Summary
HITRUST recognizes the challenges that assessed entities may be facing in completing their HITRUST CSF Validated Assessments and the subsequent possible impact of not maintaining HITRUST CSF Certification. The HITRUST CSF® Assurance Program, upon which certification is based, incorporates a number of mechanisms to ensure the assurances provided by a HITRUST CSF Validated Report are ‘rely-able’ when the report is issued, and remain ‘rely-able’ up until the time a report expires. Therefore, given the extent of degradation in the level of assurance over time, HITRUST is unable to extend the validity of a HITRUST CSF Certification past its two-year anniversary date.
HITRUST also recognizes that any solution addressing these challenges must maintain the integrity of the HITRUST CSF Assurance Program, introduce minimal additional costs and duplication of effort, and provide a reasonable level of assurance for anyone seeking to rely upon it.
The HITRUST CSF Bridge Assessment provides an interim solution to assist organizations in addressing these challenges, allowing assessed entities to demonstrate a continued level of control effectiveness and assert continued progress towards the next HITRUST CSF Validated Assessment.
Limitations of Forward-Looking Certifications
HITRUST’s forward-looking HITRUST CSF Certification provides value by providing appropriate assurance that an assessed entity’s scoped control environment will operate as intended over a specific period of time. As control environments and threats inevitably change over time, the assurances gained by an assessment will also lessen over time. This degradation of assurance is anticipated and factored into the HITRUST CSF Assurance Program’s assessment and quality assurance methodologies and underlying risk analysis model. The interim assessment, performed at the one-year anniversary of HITRUST CSF Certification, is designed to help ensure the assurances provided by certification can be reasonably relied upon through its second year up until the point of expiration. A new HITRUST CSF Validated Assessment must then be performed in order to provide reasonable assurances for another two years.
As a result, HITRUST cannot reasonably extend HITRUST CSF Certification past its two-year anniversary date and still provide the ‘rely-ability’ fundamental to the HITRUST CSF Assurance Program. HITRUST CSF Certifications aren’t alone in this regard; few—if any—other forward-looking information assurance mechanisms can be extended for periods greater than two years while still offering the meaningful assurances that stakeholders now expect.
HITRUST CSF Bridge Assessment
HITRUST has subsequently developed an approach that may be useful to some stakeholders under extraordinary circumstances in which a HITRUST CSF Certification holder is unable to complete their next HITRUST CSF Validated Assessment prior to the expiration of their existing HITRUST CSF Certification. A HITRUST CSF Bridge Assessment allows HITRUST CSF Certification holders to demonstrate a continued level of control effectiveness while making progress towards their next HITRUST CSF Validated Assessment.
To mitigate the excessive degradation in assurance that occurs at the end of a HITRUST CSF Certification period, 19 requirement statements will be randomly selected by the HITRUST MyCSF® platform from the entity’s previous validated assessment to serve as a HITRUST CSF Bridge Assessment. A HITRUST Authorized External Assessor will then test these requirement statements to confirm their maturity did not degrade since the previous assessment. This testing will be reviewed in an expedited manner by HITRUST and—barring indications of control degradation, significant changes in the environment, or significant QA issues—HITRUST will issue a HITRUST CSF Bridge Certificate. Once awarded this certificate, the assessed entity will have 90 days from the expiration date of the previous HITRUST CSF Certification to submit a completed validated assessment to HITRUST.
Important considerations related to HITRUST CSF Bridge Assessments:
- A HITRUST CSF Bridge Assessment object can be created in MyCSF at any time from 60 days prior to the existing HITRUST CSF Certification’s expiration through 30 days after the expiration date of the HITRUST CSF Certification.
- A HITRUST CSF Bridge Assessment object can be submitted to HITRUST no more than 30 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.
- The testing performed in the HITRUST CSF Bridge Assessment does not need to be performed again in the delayed validated assessment. In other words, HITRUST will not require re-testing of these 19 requirement statements.
- HITRUST CSF Bridge Assessment submissions from HIEs, HINs, and healthcare providers will be prioritized for QA until further notice.
- HITRUST’s anticipated processing time for a HITRUST CSF Bridge Assessment submission is two to three weeks.
HITRUST CSF Bridge Certificate
A HITRUST CSF Bridge Certificate is a forward-looking, temporary certificate issued by HITRUST that is valid for 90 days from the expiration date of the organization’s previous HITRUST CSF Certification. A HITRUST CSF Bridge Certificate adds value in providing a minimal but reasonable level of assurance that the entity’s scoped control environment is unlikely to have degraded materially since the last validated assessment and by indicating that the entity has committed to obtaining a HITRUST CSF Validated Report in the next 90 days.
Other important considerations related to HITRUST CSF Bridge Certificates:
- A HITRUST CSF Bridge Certificate is not a replacement for a HITRUST CSF Validated Report with Certification as it does not provide an equivalent level of assurance.
- A HITRUST CSF Bridge Certificate is also not an extension to an existing HITRUST CSF Certification (which still expires on the two-year certification anniversary).
- The 90 days covered by the HITRUST CSF Bridge Certificate are deducted from the new HITRUST CSF Certification’s two-year validity period.
Qualification Requirements
To qualify for a HITRUST CSF Bridge Assessment, assessed entities:
- Must have an active HITRUST CSF Validated Report with Certification,
- Are likely to miss their validated assessment submission due date, and
- Have not missed that due date by more than 30 days.
Not all entities holding an active HITRUST CSF Certification will need to perform a HITRUST CSF Bridge Assessment, as a HITRUST CSF Bridge Certificate is designed for missed-due-date scenarios caused by an ongoing emergency or crisis, such as the current COVID-19 pandemic. For entities facing such a scenario, a HITRUST CSF Bridge Certificate may afford necessary additional time. However, entities should not assume that HITRUST CSF Bridge Certificates will be universally accepted by business partners and regulators that demand continuous HITRUST CSF Certification status. Entities should consult with their stakeholders and relying parties to determine whether a HITRUST CSF Bridge Certificate will be accepted while they await receipt of a new HITRUST CSF Validated Report with Certification.
Timeline
HITRUST CSF Bridge Assessments will be available starting April 15, 2020. While HITRUST reserves the right to terminate this option without notice, we intend to make these assessments available through the calendar year 2020.
Organizations interested in undergoing a HITRUST CSF Bridge Assessment should contact their HITRUST Customer Success Manager and a HITRUST Authorized External Assessor.
More Information
Please see the HITRUST CSF Bridge Assessment Overview Deck for more information.
11/18/2020 Update: HITRUST has determined that the bridge assessment option will remain available until further notice. If this option is terminated, an advisory on the removal of this option will be communicated.