HITRUST Assurance Advisories are communications that notify HITRUST CSF Assurance Program stakeholders of enhancements, changes, and/or provide additional guidance regarding the HITRUST CSF Assurance Program Requirements and supporting methodologies and tools. All Assurance Advisories contain important information regarding adoption requirements, scope, and timing, which can impact HITRUST CSF Assurance Program stakeholders.

All HITRUST CSF Assurance Program stakeholders should review each Assurance Advisory to understand the potential impact on them.

Summary of HITRUST Assurance Advisories 2020

Impacted Policy/Program Name: CSF Assurance Program
Date: July 14, 2020
Advisory Type: Assurance Program Communications

Policy/Program Change Details

HITRUST “CSF Implementation & Assurance Implementation Bulletins” will now be referred to simply as “Assurance Advisories” and will be classified into two distinct categories: “Assurance Change Advisories” and “Assurance Quality Advisories.”

“Assurance Change Advisories” will be used to communicate:

  • Enhancements to the MyCSF platform which significantly impact the Assurance program.
  • Significant modifications to the assessment methodology and assurance program requirements, such as modified assessment documentation requirements.
  • Introduction of a new component of the assessment methodology or a program requirement.

“Assurance Quality Advisories” will be used for:

  • Clarifying existing assessment methodology components, assurance program requirements, and expectations of assessors and assessed entities based on HITRUST’s experience in performing quality assurance reviews of assessment submissions.
  • Highlighting new, emerging, or otherwise noteworthy circumstances that may affect how assessments are conducted under the existing assessment methodology and assurance program requirements.

All advisories will continue to provide a timeline for implementation by both assessed entities and External Assessors.

Rationale

Categorizing advisories by type will provide additional clarity around changes to the Assurance program which impact assessed entities and External Assessors. Furthermore, the creation of “Assurance Quality Advisories” provides a new vehicle to share guidance and clarification regarding existing assessment methodologies and program requirements to the HITRUST community.

Timetable for implementation

Effective for all subsequent Advisories.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program
Date: April 15, 2020

Summary

HITRUST recognizes the challenges that assessed entities may be facing in completing their HITRUST CSF Validated Assessments and the subsequent possible impact of not maintaining HITRUST CSF Certification. The HITRUST CSF® Assurance Program, upon which certification is based, incorporates a number of mechanisms to ensure the assurances provided by a HITRUST CSF Validated Report are ‘rely-able’ when the report is issued, and remain ‘rely-able’ up until the time a report expires. Therefore, given the extent of degradation in the level of assurance over time, HITRUST is unable to extend the validity of a HITRUST CSF Certification past its two-year anniversary date.

HITRUST also recognizes that any solution addressing these challenges must maintain the integrity of the HITRUST CSF Assurance Program, introduce minimal additional costs and duplication of effort, and provide a reasonable level of assurance for anyone seeking to rely upon it.

The HITRUST CSF Bridge Assessment provides an interim solution to assist organizations in addressing these challenges, allowing assessed entities to demonstrate a continued level of control effectiveness and assert continued progress towards the next HITRUST CSF Validated Assessment.

Limitations of Forward-Looking Certifications

HITRUST’s forward-looking HITRUST CSF Certification provides value by providing appropriate assurance that an assessed entity’s scoped control environment will operate as intended over a specific period of time. As control environments and threats inevitably change over time, the assurances gained by an assessment will also lessen over time. This degradation of assurance is anticipated and factored into the HITRUST CSF Assurance Program’s assessment and quality assurance methodologies and underlying risk analysis model. The interim assessment, performed at the one-year anniversary of HITRUST CSF Certification, is designed to help ensure the assurances provided by certification can be reasonably relied upon through its second year up until the point of expiration. A new HITRUST CSF Validated Assessment must then be performed in order to provide reasonable assurances for another two years.

As a result, HITRUST cannot reasonably extend HITRUST CSF Certification past its two-year anniversary date and still provide the ‘rely-ability’ fundamental to the HITRUST CSF Assurance Program. HITRUST CSF Certifications aren’t alone in this regard; few—if any—other forward-looking information assurance mechanisms can be extended for periods greater than two years while still offering the meaningful assurances that stakeholders now expect.

