By Bimal Sheth, Vice President of Assurance Services
Welcome back for the April update in our series on Improving the Throughput and Transparency of the HITRUST Assurance Program. For those of you that missed the February update, it can be found here. This blog post is the fourth part in a series of communications meant to increase transparency as we continuously work to improve our processes.
In this post, I will highlight two important Assurance Advisories that were recently posted and also provide updates on several key HITRUST CSF Assurance Program changes, including the Automated Quality Checks, Quality Assurance (QA) Tasks, and Web Forms.
Recent HITRUST Assurance Advisories
HAA 2020-003: Assessment Scoping Factor Enhancements Designed to Reduce the Effort Associated With and Increase the Accuracy of CSF Assessments
This advisory was previewed during my last post and was officially published on March 30th. The change described is designed to reduce the number of not applicable requirement statements that appear in a HITRUST CSF assessment through the use of new Technical Scoping Factors that allow more granular tailoring of the HITRUST CSF to the assessed environment. As a result, there should be fewer requirement statements that need to be marked as “Not Applicable” by the assessed entity.
Listed below are the new Technical Scoping Factors that will be presented in all MyCSF assessment objects created on or after June 1st:
- Is any aspect of the scoped environment hosted on the cloud?
- Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?
- Does the scoped environment allow dial-up/dial-in capabilities (i.e., functional analog modems)?
- Is scoped information sent and/or received via fax machine (i.e., an actual machine, excluding efax or scan to email)?
- Do any of the organization’s personnel travel to locations the organization deems to be of significant risk?
- Are hardware tokens used as an authentication method within the scoped environment?
- Does the organization allow personally-owned devices to connect to scoped organizational assets (i.e., BYOD – bring your own device)?
- Are wireless access points in place at any of the organization’s in-scope facilities?
- Does the organization perform information systems development (either in-house or outsourced) for any scoped system, system service, or system component?
- Does the organization use any part of the scoped systems, system components, or system services to sell goods and/or services?
- Does the organization allow the use of electronic signatures to provide legally binding consent within the scoped environment, e.g., simple or basic electronic signatures (SES), advanced electronic or digital signature (AES), or qualified advanced electronic or digital signatures (QES)?
- Is scoped information sent by the organization using courier services, internal mail services, or external mail services (e.g., USPS)?
Also introduced in this advisory is the requirement that any Technical Scoping Factors answered “No” will now require the assessed entity to enter a rationale as to why the question was answered as “No.” Because these rationales will appear in the final HITRUST CSF Validated Assessment Report, assessed entities should be sure to use clear, concise language understandable to report readers. HITRUST Authorized External Assessors should also review these rationales before submission of the assessment to HITRUST, as these rationales will be reviewed by the QA Analyst during HITRUST’s QA.
Generally, the HITRUST QA Analysts will review these to the same degree that the “Not Applicable” rationales are currently reviewed. They will specifically be looking to see that the Factor rationales are (1) clear and easily understood, (2) grammatically correct and free from spelling errors, (3) do not contradict other parts of the assessment, such as the Organization Overview and Scope document, (4) make sense given what we know about the scope of the assessment, and (5) have been correctly interpreted based upon the definition of the Factor on the Help page.
HA 2020-004 HITRUST CSF Bridge Assessments
On April 15, 2020, HITRUST CSF Bridge Assessments were introduced with this News Alert. HITRUST CSF Bridge Assessments are designed to fill a specific need for assessed entities who have a requirement to maintain HITRUST CSF Certification but anticipate that they will miss submitting their next HITRUST CSF Validated Assessment on time.
A HITRUST CSF Bridge Assessment allows an assessed entity to obtain a HITRUST CSF Bridge Certificate that is valid for 90 days after the expiration of a HITRUST CSF Certification. This certificate allows assessed entities to provide assurances to their stakeholders about the state of their control environment and also demonstrate that they are making progress on their next HITRUST CSF Validated Assessment.
The accompanying advisory details the qualification requirements for a Bridge Assessment, and I encourage all interested parties to read the qualification requirements closely. After meeting these requirements and obtaining a Bridge Assessment object within MyCSF, the assessed entity will see the object is comprised of 19 randomly selected requirement statements from their last Validated Assessment. Similar to an Interim Assessment, the External Assessor will be responsible for scoring these requirement statements. The External Assessor should leverage any testing that has already been completed as part of current Validated Assessment efforts to help complete the Bridge Assessment and avoid duplication of efforts.
Upon completion of the Bridge Assessment, the External Assessor should submit the assessment object to HITRUST. During this challenging time, HITRUST will be prioritizing the processing of Bridge Assessments for any entities that are healthcare providers, HIEs, or HINs. We anticipate that QA on Bridge Assessments, due to their limited size and scope, should be completed in two to three weeks.
Before completing a Bridge Assessment, I encourage assessed entities to discuss the reason for their delay with their stakeholders. While the Bridge Assessment can result in the issuance of a HITRUST CSF Bridge Certificate, assessed entities should understand that the assessment only opines that it is unlikely that the control environment for the in-scope systems has degraded since the expiration of the HITRUST CSF Certification. This is a much lower level of assurance than that which is provided by a HITRUST CSF Validated Assessment. Correspondingly, some stakeholders may not find that this limited assurance meets their needs.
Updates on Key Assurance Changes
Automated Quality Checks
While the first set of these checks are now live within MyCSF, to ensure a smooth roll-out, the remainder of the checks are being implemented progressively over the next several months. I encourage External Assessors to carefully consider any quality checks that appear in your assessment before overriding the check. As a reminder, the QA team will be reviewing all overrides and may ask follow up questions. Finally, please allow some extra time prior to submission if you have a deadline approaching. The quality checks are a new step, and we encourage you not to rush through responses.
The developers released their initial build of this important enhancement earlier this month. It is currently undergoing testing by our product development team. Given the impact this of change, one of the milestones we included in our release plan was a beta test. As we get closer to a final release, I will reach out to a select group of External Assessors with assessments in the queue to see if they would like to participate in the beta testing and provide feedback.
Since my last post, we have also hit another milestone with a change we collectively call Web Forms being submitted to our developers. The goals of this change were to replace the Organization Overview and Scope document, reduce the amount of potentially duplicative data in an assessment, and streamline certain routine processes to ease the burden on both External Assessors and assessed entities.
With these goals in mind, we began by looking at the Organization Overview and Scope document and asking how we could streamline the presentation of information into a format that was more easily understood in the report. The result was a reduction in the number of inputs required and the migration of those inputs to MyCSF. With all scope information now migrated to MyCSF, the platform should now be able to perform additional edit checks, which will result in fewer QA questions post submission.
We also looked at other offline processes like the QA Checklist, Management Representation Letter, and Validated Report Agreement and migrated the paper-based forms to MyCSF so that they can be signed electronically. This should eliminate the need to find the most recent template and also upload scanned copies of documents. As we move closer to our release date, I’ll share more specific details on these changes and will also publish an Assurance Advisory.
We appreciate all of the feedback we have received over the past several months and look forward to receiving more questions and thoughts. As a reminder, you can submit feedback through your Customer Success Managers, through our UserVoice page, or at firstname.lastname@example.org.