Managing Changes to Your HITRUST Certified Environment

Written by HITRUST | May 29, 2024 3:41:35 PM

For a HITRUST certification to be reliable, the corresponding report must accurately reflect the assessed scope and control environment. While each organization’s HITRUST report includes an accurate description of the environment at the time it is issued, HITRUST understands there are times when organizations must make changes to their certified environment based on business needs. For organizations to maintain an accurate reflection of the assessed scope and control environment within their HITRUST report, these changes must be reported to HITRUST. Based on the nature, timing, and impact of the change, HITRUST will provide the necessary steps for the organization to have those changes appropriately assessed. HITRUST’s goal through this process is to help each organization maintain an environment that meets the HITRUST certification requirements, and obtain a corresponding reliable and relevant certification report.

First, an organization should determine if the change is significant enough to impact its HITRUST certification. HITRUST considers a change significant when it is likely to impact the security or privacy posture of the Assessed Entity’s system(s), facility(s), or supporting infrastructure in scope of its certification. Examples of activities that might be considered a significant change include

  • Moving from an on-premises data center into a public cloud environment
  • Moving an in-scope facility to a different physical location
  • Decommissioning a data center and moving all assets to a different data center
  • Replacing in-scope platforms (e.g., moving from SAP to Oracle EBS)
  • Changing an in-scope system to use a different back-end system (e.g., using a NoSQL backend instead of a relational database)
  • Moving away from an outsourced IT model by standing up an internal IT function
  • Changes in responsibility for performance or oversight of the in-scope control activities (e.g., outsourcing, insourcing, change in service providers)
  • New functionality in an in-scope platform enabling it to be accessed from a public location
  • Acquisitions, divestitures, mergers, or other changes in control of an Assessed Entity where controls over in-scope systems are no longer being operated by the Assessed Entity that originally obtained the certified report or the entity that acquired substantially all the assets of the Assessed Entity

The aforementioned list is not comprehensive, nor does it mean that one of the above changes is definitively a significant change. There are other circumstances that can impact whether it is a significant change, notably whether the event results in a change in the security or privacy controls that were previously assessed.

An organization may, optionally, first consult with its External Assessor to discuss and receive feedback around any potential significant changes. Many External Assessors have experience working with HITRUST to understand how to properly identify a significant change and what may likely be the next steps.

Once an organization believes it has a significant change, it must notify HITRUST (support@hitrustalliance.net) to determine the next steps. HITRUST will review the circumstances, including the nature and timing of the change, to determine whether it impacts the current certification. If HITRUST confirms it is a significant change, the next steps provided by HITRUST may include

  • Request the organization engage with an External Assessor to provide a list of impacted HITRUST requirements as a result of the change. The impacted requirements would be those expected to be re-tested to validate that the HITRUST requirement continues to be met.
  • Upon HITRUST validation of the impacted HITRUST requirements, HITRUST will determine the method and timing by which these must be validated by an External Assessor. This could include testing those requirements within an interim assessment or a separate assessment object.
  • In certain instances, HITRUST may request the organization to perform a new assessment. In those situations, HITRUST requirement scores not impacted by the change may be inherited from the prior assessment into the new assessment.
  • For i1 certifications, an organization may not perform a Rapid Recertification if it has a significant change. The organization would need to perform a new i1 validated assessment.

Readiness and self-assessments

As noted above, HITRUST requirements impacted by a significant change will need to be re-validated by an External Assessor to confirm they continue to meet HITRUST certification criteria. An organization can prepare for this re-validation by taking the necessary steps to ensure it continues to meet the requirements reflected in its HITRUST assessment.

HITRUST encourages each organization to work with an External Assessor to first identify whether there is an impact to the control environment. Upon identification of the impacted controls, the organization should review and assess its policies, procedures, and implementation of those controls to validate they continue to meet the HITRUST requirements. The following are potential methods an organization can use to determine whether it continues to meet the HITRUST certification requirements.

Readiness assessments

Organizations may choose to perform an r2, i1, or e1 readiness assessment within MyCSF using the standard methodology, requirements, and tools provided under the HITRUST Assurance Program. A readiness assessment is useful for organizations to identify and remediate gaps in any new or changed scope and control environments.

Within a readiness assessment, the HITRUST requirement selection is identical to a validated assessment. The organization will select the CSF version they wish to use along with the assessment type. For an r2 assessment, the Assessed Entity will complete the risk-based scoping questionnaire, which will identify the necessary requirements for the assessment. For the e1 and i1 assessments, the requirements are pre-defined based on the CSF version that was selected.

Upon assessment generation, the Assessed Entity, or its designee, enters responses for each requirement statement and determines the compliance score for each maturity level. While similar to the validated assessment approach, a readiness assessment does not require an External Assessor to validate the scores. However, some organizations choose to have an External Assessor perform that validation for additional assurance. The Assessed Entity, or its designee, also may generate and/or respond to corresponding Corrective Action Plans (CAPs)/gaps within the assessment.

Once the Assessed Entity, or its designee, has determined and entered scores for the corresponding maturity level(s) across all requirement statements, the Assessed Entity may submit the populated MyCSF object to HITRUST for report generation. This is an optional step, as Assessed Entities may choose to perform the readiness work to identify their gaps and may not require the final report. HITRUST does not perform a quality assurance review of the results of a readiness assessment. Since readiness assessments do not undergo HITRUST quality assurance reviews and may not have been validated by an External Assessor, the corresponding reports will have a lower level of assurance than a validated assessment report.

Self-assessment and attestation

Organizations may also choose to perform an assessment of their changes without using a MyCSF readiness assessment. If an organization already has a HITRUST certification, it would review its current assessment report to identify the HITRUST requirements impacted by the change. HITRUST recommends that organizations use an External Assessor to assist with identifying those impacted requirements.

Using this method, the organization will then review and self-attest its compliance with each of the corresponding HITRUST requirements. Based on that self-attestation, the organization may be able to determine whether it continues to meet HITRUST certification requirements. However, please note that without entering the corresponding scores in MyCSF, an organization may not always be able to determine whether it achieved HITRUST certification thresholds if gaps in the control environment were identified. Similar to readiness assessments, these attestations will have a lower level of assurance than a validated assessment report since they do not undergo HITRUST quality assurance review and may not have been validated by an External Assessor.

Both the readiness assessment and self-assessment methods may be useful for an organization to identify its HITRUST level of compliance and potential gaps to be remediated as a result of a significant change until it is able to perform a HITRUST validated assessment.

While a significant change is something that organizations must address within their HITRUST certifications, HITRUST is here to provide the necessary path for organizations to maintain control environment compliance along with reliable and relevant HITRUST reports. For further information on significant changes, see Chapter 15.6 Significant Changes in the HITRUST Assessment Handbook.