HITRUST CSF Bridge Assessment

HITRUST has subsequently developed an approach that may be useful to some stakeholders under extraordinary circumstances in which a HITRUST CSF Certification holder is unable to complete their next HITRUST CSF Validated Assessment prior to the expiration of their existing HITRUST CSF Certification. A HITRUST CSF Bridge Assessment allows HITRUST CSF Certification holders to demonstrate a continued level of control effectiveness while making progress towards their next HITRUST CSF Validated Assessment.

To mitigate the excessive degradation in assurance that occurs at the end of a HITRUST CSF Certification period, 19 requirement statements will be randomly selected by the HITRUST MyCSF® platform from the entity’s previous validated assessment to serve as a HITRUST CSF Bridge Assessment. A HITRUST Authorized External Assessor will then test these requirement statements to confirm their maturity did not degrade since the previous assessment. This testing will be reviewed in an expedited manner by HITRUST and—barring indications of control degradation, significant changes in the environment, or significant QA issues—HITRUST will issue a HITRUST CSF Bridge Certificate. Once awarded this certificate, the assessed entity will have 90 days from the expiration date of the previous HITRUST CSF Certification to submit a completed validated assessment to HITRUST.

Important considerations related to HITRUST CSF Bridge Assessments:

  • A HITRUST CSF Bridge Assessment object can be created in MyCSF at any time from 60 days prior to the existing HITRUST CSF Certification’s expiration through 30 days after the expiration date of the HITRUST CSF Certification.
  • A HITRUST CSF Bridge Assessment object can be submitted to HITRUST no more than 30 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.
  • The testing performed in the HITRUST CSF Bridge Assessment does not need to be performed again in the delayed validated assessment. In other words, HITRUST will not require re-testing of these 19 requirement statements.
  • HITRUST CSF Bridge Assessment submissions from HIEs, HINs, and healthcare providers will be prioritized for QA until further notice.
  • HITRUST’s anticipated processing time for a HITRUST CSF Bridge Assessment submission is two to three weeks.

HITRUST CSF Bridge Certificate

A HITRUST CSF Bridge Certificate is a forward-looking, temporary certificate issued by HITRUST that is valid for 90 days from the expiration date of the organization’s previous HITRUST CSF Certification. A HITRUST CSF Bridge Certificate adds value in providing a minimal but reasonable level of assurance that the entity’s scoped control environment is unlikely to have degraded materially since the last validated assessment and by indicating that the entity has committed to obtaining a HITRUST CSF Validated Report in the next 90 days.

Other important considerations related to HITRUST CSF Bridge Certificates:

  • A HITRUST CSF Bridge Certificate is not a replacement for a HITRUST CSF Validated Report with Certification as it does not provide an equivalent level of assurance.
  • A HITRUST CSF Bridge Certificate is also not an extension to an existing HITRUST CSF Certification (which still expires on the two-year certification anniversary).
  • The 90 days covered by the HITRUST CSF Bridge Certificate are deducted from the new HITRUST CSF Certification’s two-year validity period.

Qualification Requirements

To qualify for a HITRUST CSF Bridge Assessment, assessed entities:

  • Must have an active HITRUST CSF Validated Report with Certification,
  • Are likely to miss their validated assessment submission due-date, and
  • Haven’t missed that due date by more than 30 days.

Not all entities holding an active HITRUST CSF Certification will need to perform a HITRUST CSF Bridge Assessment, as a HITRUST CSF Bridge Certificate is designed for missed due date scenarios due to an extant emergency or crisis, such as the current COVID-19 pandemic. For entities facing such a scenario, a HITRUST CSF Bridge Certificate may afford necessary additional time. However, entities should not assume that HITRUST CSF Bridge Certificates will be universally accepted by business partners and regulators demanding continuous HITRUST CSF Certification status. Entities should consult with their stakeholders and relying parties to determine if a HITRUST CSF Bridge Certificate will be accepted while they await receipt of a new HITRUST CSF Validated Report with Certification.

Timeline

HITRUST CSF Bridge Assessments will be available starting April 15, 2020. While HITRUST reserves the right to terminate this option without notice, we intend to make these assessments available through the calendar year 2020.

Organizations interested in undergoing a HITRUST CSF Bridge Assessment should contact their HITRUST Customer Success Manager and a HITRUST Authorized External Assessor.

More Information

Please see the HITRUST CSF Bridge Assessment Overview Deck for more information.

