Does HITRUST rely too heavily on the Authorized External Assessor Organization’s opinion of control effectiveness?
Authorized External Assessor Organizations and auditors generally determine control effectiveness regardless of what controls are specified, although there is usually a negotiation between them and the organization before the final report is issued.
However, external assessors actually have more leeway in assessing the effectiveness of an organization’s controls, and in determining what those controls should be, when a framework like the HITRUST CSF is not used. Before an external assessor can become a HITRUST Authorized External Assessor Organization, it undergoes a vetting process covering its assessment methods and the experience and qualifications of its staff. Authorized External Assessor Organizations are also required to adhere to HITRUST guidelines for CSF assessments, and each Validated Assessment undergoes a quality review by HITRUST to ensure consistency and repeatability regardless of the Authorized External Assessor Organization doing the work.
For more information, refer to the External Assessor Datasheet.