CSF Assurance Program and Certification FAQs
Does a CSF Assurance assessment weight all controls equally?
Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST CSF Validated or Certified Report. This is consistent with NIST guidance that allows for focused assessments to address specific issues or answer specific questions. “Organizations have maximum flexibility on how risk assessments are conducted and are encouraged to apply the guidance in this document so that the various needs of organizations can be addressed and the risk assessment activities can be integrated into broader organizational risk management processes” (NIST SP 800-30 r1, Guide for Conducting Risk Assessments, pg. ix). For purposes of certification, control selection is based on an analysis of breach data, leading practices and regulatory requirements (e.g., the HIPAA Security Rule).
With respect to the way an assessment is conducted, one control does not have more weight or importance than another. This is because, by definition, all the controls that the organization has determined it must implement—regardless of whether they were designed from a custom risk analysis or tailored from a control baseline by a supplemental analysis—must be implemented in order to manage risk to an acceptable level. But the HITRUST CSF Assurance Program only requires this level of “completeness” for purposes of certification and, even then, organizations can remove controls that do not apply to them or accept a small amount of risk for partial implementations of those that do.
HITRUST also encourages the prioritization of remediation activities based on relative risk by providing impact ratings and their relationship with each other with the inclusion of priority codes. Although examples have not yet been provided in the Risk Analysis Guide. HITRUST encourages organizations to modify the impact ratings based on an evaluation of their control environment and consider other factors, such as existing infrastructure, budget constraints and organizational culture when developing and prioritizing corrective actions.
For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors.
Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?
The best discussion of why one would choose the HITRUST CSF over ISO 27001 and NIST SP 800-53 is provided in an earlier FAQ, but to address the question about accepting one in lieu of another, we’ll need to expand a little further.
The biggest difference between the two certifications is what they intend to certify.
In the case of ISO 27001, the focus of the certification is on the information security management system (ISMS), which includes an evaluation of the information security risk assessment and treatment processes. However, “organizations can design controls as required, or identify them from any source” (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, they are not exhaustive and additional control objectives and controls may be needed” (Ibid., § 6.1.3.c, p. 4). And although the ISO assessor must produce a “Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A” (Ibid., § 6.1.3.d, p. 4), it doesn’t extend beyond what’s required in Annex A. Subsequently, organizations have wide latitude in the controls they specify to address the risks they identify at a level suitable to their risk appetite. ISO certification assessors also have some latitude in how they assess the effectiveness of the controls, and there is no quality control of the assessments other than a general requirement that consultants that help organizations prepare for ISO certification do not perform the certification assessment.
In effect, we’re left with the same problems that existed before the creation and implementation of the HITRUST CSF—which is actually structured on ISO 27001 and contains additional guidance from ISO 27002 and multiple other relevant authoritative sources such as HIPAA, NIST SP 800-53, CMS IS ARS, PCI DSS and the NIST Cybersecurity Framework—and its assessment through the HITRUST CSF Assurance Program: a lack of comprehensiveness and prescription in the control requirements; little or no U.S. healthcare industry context; lack of comprehensiveness related to regulations, legislation and other relevant requirements such as leading practice frameworks; and uncertain rigor and approach to the assessments including limited quality control.
The HITRUST CSF on the other hand provides a minimal baseline of comprehensive, prescriptive control requirements tailored to a healthcare organization’s specific organizational, system and regulatory risk factors. And the specific focus of HITRUST CSF Certification is on the maturity of this control baseline’s implementation using a specific, rigorous assessment approach and scoring model in order to gauge the level of excessive residual risk to ePHI in the organization. HITRUST also provides detailed assessment procedures for each control requirement, and ensures assessments are performed by an Authorized External Assessor Organization and requires each assessment undergo a quality assurance review to ensure accuracy and completeness before awarding certification.