Impacted Policy/Program Name: CSF Assurance Program
Date: March 30, 2020
Advisory Type: MyCSF Functionality

Policy/Program Change Details

HITRUST is making the following changes to the assessment scoping factor questions in MyCSF for HITRUST CSF Validated Assessments and HITRUST CSF Readiness Assessments:

  • Adding more than ten additional technical scoping factor questions to better capture inherent risk factors present in the assessed environments and tailor the HITRUST CSF requirements included in assessments accordingly.
  • Re-wording the existing technical scoping factor “Is the system(s) accessible by a Third Party?” to further clarify the definition of a third party.
  • Removing the “Are Mobile devices used in the environment?” technical scoping factor.
  • Adding additional HITRUST CSF requirements to existing technical scoping factors.
  • Adding additional information around certain factors as part of the help page.

Additionally, MyCSF will now require an assessed entity to provide a documented rationale for each technical scoping factor answered “No.” This rationale should contain sufficient detail to allow the External Assessor and HITRUST QA to evaluate the “No” answer. These rationales will also appear in the HITRUST CSF Validated Assessment Report.

Rationale

The changes related to MyCSF’s assessment scoping factors will:

  • Reduce the number of requirement statements that appear in the assessment when a factor is marked as “No.”
  • Reduce the amount of repetitive “This is not applicable because…” responses that are currently documented during assessments and reflected in HITRUST CSF assessment reports. Assessed entities will instead be asked to explain the absence of inherent risk factors once rather than multiple times throughout the assessment, thus reducing the level of effort required to complete and review the assessment.
  • Add clarity around the terminology used in assessment scoping factors.

Timetable for implementation

Effective for all new objects created on or after June 1, 2020.

6/1/20 Update:

  • The changes described in this advisory are now live in MyCSF’s production environment. Twelve newly added technical scoping factor questions (e.g., “Are hardware tokens used as an authentication method within the scoped environment?”) have been introduced.
  • These newly added scoping factor questions only serve to remove / filter requirements from being included in an assessment and do not add any requirements to the assessment. When determining which requirements to include in an assessment object, MyCSF first uses all other scoping information to identify the necessary requirements and THEN removes any requirements associated with the twelve newly added scoping factor questions when these questions are answered as “No”.
  • All HITRUST CSF assessments benefit from these newly added questions. Instead of having to explain why similar requirements aren’t applicable to the assessment multiple times (at the requirement level), assessed entities now need to explain that the associated risk factor doesn’t apply once (at the scoping level). Because of this change, HITRUST anticipates the number of requirements marked as Not Applicable on assessments to drop considerably. As an added benefit, the speed by which HITRUST’s QA takes place will improve as a result of us needing to review fewer requirements marked as Not Applicable.
  • HITRUST has made these new scoping factor questions available on all assessment objects, including those created before 6/1/20, so that they may optionally benefit from these newly added scoping factor questions. The newly added questions default to a visible option of “Please choose an option”, which MyCSF treats as “Yes”. The net effect of defaulting to a “Yes” value is the same as not having the scoping factors present at all: because these questions are only reductive (never additive), no requirements are added to or removed from any previously created assessment object without action from the assessed entity.
  • Organizations with previously created assessment objects who wish to take advantage of these newly added scoping factors, and have not yet submitted their assessment to HITRUST, are encouraged to visit the “Admin & Scoping > Factors” page, answer the newly added scoping factor questions (providing the required “No” explanations where necessary), and then press the “Refresh Assessment” button. Requirements linked to any questions answered “No” will then be removed from the assessment object.
  • No action is required for Organizations with previously created assessment objects who do not wish to take advantage of these newly added scoping factor questions.

Date: March 16, 2020

Advisory

To help ensure the rely-ability of HITRUST CSF Validated Reports and Certifications, assessors and assessed entities must observe several requirements related to MyCSF access, training, assessments, reporting, and control implementation timing. These timing requirements are outlined in the HITRUST CSF Control Maturity Scoring Rubric, the HITRUST CSF Assurance Program Requirements, and the HITRUST CSF Assessment Methodology and include (but are not limited to):

