HITRUST CSF Bridge Assessment and Certificate FAQs

How does a bridge assessment affect the interim assessment due date?

The interim assessment is still due on the one-year anniversary of the certification date. A hypothetical timeline: An organization’s HITRUST CSF Certification is set to expire on 5/31/20 and this organization is awarded a HITRUST CSF Bridge Certificate. This organization submits a completed validated assessment to HITRUST prior to the CSF Bridge Certificate’s expiration which results in a HITRUST CSF Certification. The organization’s newly issued HITRUST CSF Certification is dated 6/1/20, and the interim assessment would be due to HITRUST no later than 6/1/21.

Why is the three-month period of the HITRUST CSF Bridge Certificate deducted from the organization’s next HITRUST CSF Certification?

The HITRUST CSF Bridge Certificate is designed to assist organizations who need to maintain HITRUST CSF Certification but may be experiencing challenges in completing their next HITRUST CSF Validated Assessment.

The HITRUST CSF Bridge Assessment links the two HITRUST CSF Validated Assessments by offering a limited level of assurance during the period when the next HITRUST CSF Validated Assessment is being completed. This limited level of assurance is not sufficient to stand alone; it requires completion of a subsequent HITRUST CSF Validated Assessment, and the level of assurance can only be maintained for 24 months.

What are examples of changes that are typically not, on their own, significant enough to preclude performance of a HITRUST CSF Bridge Assessment?

Decommissioning servers, creating new user accounts, updating the business continuity plan, hiring a new CISO, patching endpoints, applying software enhancements through the organization’s SDLC, invoking a work-from-home strategy as part of business continuity activities, and/or adding a new vendor in observance of the organization’s third-party onboarding and review process.

What are examples of “significant changes” that might preclude performance of a HITRUST CSF Bridge Assessment?

HITRUST will evaluate changes on a case-by-case basis and is available to engage with assessed entities to discuss specifics. Examples of activities that might be considered significant changes include:

  • Moving from an on-premise data center into a public cloud environment,
  • Moving the organization’s physical headquarters,
  • Decommissioning a data center and moving all assets to a different data center,
  • Replacing in-scope platforms (e.g., moving from SAP to Oracle EBS),
  • Changing an in-scope system so it uses a NoSQL backend instead of a relational database,
  • Moving away from an outsourced IT model by standing up an internal IT function,
  • Decommissioning the helpdesk ticketing system, and/or
  • New functionality in an in-scope platform enabling it to be accessed from a public location.

HITRUST CSF Framework FAQs

Should my organization pause or delay the process of starting a HITRUST CSF Assessment due to these upcoming changes?

No. There is no advantage in waiting to begin your HITRUST journey. The HITRUST MyCSF SaaS platform can be leveraged at any point after changes are introduced to compare the delta in requirement statements between different framework versions, helping your organization determine whether switching from v9.x of the framework to v10 (future) makes sense. Whichever you decide, beginning a HITRUST CSF Assessment utilizing v9.x now will not cause delays or derail the assessment process, but rather give your organization a head start.

What level of implementation will the HITRUST CSF incorporate for NIST SP 800-53r5 (Low, Moderate, High, and/or Privacy)?

HITRUST will integrate all controls available in NIST SP 800-53r5. The HITRUST MyCSF SaaS platform will provide the ability to sub-select one or all of the NIST 800-53r5 baselines that work for your situation – Low, Moderate, High, and/or Privacy.

Will NIST SP 800-53r5 impact the structure of the HITRUST CSF?

The enhancements planned for Q1 2021 will structurally change the HITRUST CSF; however, that structure will not be impacted by the inclusion of NIST SP 800-53r5 itself, nor will it require “relearning” of the framework. Upon release in Q1 2021, customers will have the ability to sort requirement statements by specific criteria such as NIST SP 800-53r5 within the HITRUST MyCSF SaaS platform.

Will HITRUST be incorporating NIST SP 800-53r5 into the HITRUST CSF and when?

Yes. HITRUST will soon announce more details on scheduled enhancements aimed at reducing complexity while maintaining comprehensive, best-in-class risk management strategies via the HITRUST Approach. These changes are planned for Q1 2021 and include incorporating 800-53r5 in the HITRUST CSF.

MyCSF FAQs

Does MyCSF 2.0 give organizations access to their vendors and their HITRUST certifications (or lack thereof)?

No. This functionality is part of the HITRUST Assessment XChange. For more information on the XChange, contact jacob.bustos@hitrustax.com.

Can the tool link to supporting documents rather than copy?

Yes. MyCSF 2.0 maintains a library of documentation and relationships between the documentation and its related control requirements and maturity domains.

Is attaching a workpaper (w/p) or policy required? I thought only the name of the evidence we collected was needed in the tool. After that, if QA’d by HITRUST, is the evidence needed?

There are several changes that will be announced relating to the Assurance Program requirements. These are independent of the HITRUST CSF and MyCSF and are designed to increase the consistency and integrity of the assurance process.

Can we leverage MyCSF if we are looking to achieve HITRUST with SOC 2?

The only way to efficiently tailor an assessment and generate the control requirements is in MyCSF. Organizations that are undergoing a SOC 2 that is based on the HITRUST CSF can leverage MyCSF to make the process more efficient. This is the case even if only pursuing the SOC 2 and not HITRUST CSF Certification.

CSF Assurance Program FAQs

How can I confirm an organization’s certification status?

If you are in possession of a HITRUST report or letter PDF and are seeking verification that the PDF is authentic, please contact support@hitrustalliance.net. You will be asked to provide a copy of the PDF in question and evidence showing you received it from the organization.

What is the process for an organization to achieve HITRUST CSF Certification?

Before starting the Certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the Certification process, please select a HITRUST Assessor. Once you select an Assessor, you will need to purchase a validated assessment from HITRUST. Complete the validated assessment using the MyCSF tool and then the Assessor will perform the validation/audit work. Please note access to the MyCSF is granted for 90 days. Once the Assessor work is complete, please submit to HITRUST for review. HITRUST will create a report and, depending on the scores in the report, will issue a letter of certification.

Reference: CSF Assurance Program Requirements

How many organizations have completed a HITRUST CSF Assessment?

38,000 CSF Assessments have been performed in the last three years with 15,000 CSF Assessments in 2015 alone. HITRUST anticipates a continued demand for CSF Certification due to third-party assurance requirements from several major health organizations and requests for combined SOC 2 + HITRUST reports.

For more information, refer to the HITRUST Key Programs and Services overview.

If I’m HITRUST CSF Certified, does that mean I’m HIPAA compliant?

In principle yes, but it is not black and white. To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—i.e., information security controls—to provide for the adequate protection of ePHI against all reasonably anticipated threats. In practice, organizations that want to demonstrate HIPAA compliance must generally show that they have addressed each standard and implementation specification in the Security Rule, including risk analysis. Organizations must therefore design or select multiple information security controls to provide the level of prescription necessary for implementation in the system or within the organization.

HITRUST helps organizations select these controls via its extensive mapping of the CSF controls to the HIPAA Security Rule’s standards and implementation specifications. Many of the HIPAA requirements are mapped to multiple controls, and the CSF controls themselves consist of multiple, specific protection requirements contained in multiple levels. By implementing the HITRUST CSF control requirements that are applicable to an organization based on its specific organizational, system and regulatory risk factors, each and every standard and implementation specification in the Security Rule is addressed in a very complete and robust way.

However, CSF certification is based on an assessment of a subset of the controls an organization is expected to implement. These controls were selected based on an analysis of past breach data and the need to address each and every standard and implementation specification in the HIPAA Security Rule. NIST supports the use of such targeted assessments to answer specific questions like this, and the use of a targeted assessment for CSF certification ensures relying organizations receive reasonable assurances at a reasonable cost.

DHHS specifically references HITRUST and the CSF with respect to risk management and risk assessment in its Guidance on Risk Analysis Requirements under the HIPAA Security Rule, and OCR has stated that entities with a strong compliance program in place, whether with the help of a credentialing/accreditation program or on their own, would have that taken into account when determining past compliance. Implementation of the CSF as the basis for an organization’s information protection program and subsequent use of CSF validated or certified assessments has previously been accepted by OCR as evidence of compliance with the HIPAA Security Rule, assuming the assessment addresses the appropriate scope relevant to OCR’s audit or investigation. The CSF and CSF Assurance Program have also been used in past resolution agreements with OCR.

Accepting HITRUST CSF Certified Assessment Reports FAQs

What if my customer or vendor risk management outsourcer wants a proprietary questionnaire answered or assessment executed even though I am a HITRUST CSF assessed entity?

A HITRUST Certification Report covers 40 authoritative sources. The HITRUST CSF provides comprehensive coverage of general security requirements and provides prescriptive controls (safeguards), i.e., the control requirements should be detailed enough to support implementation in the intended environment and adequately address relevant threat(s). In many cases where a customer is asking for a proprietary questionnaire to be filled out or an independent assessment performed, the areas of interest from that customer may have already been addressed and assessed through a HITRUST CSF Assessment. In our experience, putting in some time to educate the customer on what is covered within the scope of a HITRUST assessment and providing them the authoritative source mapping will result in the customer accepting the HITRUST CSF Assessment in place of their proprietary programs. In some instances, performing a cross-reference mapping of the customer’s questionnaire to the HITRUST CSF Assessment that was performed provides the customer with the necessary assurance requested and eliminates the need for a separate questionnaire. We suggest taking these actions first; if those are not successful, you can reach out to HITRUST for additional support and suggestions.

Email HITRUST Support:
support@hitrustalliance.net

Reference Documents:
Leveraging the HITRUST CSF
Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53
HITRUST CSF and NIST OLIR Program

My customer is asking for an assessment scope different from what my organization currently has, either partially or fully. What do I do in this instance?

In cases where there is a gap in scope, it is recommended that the customer request the organization to conduct a gap analysis, expand or adjust the scope of its assessment as needed, and complete an assessment against the controls in question or missing based on the additional systems and organizational elements in the modified scope. Most customers will accept whatever has been assessed to date while waiting for the expanded assessment to be executed. HITRUST recommends organizations start by performing a HITRUST CSF Readiness Assessment with their CSF assessor over the missing scope to satisfy the customer demands while working on the remainder of the HITRUST CSF Validated Assessment.

My customer has an issue with the perception of the assessor that performed my organization’s HITRUST CSF Validated Assessment. How do I address their concern?

HITRUST Authorized External Assessors are organizations that have been approved by HITRUST for performing assessments and services associated with the HITRUST CSF Assurance Program and the HITRUST CSF, a comprehensive risk management framework that incorporates the existing security and privacy requirements of organizations. Authorized External Assessors are critical to HITRUST’s efforts to provide trained resources to organizations of varying size and complexity to assess compliance with security and privacy control requirements and document corrective action plans that align with the HITRUST CSF. All Authorized External Assessors are treated equally by HITRUST. This means that every assessor, regardless of its size and portfolio of capabilities, must go through a rigorous onboarding and ongoing quality review process. As part of HITRUST’s due diligence, a review of each organization and individual practitioner is performed to ensure quality standards are met. Each individual must also attend a live virtual training course and pass an exam to become a Certified CSF Practitioner. Although some assessors may have performed more assessments than others, all assessors are still held to the same quality standards. As with any professional services firm relationship, each client’s experience may be different in the marketplace. We encourage organizations that find themselves in this position to direct their customers to the information regarding the HITRUST Assessor Program and to direct them to HITRUST for any specific questions regarding the program or any concerns related to a specific assessor through the HITRUST Ethics Hotline:

English: USA and Canada: 844-940-0033
Spanish: USA and Canada: 800-216-1288
Website: www.lighthouse-services.com/hitrustalliance

There are rare instances when customers may demand that an organization use a specific assessor or choose from a select list of assessors to perform their validated assessment. Unfortunately, this is outside of HITRUST’s control and will need to be negotiated directly with the customer.

HITRUST has an Assessor Council with whom HITRUST interacts as it relates to the CSF Assurance Program. Within the membership of the Assessor Council, there is a quality subcommittee that meets regularly to provide input regarding the requirements of assessors when performing assessments and help ensure the consistency and quality of the procedures being performed by assessors. This, combined with internal HITRUST quality assurance procedures, should provide some assurance that assessors are performing engagements in accordance with the Authorized External Assessor requirements.

Why does my customer want to perform on-site audits/assessment procedures even after accepting my HITRUST CSF Assessment/Certification and what can I do to prevent or minimize the impact of this?

In most scenarios, a HITRUST CSF Certification or Validated Assessment report is accepted in place of proprietary on-site audits and reporting requests. Scenarios do exist where contracts enable a customer to request the performance of its own on-site audit procedures. Oftentimes the scope of these procedures or areas of focus may be on specific requirements outside the scope of a HITRUST CSF assessment. Other times, after a HITRUST CSF assessment has been received and reviewed, the customer may decide to dive further into certain areas covered by the assessment if corrective action plans or gaps have been identified or if the maturity scores of a particular domain are below the customer’s expectations. In these scenarios, we have found that the scope of the procedures is more targeted at those areas of focus as opposed to a full audit. We encourage assessed entities to work with their customers to make sure that there is an understanding of what has been covered within the scope of the assessment. The scope of proprietary audit procedures should be negotiated to extend only to those areas of focus necessary for the customer to achieve the desired level of assurance.

Third-Party Assurance FAQs

If my Cloud Service Provider is HITRUST CSF Certified, does that mean my environment is as well?

No. If a Cloud Service Provider (CSP) is HITRUST CSF Certified, it does not mean your environment hosted by that CSP is also certified for the following reasons:

  • There could be control gaps, so it is still incumbent on you to perform thorough due diligence to evaluate how the CSP’s HITRUST CSF Certification addresses the security and privacy requirements associated with your own organization’s risk profile and/or regulatory and customer compliance needs.
  • While there is a subset of controls that only the CSP is responsible for (for example, environmental security within a production datacenter), there are controls that remain only your responsibility as the accountable party governing the data entrusted to you and how your users appropriately access and operate that cloud-hosted environment; further, a significant portion of controls are shared, and therefore you remain partially responsible for full coverage of control effectiveness.

For more information, you can download the HITRUST Shared Responsibility Matrix included in the HITRUST CSF download package and refer to the detailed set of common use-case scenarios defined in the HITRUST Shared Responsibility Model. For guidance on how to communicate the value of offering your cloud services hosted on a HITRUST CSF Certified environment, please contact HITRUST Support at support@hitrustalliance.net.

Can any CPA firm issue a joint SOC 2/HITRUST CSF Certified report?

No. While a CPA firm can perform a SOC 2 based on the HITRUST CSF, per the requirements of the HITRUST CSF Assurance Program, only authorized assessors can issue reports that grant HITRUST CSF certification. We currently have a growing list of over 75 assessor firms. Many of these are CPA firms. If the current firm you use for your SOC 2 is not on the list, we would encourage you to ask what their plans are related to becoming an authorized HITRUST CSF assessor. Some may already be going through the process.

References: Risk Management Frameworks, CSF Assurance Program Requirements, and Risk Analysis Guide

Is a current SOC 2 acceptable for meeting the third-party assurance requirements?

It depends. The accepting organization will need to make a determination based on the scope of the examination and the trust service criteria being reported upon. While the current SOC 2 may be granted a waiver and accepted in the first year, it will be necessary to base future SOC 2 reports on the HITRUST CSF in order to fulfill the requirements of the program.

Can I provide my ISO 27001 certification in lieu of CSF certification for third-party assurance?

Organizations accepting ISO 27001 in lieu of CSF certification must still go through the traditional and demonstrably laborious process of comparing and contrasting what’s in the ISO report with what it expects from the comprehensive, prescriptive and often granular requirements of the CSF. While an improvement over custom assessment questionnaires and the now legacy SAS 70, the relying organization would still need to identify any gaps between the two reports (which will almost surely exist), go through the process of requesting additional information from the ISO-certified entity, and then evaluate the response(s).

While an organization could conceivably support ISO certification as a “first step” in the assurance process, it could not and should not rely solely on ISO certification. At some point the ISO-certified organization must demonstrate that the complete set of CSF control requirements relevant to its organization has been implemented appropriately if the relying organization is to ascertain what residual risk(s) remain. And since this is best accomplished through the CSF Assurance Program, it just makes sense—from both an economic and resource perspective—to simply require a CSF validated or certified assessment from the onset.

References: Risk Management Frameworks, CSF Assurance Program Requirements, and Risk Analysis Guide

External Assessor Program FAQs

What is the difference between a HITRUST External Assessor and a Certified CSF Practitioner (CCSFP)?

A Certified CSF Practitioner is an individual who has completed the required training, passed an exam, and meets the experience requirements for a practitioner. A HITRUST External Assessor is a firm that has met all the requirements to become authorized to perform HITRUST CSF validated assessments.

Do I need to attend HITRUST training every year to maintain my status as a HITRUST Practitioner?

HITRUST practitioners will complete the onsite training during the first year. In the second and third years they are required to complete a refresher. The CSF Practitioner Refresher Course is a self-paced online course available for download from the HITRUST Academy. In the fourth year the process starts over with the onsite class.

What is the difference between a HITRUST practitioner and a HITRUST External Assessor?

HITRUST External Assessors are designated organizations qualified to provide assessments for clients seeking HITRUST Certification. HITRUST practitioners are either members of a HITRUST Assessor organization who have obtained this status through the HITRUST training class to assist organizations with certifications, or independent consultants who have completed the HITRUST training class and assist organizations with self-assessments or with implementing the CSF in their environment.

What are the costs associated with the Assessor program?

There are three costs associated with the HITRUST External Assessor Program:

  1. Application fee (one-time payment of $2,500)
  2. Training fee: Five people must complete the Certified CSF Practitioner (CCSFP) Training Course – $3,000 per individual. Additionally, two of those five people must complete the Certified HITRUST Quality Professional (CHQP) Course online – $2,000 per individual. Both the CCSFP and CHQP Courses are offered via the HITRUST Academy.
  3. Annual Program Fee (Tier rates based upon overall revenue from the prior year)

For exact pricing information and more details regarding the External Assessor Program, please contact csfassessor@hitrustalliance.net.

HITRUST Threat Catalogue FAQs

How often will the HITRUST Threat Catalogue be updated?

We anticipate updates to occur annually, shortly after each HITRUST CSF release, or when significant changes in the threat environment would warrant an interim release.

What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?

A HITRUST Implementation Advisory would be issued if there is additional clarification around how HITRUST CSF requirements should be implemented to effectively address one or more threats—or as an interim measure until more stringent or enhanced control requirements can be published in the next scheduled release of the HITRUST CSF.

How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?

The threat landscape is constantly changing, as are the technologies and tools that organizations rely upon to support their business missions. Consequently, an organization’s information protection program must change and adapt. Threat intelligence is one of several mechanisms by which HITRUST ensures the continued sufficiency of the HITRUST CSF.

How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?

By linking granular threats identified in active threat intelligence to higher-level threats contained in the HITRUST Threat Catalogue and related HITRUST CSF control specifications, organizations will gain greater insight into how well they are addressing extant and emerging threats by evaluating how well they’ve implemented related HITRUST CSF controls in their environment. Moreover, leveraging threat intelligence that can be correlated via the HITRUST Threat Catalogue’s mappings to the control specifications will allow organizations to determine likelihood and impact in order to further tailor their information protection program and manage their risk.

HITRUST Risk Management Framework FAQs

Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cybersecurity Framework?

No, the interim review requirement only applies to the HITRUST Certification.

What makes HITRUST a valid organization for issuing a certification for the NIST Cybersecurity Framework certification?

ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs and produces the HITRUST CSF, the most commonly used information security controls standard in the healthcare industry. And, in its 2018 Report to Congress on the state of NIST Cybersecurity Framework Adoption, the GAO states Healthcare and Public Health (or “HPH”) Sector officials encourage alignment of the NIST Framework with existing cybersecurity guidelines and goes on to state, “the sector aligned the [HITRUST CSF] with the NIST Framework,” which “allows organizations to demonstrate compliance with NIST through their implementation of the pre-existing [HITRUST] framework.” In fact, current HPH Sector guidance uses the HITRUST CSF as the underlying foundation for an organization’s implementation of the NIST Framework.

Refer to https://www.gao.gov/assets/700/690112.pdf for a copy of the GAO report.

Refer to the US-CERT Cybersecurity Framework Website at https://www.us-cert.gov/ccubedvp/cybersecurity-framework for a copy of the HPH Sector implementation guide, or download a copy directly using https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf.

Does a CSF Assurance assessment weight all controls equally?

Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST CSF Validated or Certified Report. This is consistent with NIST guidance that allows for focused assessments to address specific issues or answer specific questions. “Organizations have maximum flexibility on how risk assessments are conducted and are encouraged to apply the guidance in this document so that the various needs of organizations can be addressed and the risk assessment activities can be integrated into broader organizational risk management processes” (NIST SP 800-30 r1, Guide for Conducting Risk Assessments, pg. ix). For purposes of certification, control selection is based on an analysis of breach data, leading practices and regulatory requirements (e.g., the HIPAA Security Rule).

With respect to the way an assessment is conducted, one control does not have more weight or importance than another. This is because, by definition, all the controls that the organization has determined it must implement—regardless of whether they were designed from a custom risk analysis or tailored from a control baseline by a supplemental analysis—must be implemented in order to manage risk to an acceptable level. But the HITRUST CSF Assurance Program only requires this level of “completeness” for purposes of certification and, even then, organizations can remove controls that do not apply to them or accept a small amount of risk for partial implementations of those that do.

HITRUST also encourages the prioritization of remediation activities based on relative risk by providing impact ratings and their relationship with each other through the inclusion of priority codes. Although examples have not yet been provided in the Risk Analysis Guide, HITRUST encourages organizations to modify the impact ratings based on an evaluation of their control environment and to consider other factors, such as existing infrastructure, budget constraints and organizational culture, when developing and prioritizing corrective actions.

For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors.

Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?

The best discussion of why one would choose the HITRUST CSF over ISO 27001 and NIST SP 800-53 is provided in an earlier FAQ, but to address the question about accepting one in lieu of another, we’ll need to expand a little further.

The biggest difference between the two certifications is what they intend to certify.

In the case of ISO 27001, the focus of the certification is on the information security management system (ISMS), which includes an evaluation of the information security risk assessment and treatment processes. However, “organizations can design controls as required, or identify them from any source” (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, “they are not exhaustive and additional control objectives and controls may be needed” (Ibid., § 6.1.3.c, p. 4). And although the ISO assessor must produce a “Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A” (Ibid., § 6.1.3.d, p. 4), it doesn’t extend beyond what’s required in Annex A. Consequently, organizations have wide latitude in the controls they specify to address the risks they identify at a level suitable to their risk appetite. ISO certification assessors also have some latitude in how they assess the effectiveness of the controls, and there is no quality control of the assessments other than a general requirement that consultants who help organizations prepare for ISO certification do not perform the certification assessment.

In effect, we’re left with the same problems that existed before the creation and implementation of the HITRUST CSF—which is actually structured on ISO 27001 and contains additional guidance from ISO 27002 and multiple other relevant authoritative sources such as HIPAA, NIST SP 800-53, CMS IS ARS, PCI DSS and the NIST Cybersecurity Framework—and its assessment through the HITRUST CSF Assurance Program: a lack of comprehensiveness and prescription in the control requirements; little or no U.S. healthcare industry context; lack of comprehensiveness related to regulations, legislation and other relevant requirements such as leading practice frameworks; and uncertain rigor and approach to the assessments including limited quality control.

The HITRUST CSF on the other hand provides a minimal baseline of comprehensive, prescriptive control requirements tailored to a healthcare organization’s specific organizational, system and regulatory risk factors. And the specific focus of HITRUST CSF Certification is on the maturity of this control baseline’s implementation using a specific, rigorous assessment approach and scoring model in order to gauge the level of excessive residual risk to ePHI in the organization. HITRUST also provides detailed assessment procedures for each control requirement, and ensures assessments are performed by an Authorized External Assessor Organization and requires each assessment undergo a quality assurance review to ensure accuracy and completeness before awarding certification.

As an example of how high-level control requirements can benefit from the context, comprehensiveness and rigor of the HITRUST CSF and CSF Assurance Program, one only has to look at the joint initiative between AICPA and HITRUST on using the HITRUST CSF to support SOC 2 assessments against the Trust Principles and Criteria. This ensures a standardized set of industry-relevant control requirements are identified for each criterion, and the assessment of these controls are conducted with a specific approach and level of rigor that provides relying entities, including regulators and other third parties, with accurate, consistent and repeatable assurances.

The best treatment on why one would choose the HITRUST CSF over ISO can be found in the risk framework analysis presented by HCSC and Children’s Health Dallas Selecting a Healthcare Information Security Risk Management Framework in a Cyber World. For more information on the HITRUST RMF, refer to the HITRUST RMF Whitepaper.

The HITRUST CSF FAQs

Why choose the HITRUST CSF over other control frameworks like NIST SP 800-53 and ISO/IEC 27001?

Many of the elements for the argument are presented in FAQs throughout this section. But more specifically, the HITRUST CSF is designed with certain highly-regulated industries in mind; however, it is a region- and industry-agnostic control framework that can be used globally by organizations across all industries. Furthermore, HITRUST is the only standards development organization with a framework, an assessment platform, and an independent assurance program.

The table below compares the HITRUST CSF with other leading information security and risk frameworks:

[Table: the HITRUST CSF compared with other leading information security and risk frameworks]

For more information on why one would choose the HITRUST CSF, refer to the Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53 brochure or, for a healthcare organization’s perspective, the joint presentation by HCSC and Children’s Health, Selecting a Healthcare Information Security Risk Management Framework in a Cyber World.

Is the scope of the HITRUST CSF too large for most organizations?

Although HITRUST specifically provides for significant tailoring of the HITRUST CSF based on an organization’s specific risk factors, any framework can be applied inappropriately. Given the relatively uncontrolled sprawl of sensitive information in many organizations, the HITRUST CSF can (and should) be applied as broadly as necessary to cover the specific types of information, systems, and/or business units requiring protection. The scope can be minimized by ensuring that workflows requiring the use of sensitive information are understood and that such uses are restricted to the minimum necessary, as required by many legal and regulatory bodies as well as best practice. Information assets and data flows involving sensitive information can also be isolated from other assets and data flow types, e.g., through network segmentation.

For more information, refer to the CSF Assessment Methodology and the Risk Analysis Guide for HITRUST Organizations and Assessors.

Does the HITRUST CSF take a “one-size-fits-all” approach to information security?

The HITRUST CSF is actually one of the most flexible data protection frameworks ever developed. First, the HITRUST CSF was created by integrating multiple legislative, regulatory, and leading practice guidelines and frameworks, and tailoring the incorporated requirements to the industry, or industries, in which the organization operates. The resulting controls are then tailored further by selecting them based on specific organizational, system, and regulatory risk factors. But while this approach provides more granular tailoring ‘out-of-the-box’ than any other framework, HITRUST understands that no two organizations—even similar ones—are exactly alike.

Although information may have a common classification (e.g., PII, ePHI), differences such as organizational culture, infrastructure, technology, and risk appetite could result in a slightly different set of controls. Consequently, organizations leveraging a framework are expected to i) perform a risk analysis on threats they consider unique to them, and ii) select additional controls to address those threats. Organizations must also consider alternatives for controls that may not be suitable for them to implement (e.g., because of constraints imposed by existing or planned information architectures and infrastructure). Fortunately, this supplemental risk analysis addresses only the threats and other issues considered unique to the organization and is therefore more tractable. The result is what is referred to as an overlay: a formally documented set of justified modifications to a control baseline.

For more information, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors.

What are the goals for the HITRUST CSF?

Through HITRUST, an organization seeks to adopt a control framework that is:

  • relevant through regular maintenance of supporting authoritative sources and changes in the threat environment;
  • scalable to various sizes and types of organizations or systems in a controlled manner;
  • tailorable through managed approvals of alternative (compensating) controls;
  • based on compliance with control baselines intended to manage risk to an industry-accepted level;
  • capable of providing certifiable risk assurances to internal and external stakeholders, including regulators; and
  • supported by appropriate guidance and tools.

For more information on HITRUST and the CSF, refer to the HITRUST C-Level Overview.

CSF Assurance Program and Certification FAQs

Does a CSF Assurance assessment weight all controls equally?

Although all CSF controls placed in scope after the tailoring process must be implemented by the organization to effectively manage excessive residual risk, not all controls are assessed for a HITRUST CSF Validated or Certified Report. This is consistent with NIST guidance that allows for focused assessments to address specific issues or answer specific questions: “Organizations have maximum flexibility on how risk assessments are conducted and are encouraged to apply the guidance in this document so that the various needs of organizations can be addressed and the risk assessment activities can be integrated into broader organizational risk management processes” (NIST SP 800-30 r1, Guide for Conducting Risk Assessments, p. ix). For purposes of certification, control selection is based on an analysis of breach data, leading practices and regulatory requirements (e.g., the HIPAA Security Rule).

With respect to the way an assessment is conducted, one control does not have more weight or importance than another. This is because, by definition, all the controls that the organization has determined it must implement—regardless of whether they were designed from a custom risk analysis or tailored from a control baseline by a supplemental analysis—must be implemented in order to manage risk to an acceptable level. But the HITRUST CSF Assurance Program only requires this level of “completeness” for purposes of certification and, even then, organizations can remove controls that do not apply to them or accept a small amount of risk for partial implementations of those that do.

HITRUST also encourages the prioritization of remediation activities based on relative risk by providing impact ratings and, through priority codes, their relationship to one another. Although examples have not yet been provided in the Risk Analysis Guide, HITRUST encourages organizations to modify the impact ratings based on an evaluation of their control environment and to consider other factors, such as existing infrastructure, budget constraints and organizational culture, when developing and prioritizing corrective actions.

For more information, refer to the Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochure and the Risk Analysis Guide for HITRUST Organizations and Assessors.

Since ISO/IEC provides an internationally recognized information security standard, can I use my ISO 27001 certification to satisfy customer and business partner requirements for a HITRUST CSF Validated or Certified Report?

The best discussion of why one would choose the HITRUST CSF over ISO 27001 and NIST SP 800-53 is provided in an earlier FAQ, but to address the question about accepting one in lieu of another, we’ll need to expand a little further.

The biggest difference between the two certifications is what they intend to certify.

In the case of ISO 27001, the focus of the certification is on the information security management system (ISMS), which includes an evaluation of the information security risk assessment and treatment processes. However, “organizations can design controls as required, or identify them from any source” (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, they “are not exhaustive and additional control objectives and controls may be needed” (Ibid., § 6.1.3.c, p. 4). And although the ISO assessor must produce a “Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A” (Ibid., § 6.1.3.d, p. 4), it doesn’t extend beyond what’s required in Annex A. Consequently, organizations have wide latitude in the controls they specify to address the risks they identify at a level suitable to their risk appetite. ISO certification assessors also have some latitude in how they assess the effectiveness of the controls, and there is no quality control of the assessments other than a general requirement that consultants who help organizations prepare for ISO certification do not perform the certification assessment.

In effect, we’re left with the same problems that existed before the creation and implementation of the HITRUST CSF—which is actually structured on ISO 27001 and contains additional guidance from ISO 27002 and multiple other relevant authoritative sources such as HIPAA, NIST SP 800-53, CMS IS ARS, PCI DSS and the NIST Cybersecurity Framework—and its assessment through the HITRUST CSF Assurance Program: a lack of comprehensiveness and prescription in the control requirements; little or no U.S. healthcare industry context; lack of comprehensiveness related to regulations, legislation and other relevant requirements such as leading practice frameworks; and uncertain rigor and approach to the assessments including limited quality control.

The HITRUST CSF, on the other hand, provides a minimal baseline of comprehensive, prescriptive control requirements tailored to a healthcare organization’s specific organizational, system and regulatory risk factors. And the specific focus of HITRUST CSF Certification is on the maturity of this control baseline’s implementation, using a specific, rigorous assessment approach and scoring model in order to gauge the level of excessive residual risk to ePHI in the organization. HITRUST also provides detailed assessment procedures for each control requirement, ensures assessments are performed by an Authorized External Assessor Organization, and requires that each assessment undergo a quality assurance review to ensure accuracy and completeness before certification is awarded.

As an example of how high-level control requirements can benefit from the context, comprehensiveness and rigor of the HITRUST CSF and CSF Assurance Program, one only has to look at the joint initiative between AICPA and HITRUST on using the HITRUST CSF to support SOC 2 assessments against the Trust Principles and Criteria. This ensures a standardized set of industry-relevant control requirements are identified for each criterion, and the assessment of these controls are conducted with a specific approach and level of rigor that provides relying entities, including regulators and other third parties, with accurate, consistent and repeatable assurances.

The best treatment of why one would choose the HITRUST CSF over ISO can be found in the risk framework analysis presented by HCSC and Children’s Health Dallas, Selecting a Healthcare Information Security Risk Management Framework in a Cyber World. For more information on the HITRUST RMF, refer to the HITRUST RMF Whitepaper.

How often do I need to get a HITRUST CSF assessment report to support my third-party assurance requirements?

HITRUST CSF Validated Reports with Certification are valid for two years given the successful completion of an interim review (12 months after the date of the original assessment), and that no breach or significant changes have occurred relating to the scoped control environment. Validated Reports not resulting in certification are point-in-time reports.

For more information, refer to the HITRUST CSF Assurance Program Detailed Overview.

How can I use the CSF Assurance Program for third-party risk management?

The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and leading practices to support a single assessment that may be reported out in multiple ways, e.g., to support PCI SAQ development, the issuance of SOC 2 reports against specific AICPA Trust Services Criteria, or scorecards of HIPAA or NIST Cybersecurity Framework compliance. Organizations using the CSF Assurance Program for third-party risk management experience significant reductions in cost and level of effort required to evaluate third-party reports or issue their own reports to their own stakeholders, including business partners and regulators. This is the fundamental reason why several large healthcare entities have moved from simply accepting HITRUST Validated and Certified Reports to requiring them.

HITRUST and the NIST Cybersecurity Framework FAQs

Is an interim review required to maintain your HITRUST CSF Certification for the NIST Cybersecurity Framework?

No, the interim review requirement only applies to the HITRUST Certification.

What makes HITRUST a valid organization for issuing a certification against the NIST Cybersecurity Framework?

ANSI estimates there are hundreds of ‘traditional’ standards developing organizations (or “SDOs”) in the United States and hundreds more ‘non-traditional’ standards development bodies, such as consortia. The HITRUST Alliance is one of these industry SDOs and produces the HITRUST CSF, the most commonly used information security controls standard in the healthcare industry. And, in its 2018 Report to Congress on the state of NIST Cybersecurity Framework Adoption, the GAO states Healthcare and Public Health (or “HPH”) Sector officials encourage alignment of the NIST Framework with existing cybersecurity guidelines and goes on to state, “the sector aligned the [HITRUST CSF] with the NIST Framework,” which “allows organizations to demonstrate compliance with NIST through their implementation of the pre-existing [HITRUST] framework.” In fact, current HPH Sector guidance uses the HITRUST CSF as the underlying foundation for an organization’s implementation of the NIST Framework.

Refer to https://www.gao.gov/assets/700/690112.pdf for a copy of the GAO report.

Refer to the US-CERT Cybersecurity Framework Website at https://www.us-cert.gov/ccubedvp/cybersecurity-framework for a copy of the HPH Sector implementation guide, or download a copy directly using https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf.

Will HITRUST incorporate the NIST Cybersecurity Practice Guides into the HITRUST RMF?

HITRUST works closely with NIST and we constantly analyze their documentation to see what additional guidance can be utilized. Many guidelines—most often those that are very technical or technology-specific—are typically outside the scope of the HITRUST CSF; however, HITRUST will review these practice guides, determine how HITRUST CSF adopters can best leverage this type of documentation, and provide supporting guidance to the healthcare community, e.g., through HITRUST Implementation Advisories, as needed.

For more information on the HITRUST approach to risk management, refer to the HITRUST Risk Management Frameworks and Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection brochures.

If I’m HITRUST CSF Certified, what do I need to do to demonstrate I’m complying with the NIST Cybersecurity Framework?

If you’re HITRUST CSF Certified, you can demonstrate compliance with the NIST Cybersecurity Framework in one of two ways.

[Diagram: the two ways a HITRUST CSF Certified organization can demonstrate NIST Cybersecurity Framework compliance]

An organization can generate a NIST CsF scorecard based on the maturity of the HITRUST CSF control requirements that support each of the NIST CsF Core Subcategories. A similar approach is used to “roll up” requirement-level scores to the HITRUST CSF Assessment Domains in a HITRUST CSF Assessment Report, and may be generated from the security assessment used for HITRUST CSF certification or from a comprehensive security assessment. The former will provide reasonable assurances about the state of NIST CsF compliance at a reasonable cost, whereas the latter will provide the greatest level of assurance but at a slightly higher cost.

Alternatively, an organization can use the results of a HITRUST CSF assessment to estimate the NIST CsF Implementation Tiers, which will help provide an organizational-level view into the maturity of its cybersecurity program.

For more information on the original NIST maturity model, see the NIST IR 7358, Program Review for Information Security Management Assistance (PRISMA).

For more information on how the HITRUST CSF is used to support an organization’s implementation of the NIST Cybersecurity Framework, see the Healthcare Sector Cybersecurity Framework Implementation Guide, Version 1.1.

For more information on the HITRUST CSF, see the Introduction to the HITRUST CSF, and the HITRUST CSF Framework FAQ.

HITRUST CSF and SOC 2 FAQs

Does a SOC 2 + HITRUST CSF examination assess all 135 controls or only the controls required for HITRUST certification?

The answer to this question is either. HITRUST has updated the SOC 2 + HITRUST guidance to illustrate how a SOC 2 + HITRUST CSF opinion could be based upon all 135 security CSF Controls or only those security controls required for Certification.

There are three (3) documents that have been updated to reflect this change:

  • Mapping of the HITRUST CSF to the Trust Services Criteria;
  • The Guidance/FAQ document; and
  • The Illustrative management assertion and CPA opinion.

HITRUST CSF and NIST CSF FAQs

What are HITRUST’s requirements for certification of an organization’s information security program against the NIST Cybersecurity Framework?

Consistent with the certification requirements for the HITRUST CSF, an organization must achieve a minimum score for each NIST Cybersecurity Framework Core Category, which is aggregated from the scores for individual HITRUST CSF control requirements as they are mapped to each Core Subcategory within a Category. However, no additional Corrective Action Plans (CAPs) are needed to support HITRUST’s certification of the NIST Cybersecurity Framework beyond what is required for HITRUST CSF certification.

What happens if I don’t meet the requirements for certification against the NIST Cybersecurity Framework?

If an organization does not meet HITRUST CSF requirements for certification against the NIST Cybersecurity Framework, HITRUST will issue an assessment report with a Letter of Validation in lieu of a Letter of Certification.

Can I get certified against the NIST Cybersecurity Framework even if I don’t meet the requirements for HITRUST CSF certification?

While it’s possible, the likelihood that an organization can be certified against the NIST Cybersecurity Framework without meeting the requirements for HITRUST CSF certification is very small. This is because each certification is based on a single assessment. While the individual scores for each control requirement are the same, the scores are aggregated differently to support reporting against the HITRUST CSF Assessment Report domains and the NIST Cybersecurity Framework Core Categories.
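The following is an added illustration (not a HITRUST tool) of the point made in this and the earlier NIST CsF FAQs: one set of requirement-level scores rolls up to HITRUST CSF Assessment Domains and to NIST CsF Core Categories differently, so a per-category minimum can fail on one roll-up and pass on the other. The requirement ids, the two mappings and the minimum score are constructed, and the aggregation method (unweighted mean, Subcategory first) is an assumption because the FAQs do not state it; only the 79 aggregated-score threshold comes from the page.

```python
"""Constructed roll-up of HITRUST CSF requirement scores to (a) HITRUST CSF
Assessment Domains and (b) NIST CsF Core Categories via Core Subcategories.
Added example; the mappings, scores and minimum are illustrative only."""

# Constructed sample: requirement id -> maturity score (0-100).
REQUIREMENT_SCORES = {
    "01.a": 90, "01.b": 55, "01.c": 85,
    "09.m": 80, "09.n": 45,
    "11.a": 95, "11.b": 88,
}

# Constructed mapping: HITRUST requirement -> HITRUST Assessment Domain.
DOMAIN_MAP = {
    "01.a": "Access Control", "01.b": "Access Control", "01.c": "Access Control",
    "09.m": "Network Protection", "09.n": "Network Protection",
    "11.a": "Incident Management", "11.b": "Incident Management",
}

# Constructed mapping: NIST CsF Core Subcategory -> HITRUST requirements.
# A single weak requirement (09.n) stands alone in DE.CM-1 here, which is
# what makes the NIST roll-up fail while the HITRUST domain roll-up passes.
SUBCATEGORY_MAP = {
    "PR.AC-1": {"01.a", "01.b"},
    "PR.AC-4": {"01.c", "09.n"},
    "DE.CM-1": {"09.n"},
    "DE.CM-7": {"09.m", "09.n"},
    "RS.AN-1": {"11.a", "11.b"},
}

MIN_CATEGORY_SCORE = 62  # placeholder minimum (assumption, not from the FAQs)
OC_THRESHOLD = 79        # aggregated maturity score the FAQs cite for the OC Program


def _mean(values):
    values = list(values)
    return sum(values) / len(values)


def category_of(subcategory):
    """'PR.AC-1' -> 'PR.AC' (the Core Category a Subcategory belongs to)."""
    return subcategory.split("-")[0]


def rollup_domains(scores, domain_map):
    """Average requirement scores into each HITRUST Assessment Domain."""
    grouped = {}
    for req, score in scores.items():
        grouped.setdefault(domain_map[req], []).append(score)
    return {domain: round(_mean(v), 1) for domain, v in grouped.items()}


def rollup_nist_categories(scores, subcategory_map):
    """Average requirements into Subcategories, then Subcategories into
    Core Categories (assumed two-stage unweighted mean)."""
    sub_scores = {
        sub: _mean(scores[r] for r in reqs) for sub, reqs in subcategory_map.items()
    }
    grouped = {}
    for sub, score in sub_scores.items():
        grouped.setdefault(category_of(sub), []).append(score)
    return {cat: round(_mean(v), 1) for cat, v in grouped.items()}


def failing(rolled, minimum=MIN_CATEGORY_SCORE):
    """Names of domains/categories below the minimum, sorted."""
    return sorted(name for name, score in rolled.items() if score < minimum)


def aggregate_score(scores):
    """Single aggregated maturity score across all in-scope requirements."""
    return round(_mean(scores.values()), 1)


if __name__ == "__main__":
    domains = rollup_domains(REQUIREMENT_SCORES, DOMAIN_MAP)
    nist = rollup_nist_categories(REQUIREMENT_SCORES, SUBCATEGORY_MAP)
    print("HITRUST domains:", domains, "failing:", failing(domains))
    print("NIST CsF categories:", nist, "failing:", failing(nist))
    print("aggregate:", aggregate_score(REQUIREMENT_SCORES),
          "OC-eligible:", aggregate_score(REQUIREMENT_SCORES) >= OC_THRESHOLD)
```

With these inputs every HITRUST domain clears the placeholder minimum but the NIST CsF DE.CM category does not, the situation in which the FAQs say a Letter of Validation rather than a Letter of Certification would be issued for the NIST Cybersecurity Framework.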

How long is HITRUST’s certification for the NIST Cybersecurity Framework valid?

HITRUST’s certification of the organization’s implementation of the NIST Cybersecurity Framework is for two (2) years, commensurate with the HITRUST CSF Assessment Report.

Interim Review FAQs

Will it be the same level of access as we get for full assessment submission?

Non-subscribers’ access will be the same as the “report only” option, currently set at 1 object and 3 users.

Does the interim assessment need to be submitted by the yearly certification date, or is there an allowance for submission up to 60 days late?

Interim assessments need to be submitted by the one-year anniversary of the certification date. Exceptions may be requested prior to the anniversary date to account for extraordinary circumstances that prohibit completion.

If we have already completed the evidence sampling and review with our HITRUST assessor firm, do we need to use the memorandum interim submission or the HITRUST MyCSF interim submission?

Interim assessments completed after April 1, 2019 need to adhere to the current guidelines, including submitting through MyCSF. The only exception is for organizations holding a certification on CSF v9.0 or prior versions – they can submit outside of MyCSF but must meet all other current interim assessment requirements.

How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?

Since the controls are selected randomly by MyCSF, there is not a way to provide an advance notice. However, for MyCSF subscribers, interim assessments can be generated up to 120 days in advance of their due date.

Control Maturity and Continuous Monitoring and Assessment FAQs

What is the role of continuous monitoring in the HITRUST scoring process?

Information security continuous monitoring (ISCM) has been a part of the HITRUST CSF control maturity and scoring model since the inception of the HITRUST CSF Assurance Program in 2009.

Typical assessment and audit approaches generally focus on policy and implementation of the controls needed to implement that policy. HITRUST takes a more robust approach by specifically looking at the implementation of the control, including how well the control is supported by policy and procedures, as well as how well the organization monitors the effectiveness of the control and whether it takes appropriate action should monitoring indicate a degradation in effectiveness or failure of the control.

As shown in the table below, continuous monitoring is addressed by the ‘Measured’ and ‘Managed’ maturity levels with a maximum of 15 and 10 points awarded for each level, respectively.

[Table: HITRUST CSF control maturity levels and maximum points; continuous monitoring is covered by the Measured (15 points) and Managed (10 points) levels]

Will businesses that require HITRUST Assessments for their third-party risk management programs expect their vendors to obtain higher maturity scores?

HITRUST provides a common approach to triaging vendor risk by identifying the means and rigor of the assurances needed from a vendor based on the inherent information-related risks of a proposed or existing business relationship. This includes the information security and privacy controls specified for the vendor as well as the maturity scores required for an acceptable level of assurance.

[Table: HITRUST third-party risk triage approach: inherent risk factors, risk scoring model, and recommended assessment type, rigor and required maturity]

As shown in the table above, the HITRUST risk triage approach provides (1) specific organizational, compliance and technical factors that help identify the type and amount of inherent risk the business relationship with the vendor poses; (2) a simple risk scoring model to help quantify the risk; and (3) specific recommendations for the type and rigor of the assessment and the maturity of the organization’s information protection.

By providing a common set of risk factors independent of the security and privacy controls that may or may not be implemented by a third party, an organization can readily assess inherent risk and determine a reasonable and appropriate mechanism for the assurances it needs at a reasonable cost. Broad adoption will also significantly reduce costs for any third party that needs to provide assurances to multiple customers or business partners.

What credit do customers of HITRUST get for achieving mature scorecards? When will this take effect?

Based on an analysis of CSF Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a CSF Assessment are operated at or above an aggregated HITRUST CSF maturity score of 79, there is a very high likelihood these controls will continue to operate in a similar manner going forward. Organizations that have mature information security continuous monitoring (ISCM) programs in place can also help ensure that any deficiencies that may arise in their protection programs are quickly identified and addressed. These organizations may qualify for the HITRUST CSF Ongoing Certification (OC) Program, which will allow them to reduce the frequency of full, time-based recertification assessments, as shown in the graphic below.

HITRUST plans to update the CSF Assurance Program to reward those organizations that have mature information protection programs as well as those that are actively implementing ISCM programs through a three-tiered certification program.

Organizations that demonstrate a ‘standard’ level of information protection, typically reflected in a CSF maturity score below 79, will undergo annual recertification assessments, while those with higher scores striving to meet HITRUST requirements for ISCM would continue to undergo recertification assessments every two years with a targeted interim assessment.

Organizations that qualify for the ISCM-based HITRUST CSF Ongoing Certification (OC) program would conduct recertification assessments even less often, at a frequency determined by their aggregated HITRUST CSF control maturity score and other criteria. Additional criteria will be developed by the HITRUST ISCM Working Group and integrated into the HITRUST CSF Assurance Program prior to its rollout, the timing of which is yet to be determined.

Benefits of the ISCM-based HITRUST CSF OC Program include:

  • On-demand, near real-time insight into their security and compliance risk posture* (visibility into how well stuff is protected)
  • The ability to make quick, risk-based decisions on system security in near real-time** (helps minimize the impact from bad things happening)
  • Better prioritization of remediation activities and corrective actions*** (helps identify the problems that need to be fixed first)
  • Consistent, continuous adoption of cybersecurity best practices**** (ensures extant and emerging threats continue to be addressed appropriately)
  • A higher level of assurance that personal data and individual privacy will continue to be protected and risk appropriately managed in the future (management can sleep better at night)
  • Longer periods between comprehensive control gap assessments (fewer interruptions at work)
  • Reduced time and effort needed to maintain certification (ability to focus on the real work)
  • Reduced lifecycle costs for maintaining certification (more money for other work)
  • Higher levels of assurance and trust with and amongst external stakeholders such as regulators, business partners, and customers (everyone can sleep better at night)

[Graphic: three-tiered HITRUST CSF certification program showing recertification frequency by aggregated maturity score and ISCM status]

* Eisensmith, J. (n.d.). Ongoing Authorization: Changing how Government does Security Compliance. CIO Review. Available from https://identity-governance-and-administration.cioreview.com/cxoinsight/ongoing-authorization-changing-how-government-does-security-compliance-nid-5608-cid-180.html.

** Eisensmith (n.d.).

*** Luu (2015). Implementing an Information Security Continuous Monitoring Solution—A Case Study. ISACA Journal (1). Available from https://www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=264.

**** Luu (2015).

How are HITRUST report findings different from those of vendors like SecurityScorecard and BitSight?

While useful, the approach used to obtain reputational scores like those from SecurityScorecard and BitSight is limited (similar to a narrowly scoped external penetration test) and is arguably unique to each organization’s network. It is further recognized that each scorecard vendor uses a proprietary approach to collecting data as well as proprietary analytics when computing the scores or ratings. In addition to the challenges inherent in their opacity, any changes to these proprietary approaches can change an organization’s score, sometimes dramatically, when there has been no discernible change in its actual security posture.* This is because the type of evidence collected for these scorecards is circumstantial, so statements about the actual state of the organization’s security posture must be inferred rather than directly observed.

Simply put, security scorecards cannot replace the level of assurance provided by a thorough assessment of an organization’s information protection program, including its overall approach to risk and risk management as well as detailed reviews of its privacy and security controls.

* CSO Online (2016, Aug 4).
