Do HITRUST Certification programs provide safe harbor in the event of a breach? - FAQs - 1

HITRUST CSF Framework FAQ
- Why choose the HITRUST CSF over other frameworks (NIST, ISO, etc.)?
- How do I get started adopting the HITRUST CSF framework?
- How can I obtain a copy of the HITRUST CSF?
- What is the cost to download the HITRUST CSF?
- How is the HITRUST CSF structured?
- Is the HITRUST CSF an industry standard for healthcare?
- Is the HITRUST CSF a compliance-based or risk-based framework?
- Has the HITRUST CSF been adopted internationally?
- How can my organization utilize the HITRUST CSF framework for a SOC 2 report?
- What is the relationship between the controls categories of the HITRUST CSF and the assessment domains found in MyCSF?
MyCSF FAQ
- Why should I purchase a MyCSF subscription if I just need a report?
- Can I get a free trial subscription or demo?
- What do I receive if I only purchase a report?
- What are the advantages of having a subscription to MyCSF?
- Does a subscription add value if I am not getting CSF Certified?
- Will companies still have to pay to allow their assessments to be inherited?
- Does the tool support organizations other than those in healthcare?
- Are there any performance improvements with MyCSF 2.0?
- Who will need to subscribe for inheritance, the person receiving the inheritance, or the person providing it? Right now, the payor is not the person who benefits. Is that reversed now?
- Will we have the option to convert before subscription renewal?
- Will there be a fee associated with API integration? Or a subscription level?
- Does evidence always have to be referenced to the requirement for each assessed area (e.g., implementation, measured, managed) or can we say that we observed and explained what is being done?
- I have started an interim assessment with my assessor organization. Should I stay on My CSF 1.0 until that is complete or switch over to My CSF 2.0? We have about two months for completion of the interim assessment.
- How long does it take to migrate from MyCSF 1.0 to 2.0?
- Will the number of requirements change from 1.0 to 2.0?
- Have scoping factors (e.g., environment use of mobile devices, accessible from a public location, etc.) changed between MyCSF 1.0 and 2.0?
- Will you be able to produce the targeted assessment, i.e., PCI from the HITRUST assessment, for the questions that are the same?
- We are working on a self-assessment on version 9.1 of the HITRUST CSF, what will change for us?
- What will be different for the tool administrator in comparison to MyCSF 1.0?
- Will those that just purchased a self-assessment then purchased the validated assessment be in the old version to start and the new version when they switch to the validated assessment?
- Will the new tool allow “partial” assessments to allow inheriting reusable component parts into new assessments? For example, can an object be built and assess only policies, then use that policy assessment to populate multiple system assessments?
- APIs – which GRC tools will the APIs connect to? Will it allow the import of controls into the GRC tool and export from GRC response fulfillment into MyCSF 2.0?
- Is inheritance all or nothing for each requirement or can it be weighted?
- Do you support a hierarchy so that you can respond once on common controls like HR related items with the parent company and the responses go to all the sub assessments?
- When is the HITRUST CSF v10.0 being released?
- Will organizations be able to select which assessment version they use? Will you now be able to grandfather organizations into a previous assessment version if they completed their self-assessment on that version?
- Is there a release plan for customers who aren’t subscribers, but who just purchase assessment objects as needed?
- What about modules such as policy management?
- Can I get a HIPAA specific report?
- Will the documents and commenting from MyCSF 1.0 be transferred to MyCSF 2.0?
- Will we be able to perform at-will assessment exports into an excel document or CSV?
- If we decide to use the API, how will MyCSF development environments (QA/UAT) be available?
- Can other types of assessments be done such as FISMA?
- What is the MyCSF 2.0 QA process? How will the new process be different from the current process?
- With the ability to note which document goes with which maturity, will this eliminate the spreadsheet that the assessor is asked to provide outside of the portal?
- Is there a limit to the number of active assessments?
- In the questionnaire, can you select IT supplier, Healthcare, Payer, etc.? What are the other options?
- Will HITRUST provide a webinar specifically for assessors and practitioners? How do practitioners see customer comments, the evidence cited and how will assessors and practitioners provide comments?
- Do you have more information on the BASICs program? Can any organization participate or is there certain criteria that needs to be met?