  • External assessor’s validated assessment fieldwork window (maximum):
    • 90 calendar days prior to the date of submission of the validated assessment object to HITRUST.
  • Minimum number of days that a remediated or newly implemented control must operate prior to assessor testing:
    • 90 calendar days past the control’s implementation or remediation.
  • Maximum age of testing performed by an Internal Assessor being relied upon by an External Assessor:
    • 90 calendar days, as determined by comparing the External Assessor’s fieldwork start date to the Internal Assessor’s fieldwork start date.
  • Window during which HITRUST will accept grammatical changes to a draft report:
    • 30 calendar days from issuance of draft report.
  • Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF:
    • 30 calendar days from issuance of draft report.
  • Interim assessment object submission due date:
    • No later than the 1-year anniversary of the HITRUST CSF Certification (based on the HITRUST CSF Validated Report’s date).
  • Validated assessment object submission due date for re-certification efforts:
    • No later than the 2-year anniversary of the HITRUST CSF Certification (based on the organization’s previous HITRUST CSF Validated Report date).
  • Duration of MyCSF access for report-only customers:
    • 90 calendar days for validated assessments and 60 calendar days for interim assessments.
  • Validity window for the CCSFP certification:
    • Three years, subject to remaining current with required training. Practitioners are required to complete an online, annual refresher course each of the two years following classroom component completion and attend the full class again the third year to maintain the CCSFP certification. The training is due no later than the end of the month that corresponds with the certification’s original anniversary date.
  • Validity window for the CHQP certification:
    • Two years, and the full CHQP course and accompanying certification exam must be retaken no later than the end of the month that corresponds with the certification’s original anniversary date.

HITRUST acknowledges that the ability to consistently adhere to these timing-related requirements may be affected by the ongoing spread of COVID-19. While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is not at this time issuing a blanket waiver for any timing requirements as doing so goes against the overall integrity of the CSF Assurance Program and the rely-ability of assessment reports.

However, HITRUST may issue discretionary, limited modifications or exceptions to these timing requirements to organizations who request them. Such requests should be sent in writing to HITRUST’s Compliance team at compliance@hitrustalliance.net. All timing extension and modification requests will be evaluated by HITRUST. Assessed entities and their assessors should not assume that all requests will be approved. For those organizations that may be delayed in obtaining a HITRUST CSF Certification or in completing a HITRUST CSF assessment, we encourage you to keep all stakeholders apprised of the status of your HITRUST efforts.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program
Date: March 5, 2020
Advisory Type: Assurance Program Methodology

In light of the recent spread of COVID-19, HITRUST encourages assessors to exercise judgement when planning assessment-related travel. Given that HITRUST assessments take place across the US as well as internationally, we acknowledge that some HITRUST assessments will be affected more than others. Assessors should work closely with their clients to adjust travel plans as deemed necessary. To provide assessors added travel flexibility, HITRUST is waiving the requirement that in-person / on-site validation procedures be performed at the assessed entity’s facilities. This temporary waiver is effective immediately.

In situations where assessors choose to leverage alternative approaches such as video conferencing to perform necessary walkthroughs and observations, assessment documentation must clearly reflect the nature, timing, and extent of the alternative approaches used.

We will continue to work closely with assessors to monitor the effectiveness of alternative walkthrough and observation approaches and the ongoing necessity of this waiver. An additional advisory will be posted at a later date to reinstate the on-site fieldwork requirement.

Summary of HITRUST Assurance Advisories 2019

Impacted Policy/Program Name: HITRUST CSF® Assurance Program
Date: January 15, 2019
Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the HITRUST CSF Assurance Program regarding the performance and documentation of the testing of control requirements for assessments.

HITRUST Authorized External Assessors are required to submit the following documentation with all validated assessments:

  • Test Plan that covers testing of all required controls. It must meet the minimum test plan requirements documented in the HITRUST CSF Assurance Program Requirements.
  • 100% of working papers. They must meet the minimum working paper requirements documented in the HITRUST CSF Assurance Program Requirements. We have attached a copy of the Assurance Program Documentation Requirements to this advisory.
  • HITRUST Authorized External Assessor Quality Checklist signed by the Engagement Executive and Assessor QA Resource. The Quality Checklist can be found in the HITRUST MyCSF and should always be downloaded from the HITRUST MyCSF to ensure use of the latest version. We have also attached a copy to this advisory.

