How the HITRUST PRISMA Model Delivers ‘Rely-Ability’
HITRUST® has streamlined the whole assurance process by centralizing robust compliance reporting and reviews. Combining assessment requirements, guidance through assessment preparation and readiness, assessor training, the assessment platform (HITRUST MyCSF®), and quality assurance reviews, HITRUST provides the structure for a more consistent and reliable cybersecurity program.
A unified, comprehensive program ensures better overall assurance for the entire IT environment. And the HITRUST CSF® makes the assessment and certification process much clearer and more efficient for organizations. At the same time, centralized reporting and oversight helps HITRUST to track and encourage continual improvement.
The end result, in HITRUST’s own words, is increased “efficiency, integrity, transparency, consistency and ultimately the ‘rely-ability’” of the assurance it produces. This is why HITRUST CSF assessments and certification can serve as a dependable basis for trust among an organization’s stakeholders, and why they give organizations a more usable, risk-based route to regulatory compliance.
We want to take a deeper look at how this ‘rely-ability’ is built. To do so, we need to focus on the HITRUST Maturity Model® and how it builds on and extends the basic PRISMA model. We also look at how HITRUST’s latest update to the PRISMA weights and scoring rubrics reflects this concept of ‘rely-ability’.
Learn more about the Strength of HITRUST Maturity.
How the HITRUST Maturity Model Advances the Basic PRISMA Model
HITRUST’s approach to evaluating controls is built on NIST’s PRISMA (Program Review for Information Security Management Assistance, NIST IR 7358) maturity model. It is not a binary pass/fail test, and it does not look only at whether a control is designed and operating effectively; it also asks whether the control is documented, monitored, and managed.
HITRUST uses a five-level maturity model. The five levels comprising the HITRUST Maturity Model are as follows:
- Policy – Are management’s expectations clearly laid out in written policies? Are those policies communicated and approved?
- Procedure – Are the operational aspects of the control defined in written procedures? Are those procedures communicated and approved?
- Implemented – Is each control in place? Is it being performed? Is it operating as expected?
- Measured – Is there a mechanism in place that informs the organization when a control is not operating effectively?
- Managed – Is the organization responding to risks as they are identified? Are issues being addressed?
Over the course of HITRUST CSF readiness and validated assessments, a HITRUST Authorized External Assessor rates each of the five maturity levels for every requirement statement on a five-point compliance scale that ranges from non-compliant to fully compliant.
Each level carries a fixed number of available points, and the rating determines what share of those points the control earns: non-compliant earns 0%, somewhat compliant 25%, partially compliant 50%, mostly compliant 75%, and fully compliant 100%. The earned points across the five levels are summed to give the control’s maturity score.
Learn more about How HITRUST Assessments Are Scored.
The new HITRUST scoring rubric and weighted point system which went into effect December 21, 2019. Source: HITRUST Assurance Advisories, “Updated PRISMA Weights and Scoring Rubrics.”
Updated PRISMA Model
The five levels in HITRUST’s PRISMA-based maturity model are weighted in favor of the first three maturity levels (policy, procedure, and implemented). HITRUST changed the weight distribution from the original PRISMA model effective December 21, 2019. Under the new weights, the implemented level is worth the most points because actual implementation is the part of the model that most directly reduces risk.
The goal of this change was to steer organizations seeking HITRUST certification toward the work that actually reduces risk rather than toward documentation alone. The logic is that security control policies and procedures are foundational, while the measured and managed levels are essentially monitoring and remediation of controls that already exist. For that reason, the combined points for policy and procedure still exceed the combined points for the last two levels. But policies and procedures, however good, are of little value if they are not implemented, which is why the implemented level now accounts for the single largest share of points on HITRUST assessments.
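The following is an added worked example, not HITRUST’s own tooling or code from this page, that computes a control’s maturity score from the five level ratings and shows how the same ratings score differently under the original PRISMA weights and the updated weights. The weight values (original 25/25/25/15/10, updated 15/20/40/10/15) are the published figures from the HITRUST advisory cited above, and the rating percentages are the five-point scale described earlier; the two sample controls are constructed for illustration, and you should confirm the weights against the MyCSF version you are assessed under before relying on them.

```python
"""Weighted HITRUST control maturity scoring (added example).

Weights are taken from the HITRUST advisory "Updated PRISMA Weights and
Scoring Rubrics" (effective 2019-12-21) and the original PRISMA weights they
replaced. Confirm against your MyCSF version before relying on them.
"""
from typing import Dict, Mapping

LEVELS = ("policy", "procedure", "implemented", "measured", "managed")

# Points available at each maturity level under each weighting (each sums to 100).
ORIGINAL_WEIGHTS: Dict[str, float] = {
    "policy": 25, "procedure": 25, "implemented": 25, "measured": 15, "managed": 10,
}
UPDATED_WEIGHTS: Dict[str, float] = {
    "policy": 15, "procedure": 20, "implemented": 40, "measured": 10, "managed": 15,
}

# Five-point compliance scale: share of a level's points that a rating earns.
RATING_PERCENT: Dict[str, float] = {
    "non-compliant": 0.00,
    "somewhat compliant": 0.25,
    "partially compliant": 0.50,
    "mostly compliant": 0.75,
    "fully compliant": 1.00,
}


def control_score(ratings: Mapping[str, str],
                  weights: Mapping[str, float] = UPDATED_WEIGHTS) -> float:
    """Return the 0-100 maturity score for one requirement statement.

    `ratings` maps each of the five levels to a rating on the compliance scale.
    Every level must be rated, and the weights must sum to 100, so that a
    fully compliant control scores exactly 100.
    """
    missing = [lvl for lvl in LEVELS if lvl not in ratings]
    if missing:
        raise ValueError(f"unrated maturity levels: {missing}")
    if abs(sum(weights[lvl] for lvl in LEVELS) - 100) > 1e-9:
        raise ValueError("maturity level weights must sum to 100")

    total = 0.0
    for level in LEVELS:
        rating = ratings[level].strip().lower()
        if rating not in RATING_PERCENT:
            raise ValueError(f"unknown rating {ratings[level]!r} for {level}")
        total += weights[level] * RATING_PERCENT[rating]
    return round(total, 2)


def compare_weightings(ratings: Mapping[str, str]) -> Dict[str, float]:
    """Score the same ratings under the original and updated weights."""
    return {
        "original": control_score(ratings, ORIGINAL_WEIGHTS),
        "updated": control_score(ratings, UPDATED_WEIGHTS),
    }


# Constructed sample controls (illustrative, not real assessment data).
# A "paper" control: fully documented but never put in place.
PAPER_CONTROL = {
    "policy": "fully compliant",
    "procedure": "fully compliant",
    "implemented": "non-compliant",
    "measured": "non-compliant",
    "managed": "non-compliant",
}
# A working control with thin documentation but real implementation and follow-up.
WORKING_CONTROL = {
    "policy": "partially compliant",
    "procedure": "partially compliant",
    "implemented": "fully compliant",
    "measured": "mostly compliant",
    "managed": "mostly compliant",
}

if __name__ == "__main__":
    for name, ctrl in (("paper control", PAPER_CONTROL),
                       ("working control", WORKING_CONTROL)):
        print(name, compare_weightings(ctrl))
```

Under the original weights the paper control scores 50 and the working control 68.75; under the updated weights the paper control drops to 35 while the working control rises to 76.25. That gap is the whole point of the reweighting: documentation without implementation is now worth noticeably less, and a control that actually operates is worth more even when its write-up is imperfect.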
Graph showing the difference in HITRUST PRISMA weights in point value for the five levels of HITRUST’s original PRISMA maturity model vs. the updated model. Source: HITRUST Assurance Advisories, “Updated PRISMA Attribute Weights.”
New HITRUST Maturity Level Scoring Rubric
The new HITRUST assessment scoring also takes into account both the strength of the maturity criteria met and the coverage of the elements defined in each requirement statement. Strength is evaluated in tiers that represent how rigorously the maturity criteria are met. Coverage is evaluated on a scale from very low to very high that represents how much of the requirement statement is addressed. The intersection of these two measurements produces one of the five compliance ratings, from non-compliant to fully compliant, from which the final maturity score is calculated. This rubric is applied separately within each of the five PRISMA maturity levels.
Example of the HITRUST PRISMA scoring rubric for one HITRUST CSF control maturity level; pictured here is the policy level. Source: HITRUST Assurance Advisories, “Updated PRISMA Weights and Scoring Rubrics.”
Benefits of the HITRUST PRISMA Maturity Model
So, what does this mean for organizations seeking to obtain or maintain HITRUST certification?
Stronger Cybersecurity Protection & Compliance Efforts
The updated HITRUST PRISMA attribute weights mark an important shift toward more effective cybersecurity: the points available at each level now better reflect how much that level actually reduces residual risk. For successful HITRUST assessments and certification, organizations need to focus on designing sound security policies and procedures and, above all, on implementing them effectively. As we know from experience, effective design and implementation are not only the basis for compliance; they are also the strongest defense against real threats to your organization’s infrastructure.
Assessment Accuracy & Consistency
The scoring rubric was also enhanced to ensure more consistent interpretation, by adding definitions for assessment terms, worked examples, and color-coded tables. HITRUST expects these changes to make scoring more predictable and consistent, both between internal and external assessors and among different assessors over time.
A Clear Outline for Building, Maintaining, & Enhancing Your Risk Management Program
First, the HITRUST PRISMA maturity model acts as the foundation upon which your organization can build a strong information risk management program. Next, using the same model, your team can accurately assess security policies and procedures, as well as the implementation, measurement, and management of security controls. Finally, the HITRUST CSF encourages continual improvement by design, through its weighted scores and maturity levels.
Guidance through a Framework that Is Simple to Use
The goal of HITRUST has always been to simplify the security assessment and certification process. Now, with the updated PRISMA model, HITRUST has made it even easier to use for scoring HITRUST CSF assessments.
I.S. Partners, LLC. – Certified HITRUST External Assessor
I.S. Partners has been an Authorized HITRUST External Assessor since 2016. We have worked with companies of different sizes and in a variety of industries throughout the country. Our team guides organizations through the entire HITRUST preparation, readiness, certification, and remediation process. Contact I.S. Partners, LLC for more information.