As an example of how high-level control requirements can benefit from the context, comprehensiveness and rigor of the HITRUST CSF and CSF Assurance Program, one only has to look at the joint initiative between AICPA and HITRUST on using the HITRUST CSF to support SOC 2 assessments against the Trust Principles and Criteria. This ensures a standardized set of industry-relevant control requirements are identified for each criterion, and the assessment of these controls are conducted with a specific approach and level of rigor that provides relying entities, including regulators and other third parties, with accurate, consistent and repeatable assurances.
The best treatment on why one would choose the HITRUST CSF over ISO can be found in the risk framework analysis presented by HCSC and Children’s Health Dallas Selecting a Healthcare Information Security Risk Management Framework in a Cyber World. For more information on the HITRUST RMF, refer to the HITRUST RMF Whitepaper.
How often do I need to get a HITRUST CSF assessment report to support my third-party assurance requirements?
HITRUST CSF Validated Reports with Certification are valid for two years given the successful completion of an interim review (12 months after the date of the original assessment), and that no breach or significant changes have occurred relating to the scoped control environment. Validated Reports not resulting in certification are point-in-time reports.
For more information, refer to the HITRUST CSF Assurance Program Detailed Overview.
How can I use the CSF Assurance Program for third-party risk management?
The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in multiple ways, e.g., to support PCI SAQ development, the issuance of SOC 2 reports against specific AICPA Trust Services Criteria, or scorecards of HIPAA or NIST Cybersecurity Framework compliance. Organizations using the CSF Assurance Program for third-party risk management experience significant reductions in cost and level of effort required to evaluate third-party reports or issue their own reports to their own stakeholders, including business partners and regulators. This is the fundamental reason why several large healthcare entities have moved from simply accepting HITRUST Validated and Certified Reports to requiring them.
Does the CSF Assurance Program support an “assess once, report many” approach?
HITRUST has recognized for some time that the current model used in the industry for third-party Assurance is fraught with inefficiencies and unnecessary costs by requiring duplicative questionnaires and assessments, which tend to distract organizations from monitoring controls and remediating identified deficiencies. Organizations can streamline the compliance process and reduce costs with a standardized approach to performing assessments and reporting security controls by utilizing the HITRUST CSF Assurance Program. The tools and methodologies organizations utilize to complete assessments as part of the HITRUST CSF Assurance Program are built around the HITRUST CSF and allow organizations to assess and report against multiple sets of requirements. The result allows assessing organizations to undergo one assessment and report to multiple entities, providing the industry with a consistent and effective standard. In fact, several large healthcare entities now require their business associates to provide a HITRUST CSF Validated or Certified Report.
Are HITRUST assessments only useful for formal certification against the CSF?
Certification is only one of the ways the HITRUST CSF can be used. Not all organizations need to pursue certification, and validation will provide assurances that specific controls are implemented, which ones are not or may have been changed, and how well they are implemented. If an organization chooses not to implement a specific control requirement or address a requirement at a particular maturity level, this is simply identified in the assessment report. Relying entities can then decide whether or not the controls implemented by the organization meet their needs.
Organizations are free to assess specific controls for other purposes, such as FISMA compliance or audits of specific risk areas like access control. Other organizations may simply choose to view the CSF as a source of industry leading practices, which they would evaluate and determine whether they are appropriate for their organization. Such an organization could still conduct a formal self-assessment or retain an Authorized External Assessor Organization to evaluate the selected controls and receive a validated assessment report.
For more information, refer to the brochure on Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53 and the HITRUST CSF Assurance Program Detailed Overview.
Is the HITRUST CSF Assurance Program a one-size-fits-all approach?
As we’ve seen in other FAQs, the CSF is not a one-size-fits-all approach due to (1) an organization’s ability to tailor the initial selection of the control baseline in accordance with defined risk factors and (2) the requirement for additional tailoring based on unique threats, their specific environment, and the use of alternate controls. HITRUST simply requires organizations to justify their decisions to eliminate or modify the baseline.