Rationale

This change is to ensure the consistency and quality of assessment documentation, ensure compliance with the HITRUST Assurance Program requirements, and make the HITRUST QA process more efficient. The HITRUST Authorized External Assessor’s QA process should identify and address most issues prior to submission to HITRUST.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

HITRUST CSF Assurance Program Documentation Requirements

HITRUST Authorized External Assessor Quality Checklist

Impacted Policy/Program Name: HITRUST CSF® Assurance Program
Date: January 15, 2019
Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Assessor Organizations about a change to the assurance process regarding the number of qualified (CCSFP) hours required for validated assessments.

HITRUST Certified CSF Practitioner (CCSFP) resources must comprise 50% of assessment hours. This requirement is inclusive of QA hours.

Rationale

This change is to ensure the competency and quality of resources performing validation work.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program
Date: January 15, 2019
Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the assurance process regarding the documentation of the scope of the entity’s assessed environment.

HITRUST Authorized External Assessors must provide a verbose description of the assessed environment that includes both systems/products and facilities. This description must clearly define assessment boundaries. In addition to the verbose description, a summary table must be provided that further clarifies what is included and what is not included, such that any discrepancy can be clearly resolved through the definition. We have attached an illustrative example to this advisory.

Rationale

This change is to ensure the clear communication of the environment that was assessed to readers of HITRUST CSF Validated Assessment reports.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Scope Definition & Guidance

Impacted Policy/Program Name: HITRUST CSF® Assurance Program
Date: January 15, 2019
Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about changes to the qualification requirement for Engagement Executives and Assessor Quality Assurance (QA) personnel. It also reiterates the role of the Engagement Lead.

The first change is a requirement for both the Engagement Executive and the Assessor QA reviewer to be CCSFPs. Prior to this change, the Engagement Lead and either the Engagement Executive or the Quality Assurance Reviewer were required to be CCSFPs.

The second change focuses on the Assessor personnel who perform QA reviews prior to the submission of assessments to HITRUST. People in this role will be required to complete an online course and pass a test to become a Certified HITRUST Quality Professional (CHQP). This is in addition to the CCSFP requirement. Communication will go out once the online course and exam are available.

Attached to this advisory are additional details on the responsibilities of the Engagement Executive, QA Reviewer and Engagement Lead.

Rationale

This change is to ensure that Engagement Executives understand the HITRUST CSF Assurance Program and are able to perform an effective executive-level review. The requirement for Assessor QA reviewers to complete an online course is to ensure that reviewers understand the expectations of their role and can demonstrate their understanding by passing the exam.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Responsibilities of Engagement Executives, Quality Assurance Reviewers and Engagement Leads

Impacted Policy/Program Name: HITRUST CSF® Assurance Program
Date: January 15, 2019
Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST CSF Certified Organizations and HITRUST Assessor Organizations about changes to the interim review.

The Interim Review has been replaced with an Interim Assessment. The Interim Assessment differs from what has been known as the Interim Review by requiring:

  • Full testing of selected control requirements (INCREASED TESTING REQUIREMENT);
  • Rescoring of the tested control requirements (NEW);
  • Full QA of testing by HITRUST (INCREASED LEVEL OF EFFORT); and
  • For assess-only reports, full verification that recreated assessment matches assessment used for issuing of the previous full report (NEW).

As a reminder and consistent with HITRUST Assurance Advisory 2017-01 issued in August of 2017, Interim Assessments will be performed with the HITRUST MyCSF. There will be an Interim Assessment processing fee of $2,900. The processing fee will be waived for organizations that have an active subscription to the HITRUST MyCSF.

Rationale

This change is to ensure the consistency and quality of work performed during an Interim Assessment and to increase the rigor and oversight by HITRUST, resulting in an increase in the level of assurance provided by the Interim Assessment and support for maintaining the HITRUST CSF Certification for the additional year.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program
Date: March 29, 2019
Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform External Assessor organizations about an extension to the qualification requirement for Assessor quality assurance (QA) personnel.

Assessor firm personnel who will perform the assessment QA review prior to submission to HITRUST will be required to complete an online course and pass a test to become a Certified HITRUST Quality Professional (CHQP). Only those individuals holding an active Certified CSF Practitioner (CCSFP) certification are eligible to become a CHQP. This course and test will be available online starting in May 2019.

This advisory only applies to the timeline for compliance with the Assessor firm QA reviewer qualification requirement. All other advisories will be enforced according to the dates listed in the advisories.

Rationale

This change is to ensure that Assessor firm personnel performing QA in support of HITRUST validated assessments understand the expectations of the role and can demonstrate this understanding by passing the exam. In addition, it ensures that all Engagement Executives have the required knowledge of the HITRUST CSF and HITRUST Assurance Program requirements.

