The HITRUST Certification process is comprehensive and rigorous. By design, the process gives an organization and its HITRUST Authorized External Assessor team the opportunities and information needed for success. This includes first assessing controls, improving gaps in existing controls and HITRUST CSF® requirements, then verifying that controls meet the requirements for certification. In HITRUST® terms, these three steps are known as:
- Verified Self-Assessment (bC), also called the Readiness Assessment
- Remediation
- Validated Assessment
Let’s clarify what many organizations start to wonder when they first approach the HITRUST certification process: the difference between the two types of assessments and how they are scored.
IMPORTANT UPDATE: The HITRUST CSF Validated Assessment has become the i1 and r2 Validated Assessments; the HITRUST Readiness Assessment has been renamed the bC Assessment.
The HITRUST Validated Assessment vs. Readiness Assessment: What Are the Differences?
Though the procedure and scoring of the Readiness and Validated Assessments are largely the same, they are differentiated mostly by the results. A successful Readiness Assessment provides a HITRUST Readiness Assessment Report which evaluates the current controls for managing information security- and privacy-related risk and becomes the foundation for gap analysis and remediation. A successful Validated Assessment, on the other hand, results in either a HITRUST CSF Validated Report or a Validated Report with Certification.
Readiness Assessment
There are two purposes for the HITRUST CSF Readiness Assessment — the verified self-assessment that has recently been renamed as the HITRUST Basic, Current-State Assessment (bC).
- The Readiness Assessment can be used as a standard methodology for assessing security policies and procedures by organizations that are not pursuing, or not required to complete, the validation and certification process.
- The Readiness Assessment can also be performed in order to prepare for the Validated Assessment in the process of pursuing HITRUST certification.
For most organizations, this is the first phase in the certification process. This phase used to be called the HITRUST self-assessment phase, and it allows organizations to self-assess using the standard methodology, tools, and requirements of the HITRUST CSF® Assurance Program. Alternatively, the organization can work with a HITRUST Authorized External Assessor from the beginning to facilitate the entire process.
When the assessment is complete, HITRUST performs limited validation on the results of the assessment to provide a low level of assurance to the entity.
Validated Assessment
The HITRUST CSF Validated Assessment — which has recently been divided into two options: HITRUST Implemented, 1-Year (i1) and the HITRUST Risk-Based, 2-Year (r2) Validated Assessments — is the third phase of the certification process. This step is performed by HITRUST Authorized External Assessors who have the responsibility of reviewing and validating the organization’s control scores.
When the assessment is complete, everything is sent for the Quality Assurance Review. HITRUST performs a full validation of the assessment to provide high-level assurance. Based on the scores of this assessment, HITRUST then determines if the entity is approved for certification or requires further remediation.
Unsure of which type of HITRUST assessment is right for your organization? Refer to this helpful guide provided by HITRUST.
As this chart illustrates, the main differences between a HITRUST Readiness and Validated Assessment are the level of assurance and type of report provided upon completion.
What Is the HITRUST CSF Maturity Model?
The HITRUST CSF Maturity Model is a continuous improvement cycle used to help organizations comply with the HITRUST CSF. Based on the PRISMA model, the HITRUST CSF Maturity Model is a more robust, and consequently more reliable, method of scoring controls. It is used to score both Readiness and Validated Assessments. These scores drive the HITRUST rating, which determines whether an organization will be certified.
The model has five maturity levels, and each control requirement is evaluated for compliance at each of them.
Policy
Policy asks the hard questions about the organization. Do they know what they are supposed to do? Are the requirements outlined in the policy understood across the organization? Is the policy communicated to all pertinent employees? Are the implementation requirements outlined in the policy? Do the policies contain “shall” or “will” statements for each element of the requirement statements? Are the policies and standards for each element of the requirement statement approved by management?
Process/Procedure
Do formal, up-to-date, documented procedures exist for implementation? Does the process follow the policy, assign responsibility, and provide additional instruction for carrying out the policy? Are the policy requirements documented within the process, and is it understood by those it affects? Are the procedures for implementation of each element of the requirement statement communicated to the individuals that must follow them?
Implemented
Has the control been implemented? Is the organization implementing all the elements of a specific control, and is that implementation everywhere it should be? Is the intent of each control met and followed? Can it be tested? Are ad hoc approaches that tend to be applied on an individual or case-by-case basis discouraged?
Measured
Is the organization able to measure the performance of the control? How is the control being measured for success? Can a statistical analysis be provided, and are threats continuously being re-evaluated? Are self-assessments and audits routinely performed, or data collected to evaluate the adequacy and effectiveness of the implementation of each element of the requirements statement?
Managed
Is the organization correcting any problems that have been identified while monitoring the effectiveness of the control? Is it understood? Are security vulnerabilities being managed, and the controls being adapted to emerging threats? Do the decisions around corrective actions consider cost, risk and mission impact?
How are HITRUST Assessments Scored?
Each control requirement statement within the scope of the assessment is scored according to its level of compliance with each maturity level.
- Non-Compliant (NC), where very few, if any, elements exist for the level being evaluated;
- Somewhat Compliant (SC), where less than half of the elements exist for the level being evaluated;
- Partially Compliant (PC), where approximately half of the elements exist for the level being evaluated;
- Mostly Compliant (MC), where many of the elements exist for the level being evaluated;
- Fully Compliant (FC), where most, if not all, of the elements exist for the level being evaluated.
Each level adds 25% to the total, with 100% being fully compliant. This same scoring system is used for both HITRUST Readiness Assessments (self-assessments) and Validated Assessments.
See the score possibilities for both HITRUST Readiness Assessments (self-assessments) and Validated Assessments.
How are HITRUST Assessment Scores Calculated?
The MyCSF® tool automatically calculates the scores for both Readiness and Validated Assessments, but it is helpful to understand how the calculation works. The score for each control is the sum, across all five maturity levels, of each level's weight multiplied by the compliance rating assigned to that level.
The HITRUST Scoring Rubric
Rating (score) / Maturity level (weight) | Policy (15 pts) | Procedure (20 pts) | Implemented (40 pts) | Measured (10 pts) | Managed (15 pts)
---|---|---|---|---|---
Non-compliant (0%) | None of the CSF requirements. | None of the CSF requirements. | None of the CSF requirements. | No measure or metric in place. | No management action taken.
Somewhat compliant (25%) | Some CSF requirements AND ad hoc. | Some CSF requirements are supported by ad hoc procedures. | Some CSF requirements AND partial scope. | Operational OR independent measure. | Measure or metric AND management actions are sometimes taken on an ad hoc basis.
Partially compliant (50%) | All CSF requirements AND ad hoc. | All CSF requirements are supported by ad hoc procedures. | Some CSF requirements AND full scope. | Operational AND independent measure. | Measure or metric AND management actions are sometimes taken AND a formal action management process exists.
Mostly compliant (75%) | Some CSF requirements are written/signed AND the remainder ad hoc. | Some CSF requirements are supported by written and/or automated procedures, AND the remaining CSF requirements are addressed by ad hoc procedures. | All CSF requirements AND partial scope. | Operational OR independent metric. | Metric only AND corrective actions are always taken AND on an ad hoc basis.
Fully compliant (100%) | All CSF requirements are written/signed. | All CSF requirements are supported by written procedures and/or automated procedures. | All CSF requirements AND full scope. | Operational metric AND independent measure or metric. | Metric only AND corrective actions always taken AND a formal remediation management process exists.
The HITRUST scoring rubric is used by External Assessors and entities to check actual performance against the HITRUST CSF requirements. For both the Readiness Assessment and Validated Assessment, this rubric determines the scores and shows if the organization is meeting the control requirements identified within the scope.
The weights of the five levels in HITRUST’s PRISMA maturity model changed in 2019. As this rubric shows, the implemented maturity level carries the most weight because it is very important to the risk-based approach. The underlying concept is that having controls implemented is the most crucial step to effective risk management. Policy and procedure are foundational steps; while measured and managed control activities are signs of mature organizations.
Compliance therefore depends most heavily on policy, procedure, and implementation. At the same time, the HITRUST Maturity Model encourages entities to continually improve and reach the higher levels of security over time.
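As an added illustration, not part of the original article or of any HITRUST tool, the following Python computes a requirement statement's score from its five ratings using the rubric weights above, and lists the points still available at each maturity level, which is where remediation planning starts. The sample ratings are constructed.

```python
"""Score one HITRUST requirement statement from its five maturity-level ratings.

Added example, not HITRUST or MyCSF code. Weights are the post-2019 rubric values;
each rating step (NC, SC, PC, MC, FC) earns a further 25% of a level's points.
"""
from typing import Dict, List, Tuple

# Maturity level -> weight in points (sums to 100).
LEVEL_WEIGHTS: Dict[str, int] = {
    "policy": 15,
    "procedure": 20,
    "implemented": 40,
    "measured": 10,
    "managed": 15,
}

# Rating codes in ascending order; index * 0.25 is the fraction of points earned.
RATING_ORDER: List[str] = ["NC", "SC", "PC", "MC", "FC"]


def rating_fraction(code: str) -> float:
    """Fraction of a level's weight earned by a rating code (raises on unknown code)."""
    if code not in RATING_ORDER:
        raise ValueError(f"unknown rating code {code!r}; expected one of {RATING_ORDER}")
    return RATING_ORDER.index(code) * 0.25


def control_score(ratings: Dict[str, str]) -> float:
    """Return the 0-100 score: sum over levels of weight x rating fraction."""
    missing = set(LEVEL_WEIGHTS) - set(ratings)
    unknown = set(ratings) - set(LEVEL_WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing levels {sorted(missing)}, unknown levels {sorted(unknown)}")
    return sum(weight * rating_fraction(ratings[level]) for level, weight in LEVEL_WEIGHTS.items())


def gap_points(ratings: Dict[str, str]) -> List[Tuple[str, float]]:
    """Points not yet earned per level, largest gap first; fully compliant levels are omitted."""
    gaps = [(level, weight * (1.0 - rating_fraction(ratings[level])))
            for level, weight in LEVEL_WEIGHTS.items()]
    return sorted([g for g in gaps if g[1] > 0], key=lambda g: g[1], reverse=True)


# Constructed sample: policy written and signed, procedure mostly documented,
# control implemented for only part of its scope, nothing measured or managed.
SAMPLE_RATINGS: Dict[str, str] = {
    "policy": "FC", "procedure": "MC", "implemented": "PC", "measured": "NC", "managed": "NC",
}

if __name__ == "__main__":
    print("score:", control_score(SAMPLE_RATINGS))      # 15 + 15 + 20 + 0 + 0 = 50.0
    for level, pts in gap_points(SAMPLE_RATINGS):
        print(f"{level:<12} {pts:>5.1f} points available")
```

Because the weights are linear, the gap list simply shows that closing the implemented-level gap returns more points than any other single level, which matches the rubric's emphasis on implementation.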
Seamless HITRUST Certification Support
HITRUST certification is key for your organization to show compliance and effectively manage risk. It is the foundation for building a trusting relationship with clients, business associates, and stakeholders. Get the guidance your company needs to become HITRUST CSF Certified. Contact the I.S. Partners team at 215-631-3452 for a consultation and audit.
Go on to find out more about Phase 4 of the HITRUST certification process: Quality Assurance Review and Certification Requirements.