The HITRUST CSF Assurance Program is no different. The only impact tailoring may have is the ability to receive a HITRUST Validated Assessment Report with certification as controls must meet certain implementation requirements (scores) for required controls. A HITRUST Validated Assessment Report without certification will provide the same level of assurance for the selected controls, while providing the transparency needed for those controls that were modified or not selected. The HITRUST CSF Assurance Program subsequently provides a common, consistent and repeatable means of assessing all types of organizations and sharing assurances with internal and external stakeholders, including regulators.
For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure.
Can assessors use sampling to improve the efficiency of the assessment?
Yes, provided it follows the guidance outlined in the HITRUST CSF Assessment Methodology brochure.
Does CSF Assurance take a compliance-based approach to information protection?
From its inception, HITRUST chose to use a risk-based rather than a compliance-based approach to information protection and help mature industry’s approach to safeguarding information. By integrating NIST’s moderate-level control baseline into the CSF, which is in turn built upon the ISO 27001:2005 control framework, HITRUST leverages the comprehensive threat analyses employed by these frameworks to provide a robust set of prescriptive controls relevant to the healthcare environment. The CSF also goes beyond the three baselines for specific classes of information and provides multiple control baselines determined by specific organizational, system, and regulatory risk factors. These baselines can be further tailored through formal submission, review, and acceptance by HITRUST of alternative controls, what PCI-DSS refers to as compensating controls, to provide the industry with additional flexibility in the selection of reasonable and appropriate controls while also providing assurance for the adequate protection of sensitive information.
Traditional risk analysis guidance (e.g., from HHS) can subsequently be modified to support the use of a comprehensive control framework—built upon an analysis of common threats to specific classes of information and common technologies—as follows:
- Conduct a complete inventory of where ePHI lives
- Perform a BIA on all systems with ePHI (criticality)
- Categorize and evaluate these systems based on sensitivity and criticality
- Select an appropriate framework baseline set of controls
- Apply an overlay based on a targeted assessment of threats unique to the organization
- Rank risks and determine risk treatments
- Make contextual adjustments to likelihood and impact, if needed, as part of the corrective action planning process
- Evaluate residual risk: likelihood based on an assessment of control maturity and impact based on relative (non-contextual) ratings
Because the HITRUST CSF provides a risk-based approach to information protection and compliance, organizations of varying risk profiles can customize the security and privacy control baselines through a variety of organizational, technical, and compliance risk factors.
For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors.
What methods are used to evaluate the effectiveness of CSF controls?
The HITRUST assessment methodology specifically requires:
- Authorized External Assessor Organizations to gather and examine documentation (e.g., policies, procedures, records, logs, vulnerability assessment reports, risk assessment reports)
- Examine configuration settings, physical surroundings, processes and other observable information protection practices
- Conduct interviews with the control owners
- Perform system tests to validate the implementation of controls, as applicable
Technical testing by the external assessor is encouraged but not always necessary. Reliance on third-party audit reports or testing performed by authorized third-parties is permissible in certain cases as well.
Does HITRUST rely too heavily on the Authorized External Assessor Organization’s opinion of control effectiveness?
Authorized External Assessor Organizations and auditors generally determine control effectiveness regardless of what controls are specified, albeit there is usually a negotiation between them and the organization before the final report is issued.
However, external assessors actually have more leeway in assessing the effectiveness of an organization’s controls—and actually determining what those controls should be—when a framework like the HITRUST CSF is not used. Before an external assessor can become a HITRUST Authorized External Assessor organization, it undergoes a vetting process for their assessment methods and the experience and qualifications of its staff. They are also required to adhere to HITRUST guidelines for CSF assessments, and each Validated Assessment undergoes a quality review by HITRUST to ensure consistency and repeatability regardless of the Authorized External Assessor Organization doing the work.
For more information, refer to the External Assessor Datasheet.
Does the use of alternate controls diminish the value of HITRUST Certification?