The extension is being granted to allow Assessor firms enough time to get their resources trained after the course is made generally available by HITRUST.

Timetable for Implementation

Assessor firms have until July 31, 2019 to have a minimum of two (2) resources certified as CHQPs. All Validated Assessment submissions on or after August 1, 2019 will be required to have a QA review performed by a CHQP as evidenced by sign-offs on the Assessor Quality Checklist. Submissions after August 1, 2019 without proper CHQP involvement will be rejected by HITRUST.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program
Date: September 3, 2019
Advisory Type: Assurance Program Methodology

Policy/Program Change Details

The point values, or “weightings”, of the five levels of HITRUST’s PRISMA maturity model are changing. The below graphic shows the new weights:

  • Policy: reduced to 15 points.
  • Procedure: reduced to 20 points.
  • Implemented: increased to 40 points.
  • Measured: reduced to 10 points.
  • Managed: increased to 15 points.

Rationale

These updated weights better reflect the value that each maturity level brings to an organization’s risk management stance. For example, the increased weighting of the Implemented level (which is now worth double any other single level) aligns to the priority that mature organizations place on the implementation and operation of controls relative to other maturity levels.

Timetable for Implementation

The updated weights will be effective on all validated and self-assessment objects created on or after December 31, 2019. Assessment objects created prior to December 31, 2019 will continue to observe the current PRISMA attribute weights. Interim assessments performed after December 31, 2019 will observe the PRISMA weights in effect at time of performance of the original validated assessment.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program
Date: September 3, 2019
Advisory Type: Quality

Policy/Program Change Details

An upcoming enhancement to MyCSF will introduce automated quality checking of CSF assessment objects. Users of MyCSF will have the ability to run these checks at any time prior to submission of the object to HITRUST; however, the checks will be automatically run at each “hand off” of the assessment object, such as when an assessed entity submits the object to their assessor and when the assessor submits the object to HITRUST. Over 30 distinct quality checks will be included in this upcoming MyCSF enhancement.

All potential issues identified will be presented with a description of the issue, the flagged comment or scoring, recommendations on how to address it, and the option to override / accept the issue and provide an accompanying explanation. All potential issues will need to be addressed or accepted (with explanation) before the assessment can proceed to the next step.

Automated quality checks will be performed on validated assessments and self-assessments. Interim assessments will not be subject to these automated quality checks.

Rationale

This change is beneficial to the HITRUST CSF Assurance Program by:

  • Increasing the consistency of the HITRUST CSF assessment reports, as these checks are applied systematically to all validated and self-assessments in the same manner.
  • Increasing the quality of the output of HITRUST CSF assessments, as these checks will be performed against 100% of the requirement statements included in an assessment.
  • Reducing the amount of time elapsing between submission of an assessment to HITRUST and delivery of the draft report from HITRUST. Efficiencies are gained during HITRUST’s Quality Assurance review of submissions, as certain quality issues will be identified prior to submission of the validated assessment object to HITRUST.

Note that these automated quality checks have been in use for several months outside of MyCSF by HITRUST’s Compliance and Assurance teams; the move of checks into MyCSF and earlier into the assessment lifecycle will not replace the QA checks performed by HITRUST’s Assurance team against validated assessment objects.

Timetable for Implementation

This change will go live in MyCSF on December 31, 2019.

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST’s scoring rubric, which assists organizations and their assessors in assessment scoring level determinations, has been overhauled. Key changes include:

  • Definitions for assessment terminology, assessment examples and guidance on important concepts have been added.
  • Scoring lookup tables have been created for each of the five levels of HITRUST’s PRISMA maturity model (Policy, Procedure, Implemented, Measured, and Managed).
  • Replacement of qualitative terms such as none, some, and all with quantitative ranges.
  • Removal of ambiguous terms such as “management action” and “ad hoc”.

Rationale

The rubric has been enhanced to bring improved usability, added clarity, and better harmonization with the assessment guidance provided in HITRUST’s Risk Analysis Guide.

Timetable for Implementation

The updated scoring rubric will be made available for download at https://hitrustalliance.net/csf-assurance-related-programs/ on or before September 20, 2019.

