Overview of the HITRUST Validated Assessment

The validated assessment is the final phase before the quality assurance review, which may result in HITRUST Certification. During the validated assessment phase, HITRUST Authorized External Assessors review the progress made during the earlier phases and prepare the assessment materials for HITRUST® approval.

In this dedicated HITRUST blog series, we provide a detailed guide to each phase of the process towards certification:

1. Readiness Assessment
2. Remediation
3. Validated Assessment
4. HITRUST Quality Assurance Review
5. HITRUST Certification

Let’s find out more about the validation phase of HITRUST certification.

Who Conducts HITRUST Validated Assessments?

A HITRUST Validated Assessment is performed by HITRUST Authorized External Assessors. They aim to review and validate the organization’s scores for the various controls. Then, they submit their final assessment to HITRUST for quality assurance review. This is when HITRUST evaluates whether an organization has met the necessary minimum requirements for certification.

IMPORTANT UPDATE: There are now TWO OPTIONS for HITRUST CSF Validated Assessments: 1-Year (i1) Validated Assessment with Certification and 2-Year (r2) Validated Assessment + Risk-Based Certification.

What Happens During the HITRUST Validated Assessment Process?

If you’re wondering, ‘what do HITRUST Validated Assessments include?’ you’re asking the right questions. In order to be fully prepared for an assessment, it’s best to have a solid idea of what the process demands. This phase includes appointing the Certified HITRUST Quality Professional (CHQP) roles, analyzing the environment, defining and developing the test plan, carrying out examinations, interviews and tests, sampling, drafting the working papers, and submitting documentation for the pre-submission quality assurance review. Let’s take a closer look…

Appointing the Engagement Executive and Engagement Lead

Within the test plan, the compliance assessment team must appoint some key figures. Both roles should be entrusted to CHQPs from the External Assessor organization and they will work closely with the internal project coordinator. The Engagement Executive provides support for the organization undergoing assessment, manages costs related to the certification process, and tracks engagement.

The Engagement Executive and Lead should sign off on the scope and test plan before fieldwork starts. Other important responsibilities include testing oversight, as well as reviewing, documenting, and verifying test results.

Analysis of the Environment

First, the External Assessor should work to better understand the environment. This includes:

• Reviewing the systems, business operations, and physical locations that will be assessed.
• Identifying the risk factors that should be assessed.
• Outlining the populations that will need to be sampled.
• Determining which HITRUST certification requirement statements involve shared responsibility.

Definition of the Testing Approach

The objective of testing during the HITRUST validation stage is to assess the organization’s controls. This can be done using three main methodologies.

1. Examining: Reviewing policies, guidelines, records and procedures in order to evaluate how a control is being addressed by the organization.
2. Interviewing: Key personnel with tasks and responsibilities related to a control can be interviewed to collect information about the procedures in place.
3. Testing: System configurations and operations can also be tested to ensure that controls are implemented properly and achieve their design function.

Development of the Test Plan

The first step of the validated assessment is creating a test plan. The External Assessor is charged with developing an outline for the tests required for the controls which fall inside the scope. Test procedures need to be written to address each PRISMA level within the in-scope requirement statements.

This plan should be designed specifically for the environment being tested and will serve as a guide for the validated assessment. A clear plan should be laid out for the External Assessors doing the fieldwork, including the directions for sampling and testing.

Examination, Interviews & Testing

As part of the HITRUST CSF Assurance Program Requirements, External Assessors will validate scores and gap remediation through an examination of related documentation, a series of on-site walkthrough procedures, and interviews with key staff members.

External Assessors must also check the performance of security control processes and do testing to validate their implementation. With each testing approach, they will review the documented policies and implemented procedures related to the control being assessed. They will inspect the operational measures used within the organization and management procedures for relevant controls.

Testing Objectives

During the validation phase, External Assessors perform on-site inspections, interviews, and tests with two specific goals:

• Confirming the organization’s scores from the HITRUST Readiness Assessment.
• Confirming that compliance gaps have been properly identified and are being remediated.