Alternate (or compensating) controls, by definition, mitigate a similar type and amount of risk as the control it’s intended to replace. This is illustrated in the Risk Analysis Guide for HITRUST Organizations and Assessors by an example proposing the extension of password expiration to one year by increasing the complexity of the password. Part of that analysis is to evaluate the impact on related controls or other unintended consequences, such as the effect of extending password expiration on a key logger vulnerability. Although this is a quantitative example based on entropy calculations, other controls may require a quasi-quantitative or qualitative approach to the risk analysis.
Alternate controls may be developed and implemented by a single organization, or the alternative may be applied broadly across the industry if submitted and approved by the HITRUST Alternate Controls Review Committee. Review by the Committee ensures the control adequately addresses a similar type and amount of risk; however, alternate controls that are not approved must be evaluated by the assessor organization to verify the analysis, which is documented in the HITRUST assessment report. Thus, alternate controls provide organizations additional flexibility in selecting and implementing controls without impacting the organization’s overall risk posture or the value of CSF Certification.
For more information on alternate controls, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.
Do HITRUST Certification programs provide safe harbor in the event of a breach?
Certification is not required by any regulatory body, nor has any regulatory body sanctioned certification as a mechanism to provide safe harbor in the event of a breach. This is true not just for the HITRUST CSF but for other standards and frameworks as they apply to regulatory compliance requirements (e.g., NIST, ISO, and PCI). However, OCR recently stated that credentialing/accreditation programs like the CSF can help organizations build strong compliance programs. “OCR considers mitigation and aggravating factors when determining the amount of a civil monetary penalty, and these include the entity’s history of prior compliance. An entity with a strong compliance program in place, with the help of a credentialing/ accreditation program or on its own, would have that taken into account when determining past compliance.”
Certification is one of the best ways regulators have to determine if an organization has made a good faith effort to meet their legal and regulatory requirements (i.e., provide a mitigating factor when considering financial penalties or other punitive or corrective actions). A HITRUST Certification can convey to third parties (e.g., regulators, auditors, business partners, customers) in a standard, structured and clear way that controls are in place, to what level they are applied, and how they were chosen, including any risk management decisions for risk acceptance or the use of alternate (i.e., compensating) controls.
For more information on risk vs. compliance, refer to the HITRUST whitepaper Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection.
How does a CSF assessment meet the HIPAA requirement for a risk analysis, and can it be used to support an OCR audit?
HITRUST bases its framework on how risk management is defined, i.e., the process of managing risk to organizational operations, organizational assets or individuals resulting from the operation of an information system (the definition of which is quite broad), and includes (1) the conduct of a risk assessment, the implementation of a risk mitigation strategy, and employment of techniques and procedures for the continuous monitoring of the security state of the information system.
The conduct of a risk assessment and the implementation of a risk mitigation strategy (through the application of security controls) is generally the focus of OCR audits. Note the terms risk assessment and risk analysis are considered synonymous by the U.S. government, so the risk assessment is for all intents and purposes the risk analysis required under the HIPAA Security Rule.
HHS describes the risk analysis process as follows:
- Scope the assessment to include all ePHI
- Identify & document all assets with ePHI
- Identify & document all reasonably anticipated threats to ePHI
- Assess all current security measures
- Determine the likelihood of threat occurrence
- Determine the potential impact of a threat occurrence
- Determine the level of risk
- Document assigned risk levels and corrective actions
Using this process would require the complete enumeration of threat-vulnerability pairs and the design of controls to address these pairs, an exercise that is typically beyond the capability of many organizations, especially in the private sector. In fact, the U.S. government doesn’t use this approach either.
Instead, federal civilian agencies rely on the application of a control-based risk management framework developed by NIST, the controls for which are specified for three different levels of sensitivity and criticality of information: low, moderate and high. The assumption is that NIST has performed the underlying threat and vulnerability assessments necessary to support a “standard” risk analysis for these common types of information for common types of threats against a common type of organization (in this case, a federal agency).
