To communicate changes and/or clarifications to existing HITRUST CSF Assurance Program Requirements, HITRUST provides regular CSF Assurance Bulletins. These bulletins contain CSF Assurance Program advisory notices, and are highly recommended for External Assessor firms, Certified CSF Practitioners, and adopting organizations.

Please review each advisory below in its entirety to assess its impact on CSF implementation and assessments.

Summary of HITRUST Assurance Advisories 2019

Impacted Policy/Program Name: HITRUST CSF® Assurance Program

Date: January 15, 2019

Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the HITRUST CSF Assurance Program regarding the performance and documentation of the testing of control requirements for assessments.

HITRUST Authorized External Assessors are required to submit the following documentation with all validated assessments:

  • Test Plan that covers testing of all required controls. It must meet the minimum test plan requirements documented in the HITRUST CSF Assurance Program Requirements.
  • 100% of working papers. They must meet the minimum working paper requirements documented in the HITRUST CSF Assurance Program Requirements. We have attached a copy of the Assurance Program Documentation Requirements to this advisory.
  • HITRUST Authorized External Assessor Quality Checklist signed by the Engagement Executive and Assessor QA Resource. The Quality Checklist can be found in the HITRUST MyCSF and should always be downloaded from the HITRUST MyCSF to ensure use of the latest version. We have also attached a copy to this advisory.

Rationale

This change is to ensure the consistency and quality of assessment documentation, ensure compliance with the HITRUST Assurance Program requirements, and make the HITRUST QA process more efficient. The HITRUST Authorized External Assessor’s QA process should identify and address most issues prior to submission to HITRUST.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

  • HITRUST CSF Assurance Program Documentation Requirements
  • HITRUST Authorized External Assessor Quality Checklist

Impacted Policy/Program Name: HITRUST CSF® Assurance Program

Date: January 15, 2019

Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Assessor Organizations about a change to the assurance process regarding the number of qualified (CCSFP) hours required for validated assessments.

HITRUST Certified CSF Practitioner (CCSFP) resources must comprise 50% of assessment hours. This requirement is inclusive of QA hours.

Rationale

This change is to ensure the competency and quality of resources performing validation work.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program

Date: January 15, 2019

Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the assurance process regarding the documentation of the scope of the entity’s assessed environment.

HITRUST Authorized External Assessors must provide a verbose description of the assessed environment that includes both systems/products and facilities. This description must clearly define assessment boundaries. In addition to the verbose description, a summary table must be provided that further clarifies what is and is not included, so that any discrepancy can be resolved by reference to the definition. We have attached an illustrative example to this advisory.

Rationale

This change is to ensure the clear communication of the environment that was assessed to readers of HITRUST CSF Validated Assessment reports.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Scope Definition & Guidance

Impacted Policy/Program Name: HITRUST CSF® Assurance Program

Date: January 15, 2019

Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about changes to the qualification requirement for Engagement Executives and Assessor Quality Assurance (QA) personnel. It also reiterates the role of the Engagement Lead.

The first change is a requirement for both the Engagement Executive and the Assessor QA reviewer to be CCSFPs. Prior to this change, the Engagement Lead and either the Engagement Executive or the Quality Assurance Reviewer were required to be CCSFPs.

The second change focuses on the Assessor personnel who perform QA reviews prior to the submission of assessments to HITRUST. People in this role will be required to complete an online course and pass a test to become a Certified HITRUST Quality Professional (CHQP). This is in addition to the CCSFP requirement. Communication will go out once the online course and exam are available.

Attached to this advisory are additional details on the responsibilities of the Engagement Executive, QA Reviewer and Engagement Lead.

Rationale

This change is to ensure that Engagement Executives understand the HITRUST CSF Assurance Program and are able to perform an effective executive-level review. The requirement for Assessor QA reviewers to complete an online course is to ensure that reviewers understand the expectations of their role and can demonstrate their understanding by passing the exam.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Responsibilities of Engagement Executives, Quality Assurance Reviewers and Engagement Leads

Impacted Policy/Program Name: HITRUST CSF® Assurance Program

Date: January 15, 2019

Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST CSF Certified Organizations and HITRUST Assessor Organizations about changes to the interim review.

The Interim Review has been replaced with an Interim Assessment. The Interim Assessment differs from what has been known as the Interim Review by requiring:

  • Full testing of selected control requirements (INCREASED TESTING REQUIREMENT);
  • Rescoring of the tested control requirements (NEW);
  • Full QA of testing by HITRUST (INCREASED LEVEL OF EFFORT); and
  • For assess-only reports, full verification that the recreated assessment matches the assessment used for issuing the previous full report (NEW).

As a reminder and consistent with HITRUST Assurance Advisory 2017-01 issued in August of 2017, Interim Assessments will be performed with the HITRUST MyCSF. There will be an Interim Assessment processing fee of $2,900. The processing fee will be waived for organizations that have an active subscription to the HITRUST MyCSF.

Rationale

This change is to ensure the consistency and quality of work performed during an Interim Assessment and to increase the rigor and oversight by HITRUST, resulting in a higher level of assurance provided by the Interim Assessment and stronger support for maintaining the HITRUST CSF Certification for the additional year.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program

Date: March 29, 2019

Advisory Type: Assurance Requirements

Policy/Program Change Details

This bulletin is to inform External Assessor organizations about an extension to the qualification requirement for Assessor quality assurance (QA) personnel.

Assessor firm personnel who will perform the assessment QA review prior to submission to HITRUST will be required to complete an online course and pass a test to become a Certified HITRUST Quality Professional (CHQP). Only those individuals holding an active Certified CSF Practitioner (CCSFP) certification are eligible to become a CHQP. This course and test will be available online starting in May 2019.

Assessor firms have until July 31, 2019 to have a minimum of two (2) resources certified as CHQPs. All Validated Assessment submissions on or after August 1, 2019 will be required to have a QA review performed by a CHQP as evidenced by sign-offs on the Assessor Quality Checklist. Submissions after August 1, 2019 without proper CHQP involvement will be rejected by HITRUST.

This advisory only applies to the timeline for compliance with the Assessor firm QA reviewer qualification requirement. All other advisories will be enforced according to the dates listed in the advisories.

Rationale

This change is to ensure that Assessor firm personnel performing QA in support of HITRUST validated assessments understand the expectations of the role and can demonstrate this understanding by passing the exam. In addition, it ensures that all Engagement Executives have the required knowledge of the HITRUST CSF and HITRUST Assurance Program requirements.

The extension is being granted to allow Assessor firms enough time to get their resources trained after the course is made generally available by HITRUST.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program

Date: September 3, 2019

Advisory Type: Assurance Program Methodology

Policy/Program Change Details

The point values, or “weightings”, of the five levels of HITRUST’s PRISMA maturity model are changing. The new weights, shown in a graphic in the original advisory, are:

  • Policy: reduced to 15 points
  • Procedure: reduced to 20 points
  • Implemented: increased to 40 points
  • Measured: reduced to 10 points
  • Managed: increased to 15 points

Rationale

These updated weights better reflect the value that each maturity level brings to an organization’s risk management stance. For example, the increased weighting of the Implemented level (which is now worth double any other single level) aligns to the priority that mature organizations place on the implementation and operation of controls relative to other maturity levels.

Timetable for Implementation

The updated weights will be effective on all validated and self-assessment objects created on or after December 31, 2019. Assessment objects created prior to December 31, 2019 will continue to observe the current PRISMA attribute weights. Interim assessments performed after December 31, 2019 will observe the PRISMA weights in effect at time of performance of the original validated assessment.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program

Date: September 3, 2019

Advisory Type: Quality

Policy/Program Change Details

An upcoming enhancement to MyCSF will introduce automated quality checking of CSF assessment objects. Users of MyCSF will have the ability to run these checks at any time prior to submission of the object to HITRUST; however, the checks will be automatically run at each “hand off” of the assessment object, such as when an assessed entity submits the object to their assessor and when the assessor submits the object to HITRUST. Over 30 distinct quality checks will be included in this upcoming MyCSF enhancement.

All potential issues identified will be presented with a description of the issue, the flagged comment or scoring, recommendations on how to address it, and the option to override / accept the issue and provide an accompanying explanation. All potential issues will need to be addressed or accepted (with explanation) before the assessment can proceed to the next step.

Automated quality checks will be performed on validated assessments and self-assessments. Interim assessments will not be subject to these automated quality checks.

Rationale

This change is beneficial to the HITRUST CSF Assurance Program by:

  • Increasing the consistency of the HITRUST CSF assessment reports, as these checks are applied systematically to all validated and self-assessments in the same manner.
  • Increasing the quality of the output of HITRUST CSF assessments, as these checks will be performed against 100% of the requirement statements included in an assessment.
  • Reducing the amount of time elapsing between submission of an assessment to HITRUST and delivery of the draft report from HITRUST. Efficiencies are gained during HITRUST’s Quality Assurance review of submissions, as certain quality issues will be identified prior to submission of the validated assessment object to HITRUST.

Note that these automated quality checks have been in use for several months outside of MyCSF by HITRUST’s Compliance and Assurance teams; the move of checks into MyCSF and earlier into the assessment lifecycle will not replace the QA checks performed by HITRUST’s Assurance team against validated assessment objects.

Timetable for Implementation

This change will go live in MyCSF on December 31, 2019.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program

Date: September 3, 2019

Advisory Type: Assurance Program Methodology

Policy/Program Change Details

HITRUST’s scoring rubric, which assists organizations and their assessors in assessment scoring level determinations, has been overhauled. Key changes include:

  • Definitions for assessment terminology, assessment examples, and guidance on important concepts have been added.
  • Scoring lookup tables have been created for each of the five levels of HITRUST’s PRISMA maturity model (Policy, Procedure, Implemented, Measured, and Managed).
  • Qualitative terms such as none, some, and all have been replaced with quantitative ranges.
  • Ambiguous terms such as “management action” and “ad hoc” have been removed.

Rationale

The rubric has been enhanced to improve usability, add clarity, and better harmonize with the assessment guidance provided in HITRUST’s Risk Analysis Guide.

Timetable for Implementation

The updated scoring rubric will be made available for download at https://hitrustalliance.net/csf-assurance-related-programs/ on or before September 20, 2019.

Observance of the new rubric will be mandatory for assessment objects submitted and accepted on or after December 31, 2019. All validated assessments that are in progress and intend to observe the old scoring rubric must be accepted by HITRUST prior to December 31, 2019. Interim assessments performed after December 31, 2019 will observe the rubric in effect at time of performance of the validated assessment.

The term “Accepted” means successful check-in of an object. Submission of a validated assessment within MyCSF is the first step towards acceptance. After submission, the Assurance team performs certain quality checks; should any of these checks fail, the submission is reverted to the Assessor for remediation. Average acceptance time of a submission to HITRUST is one to three business days.

Since only validated assessments accepted prior to December 31, 2019 will be QA’d by HITRUST in observance of the previous scoring rubric, it is strongly recommended that Assessors work with their customers to ensure submissions in MyCSF are made with enough time to allow for HITRUST acceptance.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program

Date: September 11, 2019

Advisory Type: Assurance Program Methodology

Policy/Program Change Details

HITRUST will soon release updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. This updated guidance will be posted no later than October 17, 2019 as updates to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology documents.

HITRUST has historically afforded the following two approaches for “External Assessors” (previously referred to as “HITRUST Authorized External Assessors”) to rely on the results of previously performed control testing:

  1. Inheritance of the results of other HITRUST CSF Assessments, and
  2. Reliance on audit reports and certifications issued by third-party auditors (such as SOC 2 Type II reports) that meet the requirements as established by the CSF Assurance program.

These updates clarify these two options by specifying associated timing, scope, and documentation requirements. External Assessors are encouraged to take particular note of the following new requirements that must be observed when placing reliance on a third-party audit report:

  • Both the External Assessor and HITRUST Services Corp. must be authorized recipients of the third-party audit report. Reliance cannot be placed on a third-party audit report that either HITRUST or the External Assessor is not authorized to receive.
  • When designing a reliance strategy, the External Assessor must map the applicable / scoped HITRUST CSF requirement statements to the controls / requirements tested in the third-party audit. In the absence of this mapping, the External Assessor cannot form a meaningful reliance strategy and lacks an adequate, demonstrable basis for reliance on the third-party audit report. To support HITRUST’s QA efforts, this mapping as well as the third-party audit report must be made available to HITRUST.

Rationale

These methodology updates are expected to:

  • Help highlight any over-reliance or unwarranted reliance on the work of other auditors and External Assessors.
  • Provide needed clarity and transparency around HITRUST’s expectations around timing, scope, and documentation when reliance is placed on the work of others.

Timetable for Implementation

Observance of these new reliance documentation requirements will be mandatory for assessment objects submitted and accepted on or after December 31, 2019.

The term “Accepted” means that HITRUST has confirmed to the assessor that all required documents were included in the submission. If documents are missing, the submission is reverted back to the assessor for correction. Upon acceptance of a submission, the assessment object is added to the Assurance team’s queue to await full QA procedures. Average acceptance time of the submission process is one to three business days.

Impacted Policy/Program Name: HITRUST CSF® Assurance Program

Date: September 11, 2019

Advisory Type: Assurance Program Methodology

Policy/Program Change Details

HITRUST will soon release updates to the CSF Assurance Program which allow “External Assessors” (previously referred to as “HITRUST Authorized External Assessors”) to place reliance on the work of “Internal Assessors”. This updated guidance will be posted no later than October 17, 2019 as updates to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology documents.

The new role of “Internal Assessor” aids in the CSF Assessment process by performing in-house testing in advance of an External Assessor’s validated assessment fieldwork. Internal Assessors are in-house, contracted, or outsourced CCSFPs who are typically positioned within or engaged by an assessed entity’s Internal Audit Department, but they could be positioned within or engaged by any department that meets specific objectivity requirements and resource qualification requirements and is approved by HITRUST (through a defined application process).

Rationale

This methodology update creates opportunities for greater assessment efficiency and customer cost savings. This change is expected to bring several benefits to External Assessors and assessed entities. For example:

  • Assessed entities already performing robust pre-assessment testing in advance of their HITRUST CSF Validated Assessment can expect lower overall HITRUST CSF Assessment costs, as duplicate testing performed by their External Assessors can be reduced.
  • Internal personnel with deep knowledge of the organization’s internal controls (in groups such as Internal Audit, Risk Management, and Compliance) can now have a defined role in the overall HITRUST CSF Assessment process.
  • Assessed entities and their External Assessors now have more flexibility in fitting the HITRUST CSF assessment procedures into the assessed entity’s broader compliance activities.

Timetable for Implementation

Effective upon recognition of an Internal Assessor assigned to an organization.

Summary of HITRUST Assurance Advisories 2017

Impacted Policy/Program Name: CSF Assurance Program

Date: March 6, 2017

Advisory Type: Process Change

Advisory Details

This bulletin is to communicate a change in the assurance process regarding the processing of validated assessments and the time allowed to respond to a HITRUST Quality Assurance (QA) request.

After a validated assessment has been submitted, HITRUST responds within 24-48 hours with a QA Letter. This letter requests supporting evidence for those controls selected for QA, those controls that have been assigned a Measured/Managed score, and those controls marked as N/A. Supporting evidence should be provided within 14 days of the issuance of the QA Letter. If supporting evidence is not provided within that time frame, HITRUST will only issue a Readiness Assessment report in lieu of a validated report. No certification will be awarded.

Rationale

Establishing a deadline for receiving QA materials will help ensure a timely and efficient process for generating draft reports. As evidence is supposed to be gathered throughout the assessment process, submitting artifacts in support of a QA request should be a minimal effort. Assessor organizations that have gathered evidence throughout the effort should not be impacted by this advisory. The timely processing of a client’s assessment through QA is best achieved if the QA Letter is responded to promptly. Failure to respond in a timely manner may indicate that an assessor has not collected, nor is maintaining, adequate working papers in support of their assessments. This may lead to a conclusion that adequate validation has not occurred and may therefore result in the issuance of a Readiness Assessment report.

Timetable for Implementation

Immediate: This bulletin is a clarification to the existing process and will impact all assessments submitted to HITRUST as of the date of issuance of this advisory.

Impacted Policy/Program Name: CSF Assurance Program

Date: July 31, 2017

Advisory Type: Clarification

Advisory Details

This advisory is being issued to address situations where a service organization has decided to pursue both a SOC report and a HITRUST CSF Validated assessment report, and engages separate organizations to perform the work supporting the two reports. When this occurs and the HITRUST Authorized External Assessor organization intends to rely on a SOC report that was produced as part of an AICPA SOC engagement, there are certain considerations which should be addressed during engagement planning.

Rationale

First, determine if you are entitled to use the SOC Report:

Since SOC reports are limited distribution reports, the service organization (unless it is a user of its own service) and its HITRUST Authorized External Assessor organization are typically not intended users (user organizations) of a SOC report issued by the service organization that contains an independent opinion provided by the service auditor. For any organization to be an intended user of a SOC report, they have to be users of the service that is covered within the service organization’s SOC report. If the user organization and its HITRUST Authorized External Assessor are not intended users of the report, they cannot directly place reliance on the SOC report for purposes of testing to support a HITRUST CSF Validated assessment.

Next, determine if you can place reliance on the report if you are an intended user:

If, however, the user organization, and by extension its HITRUST Authorized External Assessor organization, are intended users of the SOC report, they may be able to place reliance on the SOC report. This reliance is subject to the understanding/expectation that in a HITRUST CSF assessment the control requirements are very prescriptive. So, for the assessor to rely on the SOC report, it would need evidence at that granular level of detail, both in the section that describes the controls and in the auditor’s section where the controls were tested and the results of those tests were disclosed. For example, simply having in the description that the service organization has password management policies and procedures, with the service auditor simply stating that it tested the password management system, would not suffice. The report would have to contain more detail, and the assessor organization would need to obtain a copy of the associated testing workpapers to support the operating effectiveness of the control for inclusion in its own workpapers, which is not a probable scenario in the marketplace. If workpapers are successfully obtained, the assessor organization must follow the professional standards that apply when relying on or reperforming the work of others, which include but are not limited to assessing the competency, objectivity, and independence of the firm that performed the SOC report work. The assessor organization would also have to draw its own conclusions on the evidence obtained through the execution of its own independent procedures.

Also, during the HITRUST QA process, HITRUST will ask for testing evidence in support of the certification. Responding to this request along the lines of “relied on the SOC 2 testing” would not be sufficient. HITRUST would need evidence that the SOC 2 testing included the level of detail and rigor discussed in the previous paragraph. Besides the testing workpapers, this may require the assessor organization to perform a walkthrough to verify its understanding, along with a reference to the specific description/tests performed by the service auditor. Even where its client is an intended user of a SOC report used to support a validated assessment engagement, the assessor organization must perform a level of due diligence and independent verification in line with the published assessor guidance. This would include determining whether the testing that was done for the SOC report was adequate and appropriate, given the scope of the assessment report, to address the HITRUST CSF requirement(s). It is also important for assessors to understand that even if they are an intended user of a SOC report as an extension of management, the intended use of that report must be appropriately understood in order for an assessor organization to rely on the report, which can be accomplished through a discussion with the service organization. Failure to abide by these rules may result in HITRUST not issuing a validated/certified report and could lead to sanctions being imposed on an assessor organization.

As a final consideration, and given the sensitivity of workpapers, the CPA organization will likely be reluctant to provide access to or copies of its workpapers to the HITRUST Authorized External Assessor organization. So where two different organizations are involved in producing a SOC report and a HITRUST CSF Validated assessment report, there will need to be discussions with service organization management about whether the sharing of testing procedures is an option.

Timetable for Implementation

Immediate: This bulletin is a clarification to the existing process and will impact all assessments submitted to HITRUST as of the date of issuance of this advisory.

Impacted Policy/Program Name: CSF Assurance Program

Date: August 24, 2017

Advisory Type: Process Change

Advisory Details

This bulletin is to communicate a change in the assurance process regarding the performance and processing of interim assessments.

In efforts to streamline the interim assessment process, HITRUST will be moving to an online process with the launch of MyCSF 2.0.

Rationale

Historically, assessors have had a great deal of latitude when it comes to the interim assessments for organizations that are HITRUST CSF Certified. As such, there has been a wide variance in the materials that are received in documentation of this assessment. By building the interim assessment into the MyCSF platform, HITRUST hopes to increase consistency in the documentation of results as well as provide increased efficiencies for Assessors and Assessed Entities.

Timetable for Implementation

Effective with the release of MyCSF 2.0. Assessed Entities will not need to comply with the new process until they are migrated into MyCSF 2.0.

Impacted Policy/Program Name: CSF Assurance Program

Date: September 12, 2017

Advisory Type: Assurance Requirements

Advisory Details

This bulletin is to remind assessor organizations about the expectations of the assurance process regarding the performance of testing of control requirements for assessments.

The validation process of the HITRUST CSF Assurance Program requires validation of all control requirements (100%) that are generated in an assessment based on the Assessed Entity’s risk factors. In addition, the expectation is that this testing be performed on site with a few exceptions. The exceptions are:

  • Reliance on a third-party attestation in lieu of testing
  • Inheritance of scores from a current validated assessment
  • Cases where an organization deploys a virtual workforce (work from home) and making a visit is impractical

HITRUST reserves the right to expand the QA process to include additional controls (up to 100%) and support for scores on a case-by-case basis at its sole discretion.

Rationale

This reminder is being issued due to feedback that some Assessors may be performing most, if not all, testing remotely, and that testing may not include 100% of the control requirements in an assessment. HITRUST takes the integrity of the assurance program seriously and will take steps to ensure that program requirements are being met in all cases.

Timetable for Implementation

Already effective per HITRUST CSF Assurance Program requirements.

Summary of HITRUST Assurance Advisories 2016

Impacted Policy/Program Name: CSF Assurance Program Requirements

Publication Date: January 12, 2016

Effective Date: Immediate. This bulletin is to clarify existing policy.

From: Ken Vander Wal, Chief Compliance Officer, HITRUST

Advisory Type: Requirement Clarification

Policy/Program Clarification Details

This bulletin clarifies the treatment of controls required for Certification in situations where certain controls are outsourced to a third party, and the impact of outsourced controls on a HITRUST CSF validated assessment.

Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, either supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.

Under no circumstances are outsourced controls or those supported by a third party considered “Not Applicable” when performing a CSF Assessment. All controls must be tested by an approved External Assessor, or the External Assessor must determine the controls have been satisfactorily tested by another independent party consistent with HITRUST CSF Assurance Program requirements. For example, External Assessors may be able to rely on a current CSF Certification report, CSF Validated Report, or a current SOC 2 report that is based on the HITRUST CSF criteria.

Rationale

HITRUST has seen a growing trend in the outsourcing of certain HITRUST CSF controls. In many instances, the validated assessment is submitted with the outsourced controls listed as “Not Applicable” or the External Assessors are being provided assessments performed with limited understanding of the scope, methodology, or assurance of the accuracy relating to the controls in question. HITRUST has been returning these assessments back to the External Assessor in order to perform the required testing and score the controls in question. HITRUST is releasing this bulletin to clarify the HITRUST CSF Assurance Program requirements related to the outsourcing of controls. This should allow External Assessors to more clearly communicate this requirement to their clients and prevent costly re-work related to outsourced controls.

Timetable for Implementation

Immediate: This bulletin is to clarify existing policy.

Impacted Policy/Program Name

CSF Assurance Program Requirements

Publication Date

January 12, 2016

From

Ken Vander Wal, Chief Compliance Officer, HITRUST

Advisory Type

Requirement Change

Policy/Program Change Details

This change will require submission of all corrective action plans that are REQUIRED for certification within 30 days of the posting of the corresponding draft report. Failure to submit the required corrective action plans within the 30-day timeframe will result in the report being issued final as VALIDATED and not CERTIFIED. The Letter of Certification included in the report will be replaced with a Letter of Validation.

Rationale

HITRUST’s policy is to issue a final report no later than 30 days after the draft report is posted. HITRUST cannot issue a final report in cases where there are REQUIRED corrective actions as a condition of CERTIFICATION without the required corrective action plans. HITRUST has been experiencing long delays and/or failures in receiving required corrective actions in a timely manner. This has had an adverse effect on HITRUST’s ability to achieve its desired SLA with regard to processing of these reports. It is believed that this new policy will encourage organizations to be more diligent and submit corrective action plans within the allotted timeframe.

Timetable for Implementation

Effective Date: January 15, 2016

Enforcement Date: April 1, 2016

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

January 12, 2016

Advisory Type

Requirement Change

From

Ken Vander Wal, Chief Compliance Officer, HITRUST

Policy/Program Change Details

This change adds CSF control 01.t Session Time-out to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. Failure to include CSF control 01.t after the 2016 release will prevent organizations from submitting their assessments for HITRUST validation and certification. This addition increases the total number of CSF controls required for HITRUST CSF certification from 64 to 65.

Rationale

HIPAA § 164.312(a)(2)(iii), an addressable implementation specification that requires organizations to “implement electronic procedures that terminate an electronic session after a pre-determined time of inactivity,” is currently supported by CSF control 01.h, Clear Desk and Clear Screen Policy, for the purpose of HITRUST CSF certification. Although CSF control 01.h requires the use of a protected screen and keyboard locking mechanism if a user is logged into a computer or terminal, CSF control 01.t more specifically addresses the intent of the language in the HIPAA specification.

Timetable for Implementation

Effective Date: Assessments generated with Version 8 of the HITRUST CSF

Enforcement Date: Assessments generated with Version 8 of the HITRUST CSF

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

January 12, 2016

Advisory Type

Requirement Change

Policy/Program Change Details

This change adds CSF control 01.e, Review of User Access Rights, to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. Failure to include CSF control 01.e after the 2016 release will prevent organizations from submitting their assessments for HITRUST validation and certification. This addition increases the total number of CSF controls required for HITRUST CSF certification from 65 to 66 after the addition of 01.t, Session Time-out, per HAA 2016-003.

Rationale

HITRUST has received numerous inquiries from healthcare organizations over the past several years about including the review of user access rights in the controls required for certification. “Recertification” of user access is a common, if not ubiquitous, item on internal and external audits and an essential component of privilege management. Recertification helps prevent “access creep” for workforce members who transfer from one position to another within an organization, as well as providing the organization with another check on the validity of the initial privileges granted to new workforce members and additional assurance that access for terminated workforce members has been revoked. Ensuring that only current workforce members have access helps reduce the overall attack surface for malicious cyber threat actors and further inhibits the ability of these malicious actors to escalate user privileges and subsequently maintain them if an account is successfully compromised.
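The rationale above describes three things a periodic access review is meant to catch: accounts belonging to terminated workforce members that are still enabled, privileges that accumulated through an internal transfer (“access creep”), and accounts with no current owner at all. The following Python script is an added example of such a review and is not HITRUST’s or MyCSF’s code; it assumes an HR roster and a directory export as simple in-memory records, and the role baselines, user IDs and entitlement names are constructed for illustration.

```python
"""
Periodic user access recertification check (added example, not HITRUST code).

Compares an HR roster (who is employed and in which role) against a directory
export (which accounts exist and what they hold) and returns findings for:
  * terminated_but_enabled : owner is no longer employed, account still enabled
  * excess_entitlements    : account holds rights outside its role baseline
                             (typical result of an internal transfer)
  * orphan_account         : enabled account with no HR record at all
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field


# Constructed role baselines: the entitlements each role is expected to hold.
# In practice these come from the organization's role definitions.
ROLE_BASELINE = {
    "nurse": {"ehr_read", "ehr_write"},
    "billing": {"ehr_read", "claims_read", "claims_write"},
    "it_admin": {"ehr_read", "ad_admin", "backup_admin"},
}


@dataclass
class HrRecord:
    user_id: str
    role: str
    status: str          # "active" or "terminated"


@dataclass
class Account:
    user_id: str
    enabled: bool
    entitlements: set = field(default_factory=set)


def review_access(hr_roster, accounts):
    """Return a list of findings; an empty list means nothing to recertify."""
    hr_by_id = {rec.user_id: rec for rec in hr_roster}
    findings = []
    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # Nobody in HR owns this account; it must be explained or disabled.
            if acct.enabled:
                findings.append({"user_id": acct.user_id,
                                 "issue": "orphan_account", "excess": []})
            continue
        if rec.status == "terminated":
            # Revocation check: a terminated user must not keep an enabled login.
            if acct.enabled:
                findings.append({"user_id": acct.user_id,
                                 "issue": "terminated_but_enabled", "excess": []})
            continue
        # Access-creep check: anything beyond the current role's baseline.
        excess = acct.entitlements - ROLE_BASELINE.get(rec.role, set())
        if excess:
            findings.append({"user_id": acct.user_id,
                             "issue": "excess_entitlements",
                             "excess": sorted(excess)})
    return findings


def run_sample():
    """Run the review over a constructed roster and directory export."""
    hr_roster = [
        HrRecord("alice", "nurse", "active"),
        HrRecord("bob", "billing", "active"),      # transferred from nursing
        HrRecord("carol", "nurse", "terminated"),
        HrRecord("erin", "it_admin", "active"),
    ]
    accounts = [
        Account("alice", True, {"ehr_read", "ehr_write"}),
        Account("bob", True, {"ehr_read", "ehr_write", "claims_read", "claims_write"}),
        Account("carol", True, {"ehr_read"}),
        Account("dave", True, {"ehr_read"}),       # no HR record
        Account("erin", True, {"ehr_read", "ad_admin", "backup_admin"}),
    ]
    return review_access(hr_roster, accounts)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Each finding is something a reviewer must either approve with a documented reason or remediate; the script only surfaces the candidates, and the approve/remediate decision and its evidence are what the control requires the organization to retain.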

Timetable for Implementation

Effective Date: Assessments generated with Version 8 of the HITRUST CSF

Enforcement Date: Assessments generated with Version 8 of the HITRUST CSF

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

August 3, 2016

Advisory Type

Requirement Change

Policy/Program Change Details

This advisory reminds External Assessor Organizations of the addition of CSF control 01.e, Review of User Access Rights, and CSF control 01.t, Session Time-out, to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. (See HAA 2016-003 and -004.) Failure to include CSF controls 01.e and 01.t will prevent organizations from submitting their assessments for HITRUST validation and certification against the CSF version 8 release. These two additional requirements increase the total number of CSF controls required for HITRUST CSF certification from 64 to 66.

Rationale

See HAA 2016-003 and HAA 2016-004.

Timetable for Implementation

Effective Date: 1 July 2016

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

August 3, 2016

Advisory Type

Requirement Change

Policy/Program Change Details

HITRUST policy has been to increase the number of controls required for CSF certification over time: 45 controls were required in 2009 for the initial release of the HITRUST CSF, and 66 controls are now required for certification against the v8 release. HITRUST has decided to accelerate the process of adding controls required for CSF certification and incorporate all 135 CSF security controls in CSF Categories 0 thru 12 within five (5) years. HITRUST organizations and assessors should plan for significant increases in the number of control requirements assessed for certification in all future releases until such time as all 135 controls are addressed.

Rationale

The level of due diligence required to obtain satisfactory assurances around an entity’s information protection program has changed significantly in recent years. Together with the increased use of the HITRUST CSF to support scorecards against external frameworks such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, combined HITRUST CSF and AICPA SOC 2 reporting, and cyber-insurance underwriting, this led HITRUST to recently commit to its Board of Directors to integrating all the HITRUST CSF control requirements into the certification process within five (5) years.

Timetable for Implementation

Immediate: This bulletin is to clarify existing policy.

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

August 3, 2016

Advisory Type

Modification

Policy/Program Change Details

Organizational risk factors were revised as follows:

Note the CSF implementation level that would be selected for an applicable CSF control is determined by one and only one of the multiple risk factors listed in the table for each healthcare vertical in the order of preference indicated. System risk factors generally only impact implementation level selection for system controls; however, regulatory factors can force selection of a higher implementation level for either organizational or system controls as previously discussed. Geographic scope (e.g., multi-state) is also retained.

Rationale

In August of 2014, as part of its ongoing maintenance of the CSF, HITRUST chartered an industry working group to examine the current risk factors and make recommendations for improvement if needed. Upon review, the working group determined that modifications to the volume-of-business measures in the organizational factors were needed.

The consensus of working group members was that a significant determinant of relative risk amongst organizations is the number of individual records that they hold and/or process, regardless of the class (or vertical) in which the organization resides. The rationale is based primarily on common use of the average cost of a breach per individual record compromised to estimate the costs of a specific breach. Further, the total number of individual records that could potentially be compromised then provides an estimate of the organization’s maximum exposure in the event of such a catastrophic breach.

However, since in HITRUST’s experience not all healthcare organizations can provide a precise estimate of the total number of individual records they hold, the working group decided to provide an alternative risk factor based on the number of individual records processed annually.

Timetable for Implementation

Effective Date: July 1, 2016 (when used with the CSF v8 Release or later)

Impacted Policy/Program Name

CSF Assurance Program Assessments

Date

August 3, 2016

Advisory Type

Clarification

Policy/Program Change Details

HITRUST will continue to accept and process validated assessments under CSF v7 until December 31, 2016, which is six (6) months after the release of CSF v8. It should be noted that once a new version of the CSF is released, any new assessments or changes to existing assessments will cause the assessment to update to the current/latest version of the CSF.

Rationale

HITRUST recognizes any increase in requirements, even one as small as 10% in the HITRUST CSF v8 release, may not have been considered when preparing for a CSF validated assessment. This grace period allows organizations that purchased assessments based on the CSF v7 controls or that may have already begun their assessments with CSF v7 to complete them.

Timetable for Implementation

Effective Date: July 1, 2016

Enforcement Date: December 31, 2016

Impacted Policy/Program Name

CSF Assurance Program

Date

August 3, 2016

Advisory Type

Clarification

Policy/Program Change Details

HITRUST continues to recommend that “readiness assessments” be conducted for an organization’s entire HITRUST CSF-based information protection program, i.e., against all 135 security controls as scoped to their environment rather than only those controls required for CSF certification.

Rationale

This will help ensure both the approved HITRUST Authorized External Assessor and the assessed organization are always aware of the status of the information protection program and can readily support a CSF controls assessment, regardless of type (e.g., a security assessment used for certification or a comprehensive security assessment used to generate a regulatory scorecard).

Timetable for Implementation

Immediate: This bulletin is to clarify existing policy.

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

August 3, 2016

Advisory Type

Guidance

Policy/Program Change Details

This advisory clarifies the treatment of controls required for certification in situations when certain controls are outsourced to a third party and they are inherited by the assessed entity.

Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, either supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.

All controls must be tested by an approved External Assessor, or the External Assessor must determine the controls have been satisfactorily tested by another independent party consistent with HITRUST CSF Assurance Program requirements. Where the testing involves inheriting the control from another HITRUST CSF Validated Assessment, the assessor should obtain the current status of the relied upon HITRUST CSF Validated Assessment to ensure it is still valid and in good standing. If that is the case, no further testing of the control should be required.

Rationale

HITRUST has seen a growing trend in the outsourcing of certain HITRUST CSF controls. Often this involves a hosting or third-party service provider arrangement. In order to keep the assessment process as efficient as possible, HITRUST has introduced the concept of inheriting validated controls from a hosting or service provider. This should streamline the validation that takes place for an organization that uses a participating hosting provider by only testing the controls the assessed entity is responsible for and not having to re-test controls that were previously validated by the host provider. The inheritance feature should also transfer the scores for these controls which will eliminate the manual transfer of scores and provide greater consistency of results. HITRUST is releasing this advisory to clarify the HITRUST CSF Assurance Program requirements related to the inheritance of controls.

Timetable for Implementation

Effective Date: Immediate

Impacted Policy/Program Name

CSF Assurance Program Requirements

Date

September 21, 2016

Advisory Type

Requirement Change

Policy/Program Change Details

Any assessment that is generated or updated after October 1, 2016, will include an Assessor timesheet. This timesheet must be filled out prior to submitting the assessment to HITRUST for processing. MyCSF will prevent submission if the timesheet is not completed. The timesheet will require assessors to list the name, CCSFP number (if applicable), and hours worked on the assessment for each assigned resource. This includes all resources that worked on the assessment and not just CCSFP resources. It will also require a resource be designated as the assessment lead and another as quality assurance reviewer.

Rationale

HITRUST CSF Assurance Program requirements stipulate that at least a third of hours worked on an assessment be performed by a CCSFP. In addition, Assessor organizations are required to demonstrate internal quality assurance processes as part of the approval to become an assessor organization. HITRUST will leverage this new functionality in MyCSF to ensure that all validated CSF assessments are performed consistent with the CSF Assurance Program and Approved Assessor Firm requirements.

Timetable for Implementation

Effective Date: October 1, 2016

Enforcement Date: Any new or refreshed assessments after October 1, 2016

Impacted Policy/Program Name

External Assessor Access to MyCSF

Date

December 15, 2016

Advisory Type

Policy Change

Policy/Program Change Details

This bulletin is to communicate some changes in policy regarding the access levels and functional capability of External Assessors within the MyCSF tool.

The first policy change deals with the test (scoping) objects available to External Assessors. External Assessor test objects will be moved to and created in the MyCSF Demo environment. The number of assessment objects in the Demo environment will be determined by the participation tier of the Assessor firm with large assessors receiving 50, medium assessors 25 and small assessors 10 test objects. These objects will expire after nine months and will no longer be exportable.

A related policy change removes External Assessors’ ability to export content from the Production MyCSF environment (the test objects that might previously have been used to do this are now in the Demo environment) unless they are working with a client that has purchased that capability. External Assessors requiring an electronic copy of an assessment to evidence the work that was performed may request that an electronic PDF copy be published to the MyCSF portal for archival purposes. Requests for archive copies of assessments can be made to support@hitrustalliance.net.

The last policy change addresses those engagements where External Assessors are assisting a client with a Readiness Assessment. Assessors can now be assigned to the Self-Assessment objects of their clients without the need for a client email address and additional MyCSF user ID.

Rationale

HITRUST has had numerous requests from External Assessors regarding increasing the number of test objects and having the ability to preview forthcoming releases of the HITRUST CSF. Implementation of this policy will afford Assessors the preview capability they desire and increase the number of assessment objects, while better enforcing the intended use of MyCSF test objects. Test objects in MyCSF assigned to External Assessors are limited to internal use only and are provided to allow for scoping and pricing of potential assessment engagements.

These changes will also allow External Assessor firms to better assist their clients with readiness assessments without having to create multiple IDs in MyCSF.

Timetable for Implementation

March 1, 2017

View the Frequently Asked Questions for this advisory.

Summary of HITRUST Implementation Advisories 2016

Topic

Malware

Subject

HHS FACT SHEET: Ransomware and HIPAA

Date

August 25, 2016

Advisory Type

Clarification

Summary

One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware. The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals.

To help healthcare entities better understand and respond to the threat of ransomware, the HHS Office for Civil Rights has released new Health Insurance Portability and Accountability Act (HIPAA) guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including:

  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
  • Implementing procedures to safeguard against malicious software;
  • Training authorized users on detecting malicious software and reporting such detections;
  • Limiting access to ePHI to only those persons or software programs requiring access; and
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

Some of the other topics covered in the guidance include: understanding ransomware and how it works; spotting the signs of ransomware; implementing security incident responses; mitigating the consequences of ransomware; and the importance of contingency planning and data backup. The guidance makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecure PHI must notify individuals whose information is involved in the breach, HHS, and, in some cases, the media, unless the entity can demonstrate (and document) that there is a “low probability” that the information was compromised.

Ransomware is a type of malware (malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data. Ransomware frequently infects devices and systems through spam, phishing messages, websites, and email attachments and enters the computer when a user clicks on the malicious link or opens the attachment.

Organizations need to take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.

The guidance can be found at: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.

[The entirety of the Advisory Summary is quoted from Jocelyn Samuels, Director, Office for Civil Rights, retrieved from an 11 Jul 2016 blog on the HHS Website at https://www.hhs.gov/blog/2016/07/11/your-money-or-your-phi.html.]

Related CSF Controls

HITRUST CSF Controls related to the requirements referenced in the Fact Sheet include but are not limited to 0.a, 01.a thru 01.y, 02.e, 03.a thru 03.d, 05.f, 06.d, 07.a, 08.j, 09.j, 09.k, 09.l, 09.o, 09.q, 09.aa, 09.ab, 10.m, 11.a thru 11.e, and 12.a thru 12.e.

HITRUST Comments / Recommendations

The HHS Fact Sheet describes ransomware attack prevention and recovery in the context of the HIPAA Security Rule. HHS’ guidance accordingly begins with the information security management program, specifically with the broad risk analysis required under the Rule that provides the basis for control design and/or selection. Although this would include all the controls implemented by an organization, HHS stresses antimalware protection and detection, user training, incident reporting, and access controls, all of which are covered in detail by the HITRUST CSF.

HHS also stresses that the risk analysis is intended to address all ePHI in the organization and all reasonably anticipated threats, not just those addressed by the HIPAA Security Rule’s standards and implementation specifications. This has general applicability beyond the scope of the Fact Sheet’s focus on ransomware and is yet another indication that simply addressing the Rule’s standards and implementation specifications does not, in and of itself, satisfy the risk analysis requirement. And this is why some CSF controls do not map directly to the HIPAA Security Rule, as they address threats not specifically addressed by the Rule. “The Security Rule simply establishes a floor, or minimum requirements, for the security of ePHI; entities are permitted (and encouraged) to implement additional and/or more stringent security measures above what they determined to be required by Security Rule standards” [emphasis added].

The Fact Sheet describes specific types of activities, e.g., robust data backup and disaster recovery planning, that will help mitigate the ransomware threat—the relevant CSF controls for which are identified in this advisory (above)—and identifies a series of five (5) steps that are consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity’s Core Functions: identify, protect, detect, respond and recover, which emphasize a cyber resilience rather than the traditional “protect and defend” approach to information security risk management. Leveraging the HITRUST risk management framework (RMF), including the HITRUST CSF and CSF Assurance Program, to implement this approach along with other recommendations from the NIST cybersecurity framework is the subject of the Healthcare Sector Cybersecurity Framework Implementation Guide, one of seven critical infrastructure sector guides available on the DHS US-CERT Cybersecurity Framework Website. How the HITRUST RMF addresses cyber resilience is the subject of a Deloitte article entitled, The Healthcare Cyber Shift: From prevention to threat detection and response.

Given that NIST IR 7298 r2 includes a security event that potentially jeopardizes the confidentiality of an information system in its definition of a security incident, it is no surprise that HHS takes the position that the mere presence of ransomware constitutes a potential breach of ePHI. Accordingly, HHS stresses in the Fact Sheet that a breach must be assumed until the organization can demonstrate a low probability of compromise as required by the HIPAA Data Breach Notification Rule, 45 C.F.R. 164.402(2). The Fact Sheet also provides clarification around the circumstances in which encryption would or would not prevent a ransomware incident from being a reportable breach under the Rule.

HITRUST recommends implementing organizations (1) review all relevant controls identified in this advisory to ensure they are fully implemented and adequately address the ransomware threat; (2) in particular, review their incident response procedures to ensure the steps outlined in the Fact Sheet for responding to a ransomware attack are addressed, especially the requirement to conduct post-incident activities; (3) ensure their user training specifically addresses the indicators of a ransomware attack provided in the Fact Sheet; and (4) verify their incident response procedures include a formal, documented risk analysis that specifically addresses the four (4) factors required by the HIPAA Data Breach Notification Rule, 45 C.F.R. 164.402(2)(i)-(iv), as well as the exceptions provided for data encryption as described in the Fact Sheet.

Additional Information / References

For more information, contact: support@hitrustalliance.net.