- The other types of assessments (GDPR, etc.) are only self-assessments and can’t be validated?
- Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?
- Is attaching a w/p or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?
- For organizations that have already started their assessment, will their current identified requirements be automatically populated into the new MyCSF tool to ensure no mismatch between HITRUST provided requirements and ones generated by the tool?
- Can we inherit controls from our existing assessments to new objects in MyCSF 1.0?
- Is the back end of MyCSF 2.0 still RSAM? If so, will it impact the speed of processing?
- Can the tool link to supporting documents rather than copy?
- Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?
- Will assessors be converted?
- Will assessors be provided access to MyCSF 1.0 for interim reviews beyond 3/31/19?
- Will a similar demo be done for assessors to understand the capabilities for assessors?
CSF Assurance Program FAQ
- What is the HITRUST CSF Assurance Program?
- What are the various types of CSF Assessments?
- Is a HITRUST certification assessment more expensive than comparable assessments?
- What is the length of time it takes to become HITRUST CSF Certified?
- Who will accept HITRUST CSF Assurance Reports?
- If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?
- How many organizations have completed a HITRUST CSF Assessment?
- What is the process for an organization to achieve HITRUST CSF Certification?
- How can my organization utilize the CSF framework for an AICPA SOC 2 report?
- How can I confirm an organizations certification status?
Third Party Assurance FAQ
- How can I use the CSF Assurance Program for third-party risk management?
- How often do I need to get a report?
- How many questions, and how long will it take?
- How do I understand the CSF Assessment report I have received?
- What types of questions are there, and what information will we need to provide?
- Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?
- Is a current SOC 2 acceptable for meeting the third-party assurance requirements?
- Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?
- How is HITRUST and covered entities engaging with the HITRUST Third Party Assurance?
External Assessor Program FAQ
- How does my firm become a HITRUST Assessor?
- What are the costs associated with the Assessor program?
- What is the difference between a HITRUST practitioner and a HITRUST External Assessor?
- Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?
- What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?
HITRUST Threat Catalogue FAQ
- How do I explain the HITRUST Threat Catalogue™ to my executives?
- Why did HITRUST map the threats to HITRUST CSF v10 and not the CSF v9.x?
- How does the HITRUST Threat Catalogue make the HITRUST CSF better or improve its ability to help manage risk?
- Can I get involved in the working group and, if so, how?
- When will cyber threat intelligence be linked to the threats in the catalogue?
- Will all the threats to personal data be listed in the HITRUST Threat Catalogue?
- How will the HITRUST Threat Catalogue evolve over time?
- How does the HITRUST Threat Catalogue help me perform a risk analysis?
- Will the HITRUST Threat Catalogue help me with HIPAA compliance?
- How does threat intelligence linked to the HITRUST CSF help me better protect health information?
- How will HITRUST use threat intelligence to update the requirements in the HITRUST CSF?
- What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?
- How often will the HITRUST Threat Catalogue be updated?
Frequently Asked Questions About the HITRUST® Risk Management Framework
- The HITRUST CSF FAQ
- CSF Assurance Program and Certification FAQ
- HITRUST and the NIST Cybersecurity Framework FAQ
HITRUST CSF and SOC 2® Frequently Asked Questions
- Does a SOC 2 + HITRUST CSF examination assess all 135 or only the controls required for HITRUST certification?
- What is the difference between a HITRUST CSF Certification and a service auditor’s report expressing an opinion on the fairness of the system description, suitability of design, and operating effectiveness of controls based on The HITRUST CSF?
HITRUST CSF and NIST CSF Frequently Asked Question
- Why should my organization get a certification relating to the NIST Cybersecurity Framework?
- How can an organization communicate it has obtained a HITRUST certification for the NIST Cybersecurity Framework?
- Does NIST recognize HITRUST as a certifying organization?
- What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?
- Is HITRUST’s certification for the NIST Cybersecurity Framework separate from HITRUST CSF Certification?
- What controls are included in both a HITRUST CSF Certification and HITRUST’s certification for the NIST Cybersecurity Framework?
- What is the difference between the HITRUST Scorecard of the NIST Cybersecurity Framework and the HITRUST CSF Certification?
- Is the HITRUST certification for the NIST Cybersecurity Framework just for healthcare?