Consistent with the ‘flexibility of approach’ provided under 45 CFR § 164.306(b), HITRUST leverages the same type of approach in the HITRUST CSF the federal government uses. By using the international security standard, ISO 27001, as the basis of the CSF control structure and incorporating relevant regulations, standards and leading practices such as HIPAA, ISO 27002, and NIST SP 800-53, respectively, and some state-level and international requirements, the CSF provides a comprehensive set of harmonized controls relevant to the healthcare industry. With the assistance of the healthcare industry, these requirements were further refined and separated into three levels of implementation and specific categories for special types of organizations or information (e.g., CMS contractors or FTI custodians). Their selection is then dependent upon specific organizational, system and regulatory risk factors, which results in multiple control overlays as defined by NIST, and the overlay becomes the initial control baseline for that organization.
HITRUST modified the HHS risk analysis process to accommodate this control framework-based approach as follows:
- Conduct a complete inventory of where health information ‘lives’
- Perform an impact analysis on all systems with health information (criticality)
- Categorize & valuate systems based on sensitivity & criticality
- Select an appropriate framework baseline set of controls
- Apply an overlay and/or tailor based on a targeted risk analysis
- Evaluate residual risk using control maturity & impact ratings
- Rank risks and determine risk treatments
- Make contextual adjustments to likelihood & impact, if needed, as part of the corrective action planning process
HITRUST also encourages organizations to further tailor their control selection (their overlay) based on risks unique to the organization with respect to the criteria for the selected baseline, identify gaps in the protections specified and risks managed by the baseline controls, and then select or design additional controls or enhancements as needed.
It’s important to note that what has been discussed here is relevant to the risk analysis required by HIPAA and of course the implementation of an organization’s entire information protection program. However, this is not the same as the security assessment used by HITRUST for the purposes of certification and the sharing of assurances with third parties. NIST allows for targeted assessments to address specific questions an organization may have, which in the case of HIPAA compliance would mean assessing the CSF requirements that map the Security Rule’s standards and implementation specifications.
However, HITRUST’s goal—and the goal of many, if not most—healthcare organizations is to achieve the best trade-off between the costs incurred in examining all the controls that support the Security Rule requirements and the level of assurance around the state of compliance that the assessment provides. Obviously assessing all the controls in the CSF would provide the highest level of assurance but cost the most, and assessing none of the controls would cost the least but provide no assurance. HITRUST’s subset of controls required for CSF Certification provide a “sweet spot” between cost and assurance by addressing each and every one of the Rule’s requirements, including the requirement for risk analysis through the use of the HITRUST risk management framework to help specify an organization’s target profile based on their organizational, system and regulatory risk factors.
DHHS specifically references HITRUST and the CSF with respect to risk management and risk assessment in its Guidance on Risk Analysis Requirements under the HIPAA Security Rule. And although OCR does not endorse “any particular credentialing or accreditation program,” an OCR spokesperson stated the following: “We certainly encourage covered entities and business associates to build strong compliance programs internally. Many of these credentialing/accreditation programs can help them do so. OCR considers mitigation and aggravating factors when determining the amount of a civil monetary penalty, and these include the entity’s history of prior compliance. An entity with a strong compliance program in place, with the help of a credentialing/accreditation program or on its own, would have that taken into account when determining past compliance.”
Implementation of the CSF as the basis for an organization’s information protection program and subsequent use of HITRUST CSF Validated or Certified Assessments has also been accepted by OCR as evidence of their compliance with the HIPAA Security Rule, assuming the assessment addresses the appropriate scope relevant to OCR’s audit or investigation. The HITRUST CSF and CSF Assurance Program have also been used in resolution agreements with OCR.
For more information on risk analysis, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors. A complete mapping of the HITRUST CSF to the HIPAA Security, Data Breach and Privacy Rules can be found in a spreadsheet provided in HITRUST’s downloadable CSF package via the License Agreement landing page. The article from which the OCR spokesperson was quoted can be found on the Healthcare Information Security Website.
If I’m HITRUST CSF certified, does that mean I’m HIPAA-compliant?
