The Power of Gap Analysis & Remediation for HITRUST CSF Certification

Your company is investing a lot of time and effort in the process to achieve or renew HITRUST® certification. So, you really don’t want to fail during the validated assessment or the quality assurance review. After all the work to get to this point, success is important. That’s why gap analysis is a powerful tool during the remediation phase.

Learn more about the HITRUST CSF.

In this blog series, we are taking a closer look at each stage of the HITRUST certification process:

1. Readiness Assessment
2. Remediation
3. Validated Assessment
4. HITRUST Quality Assurance Review
5. HITRUST CSF Certification

Join us as we discuss the importance of conducting gap analysis and the other steps of the remediation phase.

The Importance of Gap Analysis for HITRUST Certification Success

Because HITRUST regulations change over time and so does the security environment of your organization, regular assessments help bridge those gaps. Gap analysis identifies procedures, policies, security controls and documentation that needs to be collected or updated to meet current HITRUST CSF requirements.

Learn about the new additions to the latest version, HITRUST CSF v9.3, which is now in effect.

Bridge assessments are recommended before the validation phase of HITRUST certification. This is true for companies seeking certification for the first time, or re-certification. They help ensure success by highlighting areas that still need improvement.

Gap Analysis Checklist

The following items should be on your organization’s HITRUST gap analysis checklist:

• Business processes,
• Operational policies and procedures,
• Reporting policies and procedures,
• Missing documentation,
• New compliance requirements.

Remediation then gives the organization the chance to fill in the gaps before submitting the HITRUST assessment for validation and quality assurance.

What Happens During the Remediation Phase?

Think of gap analysis as holding a measuring stick to the information security environment and risk mitigation controls. Remediation is the process of moving your organization from its current length towards the end of the stick. It’s normal for a company to have some work to do in order to reach 100% compliance.

So, remediation asks the question, ‘how can we get there?’ The process for meeting the mark involves six steps.

1. Develop a Remediation Plan

After the readiness assessment process, the project coordinator and/or HITRUST Authorized External Assessor will recommend strategies for improvement. Remediating the identified gaps will require certain actions, as well as management and tracking of those actions. The remediation plan should outline these different stages and tasks needed to implement recommendations. It’s important that the CAP responds directly to your organization’s environment and readiness assessment performance. Finally, the CAP should be written and formalized.

2. Submit Information to the HITRUST Alliance

Once the gap analysis checklist featuring all non-compliant controls and recommended remediation tasks has been completed, it should be sent to HITRUST. Using the HITRUST MyCSF®, the assessor will send:

• The assessment questionnaire,
• Description of the scope,
• Description of the organization’s information security environment,
• Report of testing performed, and
• Corrective action plan (CAP).

HITRUST will then provide a report covering the strengths and vulnerabilities related to your organization and a score for each control.

Read more about HITRUST Scoring for Readiness and Validated Assessments.

3. Present the Report

After the HITRUST CSF Readiness Assessment, the results should be shared with executive management and key stakeholders. A comprehensive report will outline:

• Each business units’ current level of compliance with HITRUST CSF standards,
• The general system’s level of compliance,
• Remediation goals and tasks.

4. Formalize the Corrective Action Plan

Input from department directors, system owners, and business unit heads will help develop the CAP in more detail and lay the foundation for implementation. At this point, management will need to come to an agreement on implementing controls and a timeline for remediation.

5. Share the Report

At this point, HITRUST readiness assessment results can be shared with any interested third parties.

6. Remediation

With this information, and the results of the gap analysis, it’s possible to start tracking remediation progress. HITRUST advises using the CAP to track the scope, timing, roles and responsibilities involved in remediation. Tracking should cover the following items:

• Control gap identifier,
• HITRUST CSF control mapping,
• Accountable point of contact,
• Required corrective actions,
• Status of corrective action,
• Scheduled completion date.

Each point person should regularly update the project coordinator on the status of corrective actions and the expected timeline to meet compliance.

Working Towards HITRUST Compliance

Gap analysis and remediation are designed to take the guesswork out of validation. The organization will have a clear idea of their status going into the final stages towards compliance and certification.

A score higher than 3 is needed to achieve HITRUST CSF Certification. There is an exception is for controls scored with a 3 and addressed with a solid corrective action plan. It will be important for the organization to carry out the CAP and make progress towards remediation within one year.

Look up the terms that have you confused in our HITRUST Glossary.

Get Expert Support and Guidance for HITRUST Assessments

I.S. Partners is ready to help your organization prepare for assessments and meet your challenging compliance goals and objectives. Our team has years of experience dealing with IT security compliance and governance gap analysis.

Work with our authorized HITRUST assessment support team and information security experts to achieve certification in a streamlined way. Get more information on how we can help your organization get HITRUST CSF Certified. Contact I.S. Partners at 215-675-1400, or request a free quote, to begin the process.

Go on to find out more about Phase 3 of the HITRUST certification process: Validated Assessment

About The Author

Robert Godard

Robert is a Principal with I.S. Partners, LLC’s Business Process/Advisory Services practice in Horsham, PA. Robert has conducted a variety of Financial Statement Audits for a range of industries such as banking, healthcare, payroll, employee benefit plans (Pension, Health and Welfare), Unions and Construction.

Robert’s specialty is in audits of IT Controls and Infrastructure, Financial Statements, SOC 1 and SOC 2 audits, HITRUST CSF Assessments, Model Audit Rule (MAR), including evaluating business process as well as IT General Controls surrounding the reporting of financial information. He also has experience with analyzing Health Insurance information from AmeriHealth, Blue Cross Blue Shield, Express Scripts and Delta Dental. Additionally, Robert has performed audits for Construction and Special Tax related credits (Historical Tax Credits). He has prior work experience using ISSI, Great Plains and Peach Tree.

Prior to joining I.S. Partners, LLC, Robert was employed with Novak Francella in the Financial Statement Audit division, where he worked as an associate on external audit engagements in accordance with GAAP and DOL requirements.

Robert has a Bachelor of Science degree in Finance and Accounting from LaSalle University, Philadelphia, PA.