- Who do I contact to better understand HITRUST’s certification for the NIST Cybersecurity Framework?
- If I am HITRUST CSF Certified, am I also certified for the NIST Cybersecurity Framework?
- If I am already HITRUST CSF Certified, how do I get a copy of my certification for the NIST Cybersecurity Framework?
- Will HITRUST Assessors be assessing against the NIST Cybersecurity Framework?
- Is a HITRUST CSF assessment a requirement for certification against the NIST Cybersecurity Framework, or can I just obtain a HITRUST certification for the NIST Cybersecurity Framework? If so, what is the cost?
- What’s included in HITRUST’s certification report for the NIST Cybersecurity Framework?
- How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?
- Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?
- What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?
- What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?
- Is an interim review required to maintain your HISTRUST CSF Certification for the NIST Cyber Security Framework?
Interim Review FAQ
- My interim assessment is coming up, how do I get started?
- How is the existing validated assessment utilized for the interim review?
- Is there a fee for HITRUST to process the interim assessment?
- Do I have to perform my interim assessment in MyCSF?
- Will it be the same level of access as we get for full assessment submission?
- Must the submission be performed by the assessed organization or the assessor firm as the full assessment or can the scores/comments be directly entered by one login and submitted?
- Will the interim submission that will be conducted on the HITRUST portal be same/similar as full assessment or will it show only selected sample questions to be scored and validated?
- Will the validation of all maturity scores and related evidence be examined by HITRUST or will that only apply to scores that are measured and managed scores?
- How will the interim assessment process be different from the interim review memorandum previously used?
- How do you submit an assessment if you were certified against CSF v9.0 or prior versions?
- Does the 90-day rule for evidence apply for interim assessments
- Do you have to submit complete scoring for each requirement statement?
- Do you need evidence for every requirement statement and domain like on a validated assessment?
- How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?
- If we have already completed the evidence sampling and review with our HITRUST assessor firm, do we need to use the memorandum interim submission or the HITRUST MyCSF interim submission?
- Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late
Control Maturity and Continuous Monitoring and Assessment FAQ
- How does the definition of a mature organization correspond to the scores required for HITRUST CSF® Certification?
- What HITRUST maturity scores should senior management or Boards of Directors mandate for their organization?
- What evidence do you have that controls with high maturity will not change or degrade?
- How are HITRUST report findings different than those from vendors like Security Scorecard and Bitsight?
- What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?
- Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?
- What is the role of continuous monitoring in the HITRUST scoring process?

Download as PDF

Certification is not required by any regulatory body, nor has any regulatory body sanctioned certification as a mechanism to provide safe harbor in the event of a breach. This is true not just for the HITRUST CSF but for other standards and frameworks as they apply to regulatory compliance requirements (e.g., NIST, ISO, and PCI). However, OCR recently stated that credentialing/accreditation programs like the CSF can help organizations build strong compliance programs. “OCR considers mitigation and aggravating factors when determining the amount of a civil monetary penalty, and these include the entity’s history of prior compliance. An entity with a strong compliance program in place, with the help of a credentialing/ accreditation program or on its own, would have that taken into account when determining past compliance.”

Certification is one of the best ways regulators have to determine if an organization has made a good faith effort to meet their legal and regulatory requirements (i.e., provide a mitigating factor when considering financial penalties or other punitive or corrective actions). A HITRUST Certification can convey to third parties (e.g., regulators, auditors, business partners, customers) in a standard, structured and clear way that controls are in place, to what level they are applied, and how they were chosen, including any risk management decisions for risk acceptance or the use of alternate (i.e., compensating) controls.

For more information on risk vs. compliance, refer to the HITRUST whitepaper Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection.

Feedback

Post your comment on this topic.