To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of ePHI against all reasonably anticipated threats. In practice, organizations that want to demonstrate HIPAA compliance must generally show that they have addressed each standard and implementation specification in the Security Rule, including risk analysis.
Unfortunately, the HIPAA Security Rule’s numerous standards and implementation specifications for administrative, technical and physical safeguards, despite what the terms imply, lack the prescription necessary for actual implementation by a healthcare organization. However, this approach was necessary as no two healthcare organizations are exactly alike, which means no single set of information protection requirements could possibly apply across the entire industry. In other words, one size truly does not fit all.
Regardless, this lack of prescription, along with a general lack of guidance from HHS on how organizations should interpret “reasonable and appropriate safeguards” and “adequate protection” resulted in wildly varying information protection programs amongst healthcare entities, including those of similar size and scope. Yet all these organizations likely believed they were “HIPAA compliant” because they had done something around each of the HIPAA standards and implementation specifications. By checking the box against the general requirements in the Rule’s implementation specifications, organizations subsequently checked the box—albeit inappropriately—for the risk analysis without actually conducting one.
OCR has publicly stated that it would not accept an assessment based on the original OCR Audit Protocol, which addressed each of the Security Rule’s standards and implementation specifications, as a valid risk assessment as required under the Rule. Further, an analysis of NIST SP 800-66’s mappings to NIST SP 800-53 indicates that the Security Rule’s standards and implementation specifications do not map to many of the controls in the baseline, which indicates that the Rule’s standards and implementation specifications do not address all reasonably anticipated threats as required by the Rule.
The position that simply focusing on the HIPAA standards and implementation specifications will not yield a valid risk analysis also appears to be supported by HHS, which states in their Guidance on Risk Analysis Requirements under the HIPAA Security Rule that “Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.” Implementing the standards and specifications will not ensure compliance with the risk analysis requirement; but a risk analysis will help ensure compliance with the standards and implementation specifications.
Subsequently, we address the risk analysis requirement in a separate FAQ and compliance with the remaining requirements here.
To fully address the Rule’s standards and specifications, organizations must design or select multiple information security controls to provide the level of prescription necessary for implementation in the system or within the organization. For example, HIPAA § 164.312(a)(2)(iii) states organizations should “implement electronic procedures that terminate an electronic session after a pre-determined time of inactivity.” It’s left to the organization to decide how much time must lapse before terminating the session. But what’s appropriate? Five minutes? Ten? Thirty? Another example is HIPAA § 164.312(b), which requires organizations to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” What types of mechanisms are appropriate? What type of activity should be logged? Who should have access to the logs? How long are the logs retained? An organization must ask and answer these types of questions thoroughly for each standard and implementation specification if they are to adequately address the threats for which these safeguards were designed.
The HITRUST CSF helps healthcare organizations address these questions by providing an extensive mapping of the CSF controls to the HIPAA Security Rule’s standards and implementation specifications, many of which are mapped to multiple controls. And the CSF controls themselves consist of multiple, specific requirements contained in multiple levels. By implementing the HITRUST CSF control requirements that are applicable to an organization based on its specific organizational, system and regulatory risk factors, each and every standard and implementation specification in the Security Rule is addressed in a very complete and robust way.
To provide the most complete assurances that the HIPAA Security Rule’s standards and implementation specifications have been addressed, organizations may conduct a comprehensive assessment of all their applicable CSF requirements in MyCSF, HITRUST’s online, GRC-based assessment tool. However, organizations may also use a baseline assessment used for CSF Certification as part of the HITRUST CSF Assurance Program to provide reasonable assurances the organization has satisfied the Rule’s requirements. This is because the assessment addresses 65 high-risk controls (out of a total of 135 for security) that map to each and every standard and implementation specification in the Rule.
For more information on the use of targeted assessments like the baseline assessment for CSF Certification, refer to the FAQ on risk analysis. For additional information on risk vs. compliance-based assessments, refer to the guide to Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection. A complete mapping of the HITRUST CSF to the HIPAA Security, Data Breach and Privacy Rules can be found in a spreadsheet provided in HITRUST’s downloadable CSF package via the License Agreement landing page.