Testing Requirements

Time Limit: According to the 90-Day Assessment Window Rule, all of testing planned as part of the validated assessment must be done within 90 days of the date that documentation is submitted to HITRUST for the quality assurance review.

Procedures: Testing procedures follow the Technical Guide to Information Security Testing Assessment outlined by NIST.

Get more information about HITRUST Validated Assessment testing procedures.

Documentation: Once the necessary information is gathered, the External Assessor will document any findings.

Sampling

For the HITRUST Validated Assessments, the External Assessor my test samples of system components in order to verify controls. Samples should fairly represent the systems, applications, databases, networking devices, and connected support systems in the assessment scope. It must also be large enough to allow the External Assessor to draw reliable conclusions about the sample group.

Standard data collected from a sample should include:

• The population source,
• Population size,
• Date range,
• Minimum required sample size,
• Method for selecting the sample – random, systematic, or haphazard, and
• Measures taken to ensure the sample accurately represents the population.

Drafting Working Papers

During the HITRUST Validated Assessment, the External Assessor is responsible for compiling documentation which supports their validation of assessment scoring. Working papers should include the following information:

• Name of the assessment,
• Name of the tester,
• Date of when the testing procedure was carried out,
• Description of the testing procedure,
• Results.
• Date and timestamp of when the sample was pulled, if possible,
• List of the scoping elements involved, if possible.

Working papers must cover the entire scope in order for the validated assessment to be considered complete.

Before Submitting a Validated Assessment for Quality Assurance Review

Prior to the HITRUST quality assurance review, the organization is required to perform a pre-submission review. This involves the External Assessor’s Engagement Executive and CHQP. They have the responsibility of going over the documentation related to the organization’s assessment.

During the Pre-submission Quality Assurance Review, External Assessors compare the documentation to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assurance Methodology. Their work follows the HITRUST External Assessor Quality Checklist available through the MyCSF® portal.

For more information about this pre-submission process, refer to the next article about the HITRUST Quality Assurance phase.

Finally, the External Assessors will gather the working papers, interview and test results, and submit the documentation to HITRUST for the quality review. At that point, the validated assessment will be reviewed by both the HITRUST Assurance and Compliance teams, which will determine if the organization has met the requirements to achieve certification.

Find out how to Prepare for Your Upcoming HITRUST Assessment with Confidence and refer to our HITRUST CSF Glossary.

Seamless HITRUST Certification Support

HITRUST certification helps organizations demonstrate their compliance of information security standards to help mitigate risk. Put the right protocols in place and make sure your organization’s infrastructure meets or exceeds the industry standard. For more information on becoming HITRUST Certified, call the I.S. Partners team at 215-675-1400 for an in-depth consultation and audit.

Go on to find out more about Phase 4 of the HITRUST certification process: Quality Assurance Review and Certification Requirements

About The Author

Robert Godard

Robert is a Principal with I.S. Partners, LLC’s Business Process/Advisory Services practice in Horsham, PA. Robert has conducted a variety of Financial Statement Audits for a range of industries such as banking, healthcare, payroll, employee benefit plans (Pension, Health and Welfare), Unions and Construction.

Robert’s specialty is in audits of IT Controls and Infrastructure, Financial Statements, SOC 1 and SOC 2 audits, HITRUST CSF Assessments, Model Audit Rule (MAR), including evaluating business process as well as IT General Controls surrounding the reporting of financial information. He also has experience with analyzing Health Insurance information from AmeriHealth, Blue Cross Blue Shield, Express Scripts and Delta Dental. Additionally, Robert has performed audits for Construction and Special Tax related credits (Historical Tax Credits). He has prior work experience using ISSI, Great Plains and Peach Tree.

Prior to joining I.S. Partners, LLC, Robert was employed with Novak Francella in the Financial Statement Audit division, where he worked as an associate on external audit engagements in accordance with GAAP and DOL requirements.

Robert has a Bachelor of Science degree in Finance and Accounting from LaSalle University, Philadelphia, PA.