By Andrew Hicks, Healthcare & Life Sciences Practice Director, Coalfire
In our conversations with healthcare organizations about HITRUST CSF projects, we’ve heard excellent and thorough questions regarding our capabilities, experience, and other vital information. This is the vetting process that organizations must conduct to make the best decision for partnering with a HITRUST CSF assessor firm. Here are some best practices to consider when screening various HITRUST CSF assessor firms.
- What is their hourly rate? This is a good first question; use it as a litmus test to figure out where the firm sits in the landscape. This can also provide clues as to whether the partnership will be a good fit for your organization over the long term. HITRUST CSF certification is an area where you get what you pay for. You don’t want to have to bring in a second firm to properly scope or fix your certification project after it’s gone awry.
- How long have they been a HITRUST CSF assessor firm? Given the complex journey of a HITRUST CSF project, you’ll need to give serious consideration to the number of years the firm has been part of the assessor program. Seasoned assessor firms have learned the ins and outs of the program first-hand and can guide you accordingly.
- How many HITRUST CSF certifications have they worked on in the current year? As previously mentioned, you want to hire an experienced firm; you don’t want to work with a consultancy that is using your project to build out a service for their immature offering. While volume alone shouldn’t be the key decision point, it does give you an objective way to differentiate assessor firms.
- Of the projects they’ve worked on, how many of them are from organizations that share similar characteristics? This is an important question; you don’t want to select a firm that doesn’t have experience working with companies like your organization. Look at their background working with covered entities or business associates that may require specific technical expertise. Consider their experience with small, mid-market and enterprise organizations or other unique aspects such as working with organizations that have a limited security team size, which may require more resources.
- Are they willing to provide reference accounts? We highly recommend you conduct some reference interviews, ideally with organizations that share similar characteristics or face similar risk and security challenges. If they say they cannot provide specific client names for confidentiality reasons, ask them to arrange blind interviews where you don’t know which company is on the other end of the line.
- What is the background of the typical consultant and how many HITRUST CSF Practitioners are on staff? What is the skillset and history of the typical consultant? Will you get the same caliber of onsite consultant that was proposed in the scope of work? It is also important to get the background of the individual who is going to manage the overall engagement. This individual will be interfacing with your leadership and will essentially be the face of the project, so it is important to vet them as well. The number of practitioners tells you the level of commitment the firm has to the HITRUST CSF program and whether they have the availability to take on your project.
- What methodology do they use, and is there proven success with this process? You need to understand the process that enables the firm’s consultants. Do they have a mature process for delivering HITRUST CSF certification projects? Can they demonstrate this in full detail?
- Do they provide other valuable services that complement HITRUST CSF certification? Many business associates find that using a firm that also offers CPA services such as SOC reports, or technical testing, is a key differentiator. Time, cost, and security team productivity efficiencies can be realized by coordinating these efforts.
- Are they focused on cybersecurity or is their core competency elsewhere and they offer security on the side? Many organizations that are serious about security and want to take a proactive approach to risk as opposed to getting a ‘check in the box’ compliance-type assessment want to work with a best-of-breed firm that’s 100% focused on security. These firms employ deep expertise and domain experience that’s fully focused on security and IT risk.
- Do they have a library of expertise on HITRUST CSF subject matter? Ask them for links to event sessions where they presented HITRUST CSF content. Get links to white papers, case studies, blog posts, etc. they’ve written on the subject. Look for live and archived webinars for more expert content about HITRUST CSF certification. And of course, visit websites to gather details on each assessor firm.
- Do they offer services to more than the healthcare industry? If so, this can allow you to benchmark your security maturity level against not only other healthcare organizations but other more mature industries such as financial services or retail.