Observance of the new rubric will be mandatory for assessment objects submitted and accepted on or after December 31, 2019. All validated assessments that are in progress and intend to observe the old scoring rubric must be accepted by HITRUST prior to December 31, 2019. Interim assessments performed after December 31, 2019 will observe the rubric in effect at time of performance of the validated assessment.

The term “Accepted” means successful check-in of an object. Submission of a validated assessment within MyCSF is the first step towards acceptance. After submission, the Assurance team performs certain quality checks; should any of these checks fail, the submission is reverted to the Assessor for remediation. Average acceptance time of a submission to HITRUST is one to three business days.

Since only validated assessments accepted prior to December 31, 2019 will be QA’d by HITRUST in observance of the previous scoring rubric, it is strongly recommended that Assessors work with their customers to ensure submissions in MyCSF are made with enough time to allow for HITRUST acceptance.

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 11, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST will soon release updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. This updated guidance will be posted no later than October 17, 2019 as updates to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology documents.

HITRUST has historically afforded the following two approaches for “External Assessors” (previously referred to as “HITRUST Authorized External Assessors”) to rely on the results of previously performed control testing:

  1. Inheritance of the results of other HITRUST CSF Assessments, and
  2. Reliance on audit reports and certifications issued by third-party auditors (such as SOC 2 Type II reports) that meet the requirements as established by the CSF Assurance program.

These updates clarify these two options by specifying associated timing, scope, and documentation requirements. External Assessors are encouraged to take particular note of the following new requirements that must be observed when placing reliance on a third-party audit report:

  • Both the External Assessor and HITRUST Services Corp. must be authorized recipients of the third-party audit report. Reliance cannot be placed on a third-party audit report that either HITRUST or the External Assessor is not authorized to receive.
  • When designing a reliance strategy, the External Assessor must map the applicable / scoped HITRUST CSF requirement statements to the controls / requirements tested in the third-party audit. In the absence of this mapping, the External Assessor cannot form a meaningful reliance strategy and lacks an adequate, demonstrable basis for reliance on the third-party audit report. To support HITRUST’s QA efforts, this mapping as well as the third-party audit report must be made available to HITRUST.

Rationale

These methodology updates are expected to:

  • Help highlight any over-reliance or unwarranted reliance on the work of other auditors and External Assessors.
  • Provide needed clarity and transparency around HITRUST’s expectations around timing, scope, and documentation when reliance is placed on the work of others.

Timetable for Implementation

Observance of these new reliance documentation requirements will be mandatory for assessment objects submitted and accepted on or after December 31, 2019.

The term “Accepted” means that HITRUST has confirmed to the assessor that all required documents were included in the submission. If documents are missing, the submission is reverted to the assessor for correction. Upon acceptance of a submission, the assessment object is added to the Assurance team’s queue to await full QA procedures. Average acceptance time of the submission process is one to three business days.

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 11, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST will soon release updates to the CSF Assurance Program which allow “External Assessors” (previously referred to as “HITRUST Authorized External Assessors”) to place reliance on the work of “Internal Assessors”. This updated guidance will be posted no later than October 17, 2019 as updates to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology documents.

The new role of “Internal Assessor” aids in the CSF Assessment process by performing in-house testing in advance of an External Assessor’s validated assessment fieldwork. Internal Assessors are in-house, contracted, or outsourced CCSFPs who are typically positioned within or engaged by an assessed entity’s Internal Audit Department, but they may be positioned within or engaged by any department that meets specific objectivity requirements and resource qualification requirements and is approved by HITRUST (through a defined application process).

Rationale

This methodology update creates opportunities for greater assessment efficiency and customer cost savings. This change is expected to bring several benefits to External Assessors and assessed entities. For example:

  • Assessed entities already performing robust pre-assessment testing in advance of their HITRUST CSF Validated Assessment can expect lower overall HITRUST CSF Assessment costs, as duplicate testing performed by their External Assessors can be reduced.
  • Internal personnel with deep knowledge of the organization’s internal controls (in groups such as Internal Audit, Risk Management, and Compliance) can now have a defined role in the overall HITRUST CSF Assessment process.
  • Assessed entities and their External Assessors now have more flexibility in fitting the HITRUST CSF assessment procedures into the assessed entity’s broader compliance activities.

Timetable for Implementation

Effective upon an individual’s recognition as an Internal Assessor assigned to an organization.

For more information, contact: support@hitrustalliance.net.