By Michael Parisi, Vice President of Adoption, HITRUST
“Creating a HITRUST Compliance Culture” was a robust breakout session at HITRUST Collaborate 2021 conference. Hosted by myself (Mike Parisi of HITRUST), the panel discussion featured experts from three independent external HITRUST assessors—Ryan Patrick of Intraprise Health, Greg Vetter of RSM US, and Michael Kanarellis of Wolf & Company. Based on the panel discussion, our last blog (posted on January 6, 2022): “Adopting the HITRUST CSF Framework,” covered the benefits of implementing and using the HITRUST CSF framework. In Part 2 below, the discussion focuses on initiating proven buy-in methodologies that raise awareness and instill a strong compliance culture across an entire enterprise.
Getting Your Organization to Think About IT Security
Organizations don’t want their IT team to be the only ones thinking about information security; they want their entire ecosystem to consider data protection safeguards as they decide on the right digital systems and processes to deploy and use. Risk considerations don’t only include IT, but also involve Finance, Human Resources, Procurement, Operations, and other business functions, as well as the ever-important third-party vendor supply chain, which extends the risk management culture outside of the organization.
“A framework like HITRUST enables you to protect your vendor streams of activity,” says Vetter. “If you partner with a thousand vendors, each one may have several fourth-party and fifty-party vendors that share your data, and you need assurances of security across that entire ecosystem. Working with one framework like HITRUST is much easier than sending out and processing a thousand questionnaires. It’s also much easier for vendors to get HITRUST certified.”
“HITRUST also creates a common vocabulary,” Patrick adds. “You can compare one organization to another and map a vendor’s assessment to yours. This helps you understand where they’re at in security and privacy. Everyone speaks the same language and can understand the importance of understanding the security of third, fourth, and fifth parties, and beyond.”
How to Start
Key aspects of the HITRUST journey to consider from the start are getting executive buy-in and making sure someone with organizational clout will champion the effort. It’s also essential to work with an external assessor who can guide you through the best practices to follow and the pitfalls to avoid. Completing the HITRUST journey is well worth the effort in protecting your digital assets and those of your customers and business partners that overlap with your operations. It is also an extended journey that is likely to present roadblocks along the way, each of which could make your program more robust and your culture of security more authentic.
“Don’t do your assessment and then hire a validator,” warns Patrick. “External assessors do this every day and have extensive experience. You may not understand the requirements or how to establish the scope, which is the most important part of the journey.”
Vetter recommends laying out the project roadmap and pulling in all the stakeholders, including executives, business unit leaders, and IT management. “Get them on the same page,” Vetter recommends. “Communicate why the organization is using the HITRUST CSF, what the impact will be, what each stakeholder needs to do, and the cost. By laying out the framework for everyone to see, you will eliminate confusion that could delay the project down the road.”
How to Get Organizational Buy-in
Without buy-in across the organization, the effort to build a culture of security that matures your security posture will likely derail. “Invite the C-suite as well as the business continuity and incident response teams and other areas of the company that will be impacted,” says Vetter. “Before you do a readiness review with an external assessor, discuss all the areas of the business that will come into the scope. They need to know it’s a long journey.”
As far as the person who owns the project, Patrick says, “You need a passionate champion who can influence the organization. They need to be respected, able to make decisions, and have the power to allocate resources. It’s a significant emotional event that will stress the organization, so you need someone who can prioritize the work that people need to do to push the project forward.”
End-to-End HITRUST Solution Set
Using HITRUST helps establish a culture of compliance with a proven, consistent, end-to-end approach based on an integrated suite of solutions. You not only implement the HITRUST CSF framework, but you can also subscribe to the MyCSF SaaS best-best-in-class information risk management platform to interface with the CSF for performing information risk and compliance reporting, as well as facilitating formal assessments through the HITRUST Assurance Program. The HITRUST Assess Once, Report Many™ approach allows using a single assessment to support multiple reporting options based on a standard security assessment, such as for HIPAA, AICPA Trust Services Criteria, and NIST Cybersecurity Framework Compliance.
To mitigate whatever risks are most important to your organization, the free, downloadable HITRUST Threat Catalogue helps identify and tailor specific controls in the HITRUST CSF. For strengthening your third-party risk management activities, the HITRUST Assurance XChange is designed to streamline and simplify managing and maintaining risk assessments and compliance information from third parties.
By using the fully integrated and cohesive HITRUST Approach to information risk management throughout your organization, your internal and external stakeholders will come to recognize, understand, and appreciate the benefits and consistency that HITRUST offers.
Continuing the Journey
The journey to a mature security posture does not end following the completion of the initial HITRUST assessment. The process to nurture, grow, and enhance information security programs requires ongoing attention. That’s why HITRUST updates the CSF often to keep the framework up-to-date and relevant to meet an ever-evolving threat landscape and a changing set of Authoritative Source requirements. Other frameworks remain far more static over time, which often requires manual updates by users.
The HITRUST Collaborate panel closed the session by discussing what happens after an assessment is complete. Ideally, the person or team who owned the original project will continue ongoing monitoring and measuring the operating effectiveness of the security controls and the scope. This includes monthly or at least quarterly check-ins to confirm tasks such as access control reviews and firewall rules checks.
“Keeping the same person or team in charge will also smooth the way for the interim HITRUST assessment and the next validated audit,” says Kanarellis. “You don’t want to start all over again with a fire drill and have things fall through the cracks. That’s where a strong culture comes in—it helps you continue to keep the train on the track as you contend with new controls and as new technologies come into scope.”
For more on the importance of the HITRUST CSF in establishing a strong information security program, please review:
About the Author
Michael Parisi, Vice President of Adoption, HITRUST
Michael Parisi has led over 500 controls-related engagements and has extensive experience with third-party assurance reporting including HITRUST readiness, HITRUST certification, SOC 1, SOC 2, SOC 3, Agreed Upon Procedure, and customized AT-101 engagements. Michael is deeply involved with helping customers leverage the advantages of the HITRUST Assessment XChange for third parties. He has extensive knowledge of financial reporting and regulatory standards through his external audit and consulting experience, including Sarbanes Oxley, HIPAA, NIST, CMS, and state-specific standards. He is an active member of ISACA and IAPP.