, but it provides a prescriptive framework allowing for controlled tailoring, compliance-based control, certification, assessment guidance, and tool support.

The HITRUST CSF is an ISO 27001-based common security framework focused on healthcare-specific standards. Its prescriptive nature allows for controlled scaling and tailoring while also providing a compliance-based control framework that supports organizational certification and third-party assurance. It also provides tool support and assessment guidance.

Is HITRUST risk-based or compliance-based?

The HITRUST CSF is a risk-based model. However, as part of the risk management process, organizations need to implement the specified controls to mitigate residual risk. In other words, you’re taking a compliance-based approach to risk management.

While this sounds counterintuitive, the process lets you start with the individual risks inherent in your business operations and then tells you the specific controls you need to implement to mitigate those risks.

What is a HITRUST Assessment?

HITRUST offers varying levels of engagement with the CSF. The engagement level then dictates the type of assessment required to meet your organizational needs.

HITRUST defines the engagement levels as:

  • Self-Assessment: Organizations that only want to review their controls and do not intend to obtain a CSF Validated Assessment or seek CSF Certification.
  • Validated Assessment: Organizations that want to perform the Self-Assessment and then obtain a CSF Validated Assessment or become CSF Certified.
  • Adopter: Organizations that want to use the HITRUST CSF to establish their privacy and security controls.

Each engagement level requires you to use different CSF-provided tools and involves a different level of overarching program assurance.

What is the difference?

Smaller organizations may choose to complete the CSF Self-Assessment process for internal tracking and monitoring. Those organizations should definitely purchase a CSF Assessment Report and may find subscribing to the MyCSF program useful.

However, becoming CSF Validated or CSF Certified requires purchasing the CSF Assessment Report and engaging a CSF Assessor Organization; those organizations may also find subscribing to MyCSF useful.

How do I complete a CSF Self-Assessment?

The Self-Assessment process starts with the risk-based questionnaire that indicates your organization’s maturity level across a series of categories. These categories include:

  • Having a policy or standard
  • Processes and procedures to support the policy
  • Implementation of the policy
  • Management tests and measures operation
  • Corrective actions are taken as needed

Within these categories, organizations define their level of compliance as:

  • Non-compliance
  • Somewhat compliant
  • Partially compliant
  • Mostly compliant
  • Fully compliant

Once you’ve completed the self-assessment, you forward the questionnaire to HITRUST.

Who needs to be CSF Validated or CSF Certified?

Business Associates may find that being CSF Validated or Certified enables them to provide the documentation necessary to gain customer trust. While SOC reports often serve this purpose as well, CSF Validation or Certification proactively aligns with HIPAA-specific requirements.

What is the difference between HITRUST CSF Certification and Validation?

Both validation and certification require you to engage a HITRUST CSF Assessor. The HITRUST Certification process starts with the Self-Assessment and then brings in a HITRUST CSF Assessor to review and validate the effectiveness of the controls.

A CSF Assessor conducts an on-site review using HITRUST’s MyCSF tool. You answer the assessment questions within the tool, and the Assessor then compares your answers against the supporting documentation and performs testing. The report your CSF Assessor generates is the CSF Validated Report.

That Validation report then goes to HITRUST for certification. Once HITRUST certifies the report, your certification remains active for 24 months, unless you report a breach to the Department of Health and Human Services. In the case of a breach, you must perform the appropriate analysis, including forensics to determine what technical controls failed.

In the event of a control failure or misrepresentation of a control, HITRUST may decertify your organization.

Any HITRUST CSF Certified organization experiencing a data breach will be required to undergo an annual assessment for the two years after the breach occurs.

How ZenGRC Enables HITRUST Certification

If you are not currently HITRUST Certified, you can use ZenGRC to perform a gap analysis to determine how your current controls align with the HITRUST CSF. If you are presently NIST and ISO compliant, you can document your controls based on those standards and then analyze which additional controls are necessary for HITRUST certification.

Since ZenGRC provides real-time visibility into your compliance and risk posture, your CISO can assign remediation tasks and work to prevent breaches in order to maintain certification.

Finally, ZenGRC acts as a single source of truth, enabling an easier validation and testing experience. With all your documentation stored in one location, you can more easily provide your CSF Assessor with the information supporting your risk-based analysis and control decisions.

For more information or to schedule a demo, contact us today.