By Ken Vander Wal, Chief Compliance Officer, HITRUST.
One of the frequent questions we get from organizations is, “Do we need a comprehensive security assessment, or can we ‘get by’ with a baseline security assessment?” Having worked in the world of public accounting for a number of years, the answer you will often get back is, “It all depends.” Well, what does it depend on? It primarily depends upon your goal. Do you want to reduce risk, demonstrate compliance, or both?
The HITRUST CSF is a security framework with 135 security control specifications. Organizations should focus on implementing a complete, comprehensive security program, and to do so all 135 control specifications are applicable. The comprehensive security assessment option within the HITRUST MyCSF governance, risk and compliance tool provides the organization with assurance that it has considered all 135. It also provides added assurance that the organization has considered every addressable and required implementation specification in the HIPAA Security Rule. And lastly, it allows an organization to leverage the recently released guidance on AICPA SOC 2 and HITRUST CSF certification reporting (more on this later). Performing a comprehensive assessment therefore achieves both goals: reducing risk and demonstrating compliance.
So what assurances are provided in a baseline security assessment? HITRUST established a list of priority controls based on an analysis of breach data for the industry and input obtained from over 100 security professionals in healthcare. By implementing these controls, organizations mitigate the threats and exposures that are most likely to result in a breach. In terms of HIPAA compliance, a baseline security assessment can be used to minimally address each HIPAA Security Rule standard and implementation specification, including the standard on risk analysis. Additionally, a baseline security assessment helps an organization prioritize and focus its efforts in the short term; it does not suggest that the other controls need not be implemented. A baseline security assessment report, whether a self-assessment or a third-party validated assessment, is based upon this subset of controls (66 control specifications in the HITRUST 2016 CSF v8). An organization must implement these 66 control specifications to qualify for HITRUST CSF Certification. However, that is not all an organization needs to do: as noted above, a comprehensive security program should consider all the applicable HITRUST CSF controls, not just those required for certification.
As was recently announced, the AICPA and HITRUST collaborated to develop and publish a set of recommendations to streamline and simplify the process of leveraging the HITRUST CSF and CSF assurance programs for SOC 2®. This collaboration resulted in an option for a service auditor to express an opinion on whether the controls at the service organization being examined are suitably designed and operating effectively to meet the HITRUST CSF requirements in addition to the applicable trust services principles and criteria. It provides the service organization with a service auditor’s examination report that includes (1) an opinion on the fairness of the presentation of the description based on the description criteria in the AICPA SOC 2® guide, and (2) an opinion on the suitability of the design and operating effectiveness of the controls based on the applicable trust services criteria and the HITRUST CSF requirements. Since the opinion is based on all the HITRUST CSF requirements for security, it requires an assessment of all 135 security specifications. This is most efficiently accomplished by performing a comprehensive security assessment.
As one further item of note, a comprehensive assessment can also be used to obtain HITRUST certification. Although all the controls would have been assessed, only the 66 required for certification would be scored and used as the basis for issuing a validated or certified report.
So what assessment report is right for your organization? It all depends. A baseline security assessment provides a reasonable amount of assurance for a reasonable cost. A comprehensive security assessment provides a higher level of assurance as it relates to the overall information security protection program.
Ken Vander Wal is Chief Compliance Officer at HITRUST. He is a Certified Public Accountant and a Certified Information Systems Auditor, and a member of the American Institute of Certified Public Accountants and of the Information Systems Audit and Control Association (ISACA).