By Michael Parisi, Vice President of Adoption, HITRUST
During the HITRUST Collaborate 2021 conference last month, I was fortunate to moderate a highly informative session exploring the concept that not all assurances are created equal. Since information security assessments differ dramatically regarding transparency, consistency, quality, accuracy, rigor, and other factors, final assurance reports can end up with significant gaps and deficiencies.
To identify some of the key elements to consider when choosing the right assurance mechanism to provide to internal/external stakeholders or request from business partners/vendors, I was joined by the following highly knowledgeable information security and privacy professionals:
- John Houston, VP, Privacy and Information Security & Associate Counsel, UPMC
- Doug Kanney, Principal, Schellman
- Jeremy Huval, Chief Innovation Officer, HITRUST
In our question-and-answer panel discussion, John, Doug, and Jeremy shared many key considerations that help identify the best assurance approach for your organization. I invite you to review their thoughts below. In addition, check out the last section below to preview some exciting new assessment offerings coming soon from HITRUST.
Why is there an increased need for third-party assurances from business partners?
John: Healthcare and other industries are quickly moving to the cloud. As a result, organizations are no longer able to directly control the security of their applications and need a third party to provide that security. Organizations are also sharing data more often with third parties, who perform back-end processing for them. In those cases, they must rely on those third parties to ensure that data is secure.
Doug: The sheer volume of service providers, and the fact that so many of them can be done in the cloud, has increased the demand for third-party assessments in the service provider space. If an organization is using a cloud service provider and that CSP is using sub-providers, they would need an assessment mechanism that would cover and call out that the CSP has gone through some sort of third-party assessment that also covers potential fourth parties, and so on.
What are some common limitations with certain third-party assurance reports that users of those reports should be aware of?
John: One thing that is often overlooked is simply – is the assessment and assurance being provided even covering the service that the third party is supplying to that customer? It is vitally important that the way the assessment is structured actually addresses whether the shared environment is secure. We have seen many instances where an organization has been shown an assessment, but it does not apply to the services they get from that vendor.
Doug: From a scope perspective, one of the things that can get overlooked is carve-outs. If you carve out entity A or B and they are relevant to your scope, do you take it to the next level and include them – or do you assume they will be covered in some other way? The other thing that is important is to have some sort of process for tracking and monitoring issues found in the report. If an issue or exception is found with a third-party vendor, what are you going to do to actively check up in the future to be sure it is fixed? Another consideration is that some assessments are point-in-time. It may look good today, but there could be major changes tomorrow. That’s where the component of continuous monitoring and continuous improvement is key.
John: Let’s take the macro view. My organization is HITRUST Certified, and I place a lot of value on that because technologies change, threats change, our businesses change. So, a security program we put in place today is probably going to be outdated in many respects six months to a year from now. With a mature HITRUST Certification program in place, you should be able to adapt as changes emerge, so you can be confident you have a secure program that reflects the current threat landscape and that others can rely on.
Can you help demystify the different types of assurance reports and discuss some of the considerations for choosing the right one?
Doug: A good place to start is that some are very prescriptive, and some are very broad. For instance, a SOC 2 has high-level criteria, but how organizations meet those criteria could vary dramatically between two separate reports. Another difference is testing control operating effectiveness, not just design. A SOC 2 report may check a box even though there are all kinds of issues with it, but something like HITRUST or ISO would have a much higher bar you have to reach to earn certification. Others such as NIST don’t just meet a bare minimum; they provide a view of how you are performing over time so you can consistently see improvement. After doing all of the other ones, the thing I like about HITRUST is that it blends all the other concepts together. It identifies the maturity model, it is a certification, and it tests for control operating effectiveness with prescriptive requirements.
John: HITRUST checks off all of the things I think are important in third-party assurances. The HITRUST certification audits ensure a consistent and accurate understanding of third-party risks. If I get a HITRUST certification from one third party, it will be very close to the HITRUST certification I get from another third party. Having one consistent measure across my third parties is important to me. If I’m looking at HITRUST, it gives me an objective, consistent measure when I’m looking across third parties.
Do you see the need in the marketplace for a moderate assurance mechanism?
John: In cases where a vendor has access to a large amount of very sensitive information and they deliver a mission-critical service using that data, it is still going to be necessary to require them to deliver a very high level of assurance, like a HITRUST Certification. However, we often see vendors who are smaller and who have access to much less data, and in those cases, it is not really practical to require a full certification. We need some sort of alternative mechanism, which is lighter weight and easier for them to comply with, yet still has a high level of rigor, a lot of consistency, and is still reliable – but is not so burdensome. One answer that is hugely important is to have a lesser, but reliable and consistent level of assurance, which is missing today.
Jeremy: HITRUST is moving to an Expanded Assessment Portfolio to address the gaps that John just described. The expanded portfolio keeps the Validated Assessment, which is being renamed the HITRUST Risk-based 2-year (“r2”) Assessment, which leads to certification. Later this year, we are rolling out two new assessments.
Our new HITRUST Implemented, 1-year (“i1”) Validated Assessment is a new certification offering that is designed to address the moderate assessment space. We believe this assessment addresses many of the missing pieces for moderate levels of assurance with an approach that is very carefully and very thoughtfully designed to ensure rigor along with a reliable level of assurance. HITRUST is also bringing out the Basic, Current-state (“bC”) Assessment designed for a lower level of assurance that is a self-attestation assessment including the HITRUST Assurance Intelligence Engine, which provides some automated validation and scoring.
HITRUST is excited to introduce these new assessment options for customers who need to provide their business partners with low- to moderate-level assurance regarding their information security risk.
As you can tell from my HITRUST Collaborate 2021 conversation with John, Doug, and Jeremy: Not All Information Security Assurances Are Created Equal. Different organizations have different requirements, and many recognized industry assessment frameworks and assurance mechanisms have inherent strengths and limitations. To help more organizations obtain higher levels of reliability for every level of assurance — low, moderate, and high — HITRUST is expanding our assessment offerings across the range of needs to support each organization on their assurance continuum journey.
About the Author
Michael Parisi, Vice President of Adoption, HITRUST
Michael Parisi has led over 500 controls-related engagements and has extensive experience with third-party assurance reporting including HITRUST readiness, HITRUST certification, SOC 1, SOC 2, SOC 3, Agreed Upon Procedure, and customized AT-101 engagements. Michael is deeply involved with helping customers leverage the advantages of the HITRUST Assessment XChange for third parties. He has extensive knowledge of financial reporting and regulatory standards through his external audit and consulting experience, including Sarbanes-Oxley, HIPAA, NIST, CMS, and state-specific standards. He is an active member of ISACA and IAPP.