Factors to Determine the Scope of HITRUST Engagement for Certification

Safeguarding healthcare information used by hospitals, insurance companies and other health-related industries is vital to prevent identity theft and other illegal activities. Information security specialists will perform assessments of health information systems to ensure that all protected health information is created, gathered, transmitted and stored in a secure manner throughout the organization.

HITRUST® has established the CSF so that organizations can validate the privacy and security of their health information systems and achieve the required certification. When you perform an assessment, you need to determine the scope of the HITRUST engagement so that the assessors can efficiently evaluate the right data and systems during the given assessment period.

Importance of Determining the HITRUST Scope

A full assessment of all health information systems at one time is not always viable or necessary for every healthcare organization. Large assessments become more complex, time-consuming and costly. Breaking the engagement up into smaller assessments allows you to focus on a defined set of information systems, records, technologies and personnel, which makes it easier to obtain the necessary certification. In addition, you establish boundaries that let you manage and control the assessment so it stays focused and doesn’t stray from your specified parameters.

To plan out the scope of the engagement, break it down into these 3 key factors:

  • Figure out which departments of the organization will be undergoing the assessment
  • Evaluate and understand the data, records, and reports used in that specific department
  • Define the systems, technologies, and devices that store, access and transmit the private health information

Organization and Department Scope

Every organization has different security factors based on what they do with the private health information. The first step in determining the scope of HITRUST engagement is to figure out the entity type of your organization as well as your potential security risks. Then you can further understand what local, state and federal regulatory standards apply to your organization.

In addition, you have to figure out which departments will fall under the assessment engagement and where they are located. A single department may span several geographical locations, with each location performing a specific task in the process. You will want to evaluate the risk factors of these departments at each location and the security risks that may be present, especially when they transmit data between geographical locations.

Another factor is to see who is accessing the data. Figure out all the personnel who will come in contact with the data, how they use it, and what steps are taken to securely manage the data.

Data Type and Usage Scope

You want to determine the types of data that the specific department uses, how the data is used, and what is done with it once the information is no longer needed. A data flow diagram is one documentation method you can use to understand the processes and systems that interact with the data.

Data Flow Diagram: A data flow diagram simply tracks the flow of data through the department. It establishes the following department activities:

  • How the data is gathered;
  • Where the data is transmitted;
  • How the data is stored;
  • How the data is processed;
  • How the data is removed or destroyed.

This diagram will allow you to identify key risk factors in how data is collected, used and stored. You can also examine the protocols that are presently in place for the disposal of records. By establishing the scope of the data type and usage, you can focus your assessment on the necessary data and its flow through your organization, so you don’t have to go through huge amounts of data that isn’t relevant to the assessment.

System, Technology and Device Scope

This step involves diving deep into the technological side of your operations in the specific department that will undergo the HITRUST engagement. These technologies, devices and systems can range from:

  • Standalone and network-connected patient care systems
  • Business administration systems, such as accounting or customer service networks
  • Infrastructure components, such as routers and firewalls
  • Mobile devices

You want to understand the accessibility of your networks to these devices and technologies to determine any weak points or gaps in security measures. You’ll want to determine how systems connect, interact and transmit data as well as figure out which systems need to be connected on a permanent basis versus devices and technologies that only connect for one-time use.

A network diagram, system inventory document and systems management document can help you narrow down the scope of your HITRUST engagement involving your systems and technologies.

System Inventory Document: The system inventory document involves finding out which technologies and devices are part of the department undergoing the assessment. You can then focus on only determining the interactions of these devices in the scope of the HITRUST engagement without needing to evaluate other unnecessary systems.

Network Diagram: A network diagram gives you a visual roadmap of the data environment. It shows how the network environment fits together when interacting with the data that moves to different technologies and systems. Creating a network diagram also allows you to have a greater understanding of how you manage your network and what controls should be put in place to increase network security.

System Management Processes: The system management document allows you to narrow the scope to the processes used to manage your systems and technologies. You’ll be able to focus on what you do to safeguard technologies, how you grant network access permissions, and how you revoke access for devices that no longer need to use the network data.
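The data flow diagram and the system inventory work together: the inventory lists what a department owns, and the data flows show where protected health information actually travels. The following added example (not from the original post, and not an I.S. Partners or HITRUST tool) models both on a small, constructed inventory and derives the in-scope system set mechanically. Every system name, department, location and flow in it is made up for illustration. The rule it applies is the one the text describes: start from the systems of the department under assessment, follow every flow that carries PHI, and pull the receiving system into scope even if it belongs to another department or sits at another site; a flow that carries only de-identified data does not widen the scope.

```python
"""Derive the in-scope system set for a departmental HITRUST assessment from a
system inventory plus the PHI data flows between systems.

Constructed example: all systems, departments, locations and flows are sample data.
"""

from collections import deque
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    department: str
    location: str
    # Outbound data flows: (destination system, True if the flow carries PHI).
    flows: list = field(default_factory=list)


# Constructed inventory: a fictitious "billing" department and its neighbours.
INVENTORY = [
    System("patient-portal", "billing", "site-A", [("claims-db", True)]),
    System("claims-db", "billing", "site-A",
           [("reporting", True), ("clearinghouse-gw", True)]),
    System("clearinghouse-gw", "billing", "site-B", []),
    # Reporting forwards only de-identified totals to the dashboard.
    System("reporting", "finance", "site-A", [("exec-dashboard", False)]),
    System("exec-dashboard", "finance", "site-A", []),
    System("cafeteria-pos", "facilities", "site-A", [("general-ledger", False)]),
    System("general-ledger", "finance", "site-A", []),
]


def in_scope(inventory, department):
    """Return the names of every system in scope for `department`.

    Seeds are the department's own systems (from the inventory); the scope is then
    widened transitively along flows that carry PHI (from the data flow diagram).
    """
    by_name = {s.name: s for s in inventory}
    seeds = [s.name for s in inventory if s.department == department]
    scope = set(seeds)
    queue = deque(seeds)
    while queue:
        current = by_name[queue.popleft()]
        for target, carries_phi in current.flows:
            if carries_phi and target not in scope:
                scope.add(target)
                queue.append(target)
    return scope


def pulled_in_by_flows(inventory, department):
    """Systems outside `department` that a PHI flow drags into the assessment.

    These are the ones a pure inventory-based scope would miss.
    """
    scope = in_scope(inventory, department)
    return sorted(s.name for s in inventory
                  if s.name in scope and s.department != department)


def cross_site_flows(inventory, scope):
    """(source, destination) pairs of in-scope PHI flows whose endpoints sit at
    different locations; the text singles these transmissions out for review."""
    by_name = {s.name: s for s in inventory}
    pairs = []
    for name in sorted(scope):
        src = by_name[name]
        for target, carries_phi in src.flows:
            if carries_phi and target in scope and by_name[target].location != src.location:
                pairs.append((name, target))
    return pairs


if __name__ == "__main__":
    scope = in_scope(INVENTORY, "billing")
    print("In scope:", sorted(scope))
    print("Pulled in from other departments:", pulled_in_by_flows(INVENTORY, "billing"))
    print("Cross-site PHI flows to examine:", cross_site_flows(INVENTORY, scope))
```

Run as written, the billing scope is the three billing systems plus the finance department's reporting system, which receives claims data; the executive dashboard stays out because the only flow reaching it is de-identified, and the cafeteria and ledger systems never appear. The one cross-site flow, claims database to clearinghouse gateway, is the transmission to examine first.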

Establishing Scope Parameters for a Successful Assessment

Achieving HITRUST CSF certification requires understanding the boundaries of what will be evaluated in your organization. You will be able to keep the scope of engagement focused on the desired outcome without wasting time or money on an assessment that grows too large to implement or control.

If you are getting ready to perform a HITRUST CSF assessment in your organization and need help to get started, contact I.S. Partners, LLC. We can assist you in establishing scope boundaries so you can perform a self-assessment. We also provide validated assessments and certifications for organizations.
