For a HITRUST certification to be reliable, the corresponding report must accurately reflect the assessed scope and control environment. While each organization’s HITRUST report includes an accurate description of the environment at the time it is issued, HITRUST understands there are times when organizations must make changes to their certified environment based on business needs. For organizations to maintain an accurate reflection of the assessed scope and control environment within their HITRUST report, these changes must be reported to HITRUST. Based on the nature, timing, and impact of the change, HITRUST will provide the necessary steps for the organization to have those changes appropriately assessed. HITRUST’s goal through this process is to help each organization maintain an environment that meets the HITRUST certification requirements, and obtain a corresponding reliable and relevant certification report.
First, an organization should determine if the change is significant enough to impact its HITRUST certification. HITRUST considers a change significant when it is likely to impact the security or privacy posture of the Assessed Entity’s system(s), facility(s), or supporting infrastructure in scope of its certification. Examples of activities that might be considered a significant change include
The aforementioned list is not comprehensive, nor does inclusion on it mean that one of the above changes is definitively a significant change. Other circumstances can affect whether a change is significant, notably whether the event results in a change to the security or privacy controls that were previously assessed.
An organization may, optionally, first consult with its External Assessor to discuss and receive feedback around any potential significant changes. Many External Assessors have experience working with HITRUST to understand how to properly identify a significant change and what may likely be the next steps.
Once an organization believes it has a significant change, it must notify HITRUST (support@hitrustalliance.net) to determine the next steps. HITRUST will review the circumstances, including the nature and timing of the change, to determine whether it impacts the current certification. If HITRUST confirms it is a significant change, the next steps provided by HITRUST may include
As noted above, HITRUST requirements impacted by a significant change will need to be re-validated by an External Assessor to confirm they continue to meet HITRUST certification criteria. An organization can prepare for this re-validation by taking the necessary steps to ensure it continues to meet the requirements reflected in its HITRUST assessment.
HITRUST encourages each organization to work with an External Assessor to first identify whether there is an impact to the control environment. Upon identification of the impacted controls, the organization should review and assess its policies, procedures, and implementation of those controls to validate they continue to meet the HITRUST requirements. The following are potential methods an organization can use to determine whether it continues to meet the HITRUST certification requirements.
Organizations may choose to perform an r2, i1, or e1 readiness assessment within MyCSF using the standard methodology, requirements, and tools provided under the HITRUST Assurance Program. A readiness assessment is useful for organizations to identify and remediate gaps in any new or changed scope and control environments.
Within a readiness assessment, the HITRUST requirement selection is identical to a validated assessment. The organization will select the CSF version they wish to use along with the assessment type. For an r2 assessment, the Assessed Entity will complete the risk-based scoping questionnaire, which will identify the necessary requirements for the assessment. For the e1 and i1 assessments, the requirements are pre-defined based on the CSF version that was selected.
Upon assessment generation, the Assessed Entity, or its designee, enters responses for each requirement statement and determines the compliance score for each maturity level. While similar to the validated assessment approach, a readiness assessment does not require an External Assessor to validate the scores. However, some organizations choose to have an External Assessor perform that validation for additional assurance. The Assessed Entity, or its designee, also may generate and/or respond to corresponding Corrective Action Plans (CAPs)/gaps within the assessment.
Once the Assessed Entity, or its designee, has determined and entered scores for the corresponding maturity level(s) across all requirement statements, the Assessed Entity may submit the populated MyCSF object to HITRUST for report generation. This is an optional step, as Assessed Entities may choose to perform the readiness work to identify their gaps and may not require the final report. HITRUST does not perform a quality assurance review of the results of a readiness assessment. Since readiness assessments do not undergo HITRUST quality assurance reviews and may not have been validated by an External Assessor, the corresponding reports will have a lower level of assurance than a validated assessment report.
Organizations may also choose to perform an assessment of their changes without using a MyCSF readiness assessment. If an organization already has a HITRUST certification, it would review its current assessment report to identify the HITRUST requirements impacted by the change. HITRUST recommends that organizations use an External Assessor to assist with identifying those impacted requirements.
Using this method, the organization will then review and self-attest its compliance with each of the corresponding HITRUST requirements. Based on that self-attestation, the organization may be able to determine whether it continues to meet HITRUST certification requirements. However, please note that without entering the corresponding scores into MyCSF, an organization may not always be able to determine whether it achieved HITRUST certification thresholds if gaps in the control environment were identified. Similar to readiness assessments, these attestations will have a lower level of assurance than a validated assessment report since they do not undergo HITRUST quality assurance review and may not have been validated by an External Assessor.
Both the readiness assessment and self-assessment methods may be useful for an organization to identify its HITRUST level of compliance and potential gaps to be remediated as a result of a significant change until it is able to perform a HITRUST validated assessment.
While a significant change is something that organizations must address within their HITRUST certifications, HITRUST is here to provide the necessary path for organizations to maintain control environment compliance along with reliable and relevant HITRUST reports. For further information on significant changes, see Chapter 15.6 Significant Changes in the HITRUST Assessment Handbook.