How many organizations have completed a HITRUST CSF assessment?
38,000 CSF assessments have been performed in the last three years with 15,000 CSF assessments in 2015 alone. HITRUST anticipates a continued demand for CSF Certification due to third-party assurance requirements from several major health organizations and requests for combined CSF-SOC 2 reports.
For more information, refer to the HITRUST C-level overview.
Is a HITRUST CSF Validated Assessment more expensive than comparable assessments?
No, and this is a common misconception. In many cases the overall assessment costs associated with information security and privacy assessments conducted under the HITRUST CSF Assurance Program are less than other comparable third-party assessments. The alignment between the HITRUST CSF and CSF Assurance programs allows a single CSF assessment report to support multiple objectives, such as a HIPAA risk assessment, an assessment and certification against the NIST Cybersecurity Framework, and AICPA SOC 2® reports. In addition, the same report can be accepted by multiple external parties (such as business partners, government agencies), thereby reducing the costs in comparison with the multiple assessments organizations must normally support.
For a fair comparison of costs, one should consider various factors such as:
- Scope of the assessment: Are both assessments reviewing the same scope?
- Applicability of the control requirements to the environment: Are the controls requirements applicable to the organization or scope of assessment? Are they prescriptive and do they take into account relevant risk factors?
- Ability to audit: Does the framework have audit procedures to ensure consistency of assessment?
- Level of assurance: How well does the assessment and evaluation process ensure the control requirements are fully implemented?
- Caliber of organization performing assessment: Is the assessment being performed by a third party? What are the qualifications of the firm performing the assessment?
What is the process for an organization to achieve HITRUST CSF Certification?
The organization should first determine the business drivers for attempting certification which should include identifying key stakeholders, defining scope, and selecting an Authorized External Assessor Organization. HITRUST recommends a Readiness Assessment be performed to prepare organizations for the Validated Assessment. Organizations can involve Authorized Internal and External Assessor Organizations as part of the Readiness Assessment. Based upon the results of the Readiness Assessment the organization should develop a remediation plan and work with their Authorized External Assessor Organization to define timing of the Validated Assessment. Prior to beginning the Validated Assessment the organization will need to purchase a Validated Assessment object from HITRUST if they are not a subscriber. The organization will need to complete the Validated Assessment using the MyCSF tool and then the Authorized External Assessor Organization will be required to perform the validation/audit work. Once the Authorized External Assessor Organization’s work is complete, they submit the assessment to HITRUST for review. HITRUST will perform quality assurance procedures, create a report and, depending on the scores in the report, will issue a Letter of Certification.
For more information, refer to the HITRUST CSF Assurance Program Requirements brochure.
What types of assessments are available in the HITRUST CSF Assurance Program?
HITRUST offers two types of CSF Assessments – a self-assessment and a validated assessment.
- Self-assessments allow organizations to assess themselves using HITRUST’s standard methodology, requirements, and tools provided under the CSF Assurance Program.
- Validated assessments are conducted by a HITRUST Approved External Assessor. The CSF Assurance Program’s assessment methodology is used and the controls are scored using HITRUST’s maturity approach to control implementation. Assessments meeting or exceeding the current CSF Assurance Program requirements receive a HITRUST validated report, which can include certification based upon maturity scoring.
What is the HITRUST CSF Assurance Program?
The HITRUST CSF Assurance Program is a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and cost-containment; and additional assurances around the accuracy, consistency and repeatability of assessments due to the use of pre-qualified professional services firms-all of which is designed to meet the unique regulatory and business needs of the healthcare industry. In short, it is a risk-based approach to selecting HITRUST CSF controls for assessment, including management oversight of the assessment. The HITRUST CSF Assurance Program delivers simplified compliance assessment and reporting that addresses multiple federal, state and industry requirements for both covered entities and their business associates.