Safeguarding healthcare information used by hospitals, insurance companies and other health-related industries is vital to prevent identity theft and other illegal activities. Information security specialists will perform assessments of health information systems to ensure that all protected health information is created, gathered, transmitted and stored in a secure manner throughout the organization.
HITRUST® has established the CSF for organizations to validate the privacy and security of their health information systems and achieve the required certification. When you perform an assessment, you need to determine the scope of the HITRUST engagement so that the assessors can efficiently evaluate the right data and systems during the given assessment period.
Importance of Determining the HITRUST Scope
A full assessment of all health information systems at one time is not always viable or necessary for every healthcare organization. Large assessments become more complex, time-consuming and costly. Breaking up the engagement into smaller assessments allows you to focus on a defined set of information systems, records, technologies and personnel, so you have an easier time obtaining the necessary certification. In addition, you establish boundaries to better manage and control the assessment so it stays focused and doesn’t stray from your specified parameters.
To plan out the scope of the engagement, break it down into these three key factors:
- Figure out which departments of the organization will be undergoing the assessment
- Evaluate and understand the data, records, and reports used in that specific department
- Define the systems, technologies, and devices that store, access and transmit the private health information
Organization and Department Scope
Every organization has different security factors based on what they do with the private health information. The first step in determining the scope of HITRUST engagement is to figure out the entity type of your organization as well as your potential security risks. Then you can further understand what local, state and federal regulatory standards apply to your organization.
In addition, you have to figure out which departments will fall under the assessment engagement and where they are located. You may have an organization where a single department spans multiple geographical locations, with each location performing a specific task in the process. You will want to evaluate the risk factors of these departments in other locations and the security risks that may be present, especially when they transmit data between geographical locations.
Another factor is to see who is accessing the data. Figure out all the personnel who will come in contact with the data, how they use it, and what steps are taken to securely manage the data.
Data Type and Usage Scope
You want to determine the types of data that the specific department uses, how that data is used, and what is done with it after the information is no longer needed. A data flow diagram is a documentation method you can use to understand the processes and systems that are set up to interact with the data.
Data Flow Diagram: A data flow diagram simply tracks the flow of data through the department. It establishes the following department activities:
- How the data is gathered;
- Where the data is transmitted;
- How the data is stored;
- How the data is processed;
- How the data is removed or destroyed.
This diagram will allow you to identify key risk factors in how data is collected, used and stored. You can also examine the protocols that are presently in place for the disposal of records. By establishing the scope of the data type and usage, you can focus your assessment on the necessary data and its flow through your organization, so you don’t have to go through huge amounts of data during the engagement that isn’t relevant to the assessment.
System, Technology and Device Scope
This step involves diving deep into the technological side of your operations in the specific department that will undergo the HITRUST engagement. These technologies, devices and systems can range from:
- Standalone and network-connected patient care systems
- Business administration systems, such as accounting or customer service networks
- Infrastructure components, such as routers and firewalls
- Mobile devices
You want to understand the accessibility of your networks to these devices and technologies to determine any weak points or gaps in security measures. You’ll want to determine how systems connect, interact and transmit data as well as figure out which systems need to be connected on a permanent basis versus devices and technologies that only connect for one-time use.
A network diagram, system inventory document and systems management document can help you narrow down the scope of your HITRUST engagement involving your systems and technologies.
System Inventory Document: The system inventory document involves finding out which technologies and devices are part of the department undergoing the assessment. You can then focus on determining the interactions of only these devices within the scope of the HITRUST engagement, without needing to evaluate systems that fall outside it.
Network Diagram: A network diagram gives you a visual roadmap of the data environment. It shows how the network environment fits together when interacting with the data that moves to different technologies and systems. Creating a network diagram also allows you to have a greater understanding of how you manage your network and what controls should be put in place to increase network security.
System Management Processes: The system management document allows you to narrow the scope to the processes used to manage your systems and technologies. You’ll be able to focus on what you do to safeguard technologies, how you grant network access permissions, and how you revoke access for devices when they no longer need to use the network data.
Establishing Scope Parameters for a Successful Assessment
Achieving HITRUST CSF certification requires understanding the boundaries of what will be evaluated in your organization. With those boundaries defined, you will be able to keep the scope of engagement focused on the desired outcome without wasting time or money on an assessment that grows too large to carry out or control.
If you are getting ready to perform a HITRUST CSF assessment in your organization and need help to get started, contact I.S. Partners, LLC. We can assist you in establishing scope boundaries so you can perform a self-assessment. We also provide validated assessments and certifications for organizations.