By Michael Parisi, Vice President of Assurance Strategy and Community Development
As the COVID-19 pandemic hit, businesses found themselves in a bind when it came to assessing security and compliance postures. IT and risk management teams were overwhelmed with just keeping their businesses running while people worked from home. And assessors were restricted from visiting third-party vendors to evaluate their security and compliance postures to ensure they were not presenting any IT security risks.
The situation also adversely impacted the third-party vendors. To do business with customers, they need to be able to attest they have strong security postures so customers will trust them to process sensitive data.
To take on these challenges, many businesses turned to their trusted security risk and compliance management partner—HITRUST. They rely on the HITRUST CSF to provide a comprehensive and efficient approach to measuring regulatory compliance and risk management. The service is vital in helping businesses and their vendors establish trust between each other—that both groups carefully protect digital assets within their respective partner ecosystems.
But given that onsite visits are a key component of evaluating security and compliance postures, the pandemic created roadblocks. Assessors could not or did not want to go onsite to collect evidence, perform interviews, and review other required items.
Going to Bat for Our Customers
So HITRUST responded in a big way. We devised an innovative approach to help adapt information risk management and compliance programs so businesses can continue to attest to their security and compliance postures—without compromising the integrity of the process and without incurring any additional costs or inefficiencies.
Recognizing the challenges that assessed entities face in completing HITRUST CSF Validated Assessments—and the possible impact of not maintaining HITRUST CSF Certification—we created the HITRUST CSF Bridge Assessment. It assists organizations by allowing assessed entities to demonstrate a continued level of control effectiveness and to assert progress towards the next HITRUST CSF Validated Assessment.
During a HITRUST CSF Bridge Assessment, the HITRUST MyCSF platform selects a subset of the requirement statements from an entity’s previous validated assessment. A HITRUST Authorized External Assessor then tests these requirement statements to confirm maturity did not degrade since the previous assessment.
Maintaining the Same Level of Security & Privacy Posture Assurance
As we adapted quickly in issuing this guidance, we also made sure these changes did not impact the “rely-ability” of the assessments. Organizations still receive the same level of assurance as to the security and compliance postures of their third-party partners.
We took these steps because our customers asked for assistance, and we remain committed to innovating and adapting as conditions change—whether it’s due to technology, threats, business models, or another pandemic.
Our organization will continue to invest in developing and enhancing the HITRUST Approach, which integrates the various components of information risk and compliance management into a holistic ecosystem. These include the framework, assurance program, management tools, enabling technologies, training, and independent assessor governance.
The investments we make represent our unique approach, which keeps evolving. We are fifth generation while others are still on earlier generations, and we have moved beyond the security and compliance certification programs of other organizations. With this approach, our customers will continue to benefit from the most complete, innovative, integrated, responsive, adaptable, accurate, transparent, reliable, and extensible assessments of their IT environments and those of their third-party partners.
And that will never change.
For a limited time, HITRUST is also offering free two-year subscriptions to the HITRUST Assessment XChange (XChange) for eligible organizations—those in healthcare or those that have been negatively impacted by COVID-19, such as distributors, manufacturers, and payors. The XChange streamlines and simplifies third-party risk management. Participants can tap into a common risk management approach that includes validation of vendor information, implementation of a risk tiering and scoring methodology, and facilitation of automated vendor classification along with the recommended level of assurance to request from each vendor.