A HITRUST® assessment reveals whether you and your IT team have learned, applied, and consistently maintain all the controls prescribed by the HITRUST CSF®. This demonstrates that your organization is committed to managing risk, improving its security posture, and meeting compliance requirements. And this is why it’s important that you make HITRUST CSF controls and standards a routine part of your maintenance practice.
Beginning to prepare for HITRUST assessments can seem like a challenge. So, we have put together some advice to help make it a stress-free process.
Prepare for the Upcoming HITRUST Assessment with Confidence
Some companies are aiming for certification, others utilize the HITRUST CSF as a type of internal audit of the organization’s security controls. Preparing for and completing a HITRUST CSF Assessment in an attempt to achieve HITRUST Certification can be a rigorous process. Yet, organizing your team and tools ahead of time will help get your assessment process off to a good start. Before the HITRUST CSF Readiness Assessment, which works as a self-assessment and the first step in certification, there are some crucial preparations that your organization should make.
Setting Up for A Successful HITRUST Assessment
Whether preparing for a HITRUST assessment for the first time, or working to improve for the next, here are some tips for success.
Identify Project Coordinator
The role of the project coordinator is to guide personnel towards meeting the set goals and expectations for the HITRUST assessment. This person will also lead the team collecting documentation, organizing interviews, and steering the process. The project coordinator should lead from a position of authority that has already been established and be able to work with employees and executives on all levels. Coordinating involves checking on participation at different points during the assessment process. According to HITRUST, it’s best to appoint this figure at least 6 weeks before your organization plans to begin fieldwork and testing.
Define Project Management Structure and Standards
One of the first tasks of the project coordinator is to meet with stakeholders and outline the management structure and standards for the HITRUST assessment. Next, he or she will need to create a project plan and list the procedures and tools that will be utilized to complete the assessment. The project coordinator will prepare the structure for the following activities:
- Interview tracking,
- Documentation request and submission tracking,
- Meeting reports,
- Weekly project status and issue log,
- Risk tracking for priority, status, actions required, and resolution.
Consider Bringing Expert Guidance Onboard.
Organizations of all sizes often seek guidance from a HITRUST Authorized External Assessor organization. These third-party experts are trained to assist companies in determining the scope, which type of assessment is a good fit, and the controls that should be addressed. This is often the point where I.S. Partners begins their relationship with clients. Our team works closely with organizations to identify the right scope and expectations, positioning them for an optimal outcome in the final assessment.
Seek Support from the Top Brass.
Explain the importance of the HITRUST assessment process to your company’s executives. Before getting started, stress the value of the reassurance it gives third parties, patients and/or customers. This will help lay the foundation for the cooperation and support needed. Whether you need extra financial resources, supplies, or additional staffing, reach out to make sure you will have what you need to complete the process.
The next step is to clearly define your organization’s unique goals for HITRUST assessment. About one month before beginning work, the project coordinator, key stakeholders and any External Assessors involved should discuss the important reasons for performing a HITRUST assessment and set goals for the outcome. From this, the coordinator can then set the expectations of the various departments involved in terms of evidence collection and timing.
Define the Scope of the Project.
A full assessment of all information systems at one time is not always viable or necessary for an organization. Large assessments become more complex, time-consuming and costly. Breaking up the engagement into smaller assessments allows your company to focus on one set of information systems, records, technologies and personnel. Additionally, defining the scope helps establish boundaries to better manage and control the assessment process.
To plan out the scope of HITRUST CSF engagement, break it down into these three steps:
- Figure out which facilities, systems, departments or business units will be covered by the assessment.
- Evaluate and understand the data, records, and reports used in that specific department.
- Define the systems, technologies, and devices that store, access and transmit the sensitive information.
Before starting the readiness phase, it’s important for your team to understand the boundaries of what will be analyzed. This is fundamental to setting up for certification success.
Plan Ahead and Define the Timeline.
HITRUST assessments can be long procedures; in fact, certification generally takes about a year to complete. Carefully consider the time that it will take your team to properly prepare for assessment, complete gap assessment and the readiness assessment, and handle any remediation necessary before moving on to validation and HITRUST quality assurance. The benefits are great, yet this will require time and resources.
The HITRUST CSF Assessor Quality Checklist asks a representative from the External Assessor organization to sign off that the maturation rule has been respected. The maturation rule requires that all controls, procedures, and policies must be implemented 90 days prior to the External Assessor’s assessment testing. For this reason, planning ahead for a validated assessment may mean scheduling changes to the IT environment before the 90-day mark or after the current assessment period.
Be sure that your organization has considered the timing of the various assessment activities and how they will fit into its work schedule. This should be planned out with respect to regular annual and monthly activities.
Open the Lines of Communication with Everyone on Staff.
From executives to staff members working with regulated data, you need to make sure everyone understands and complies with the HITRUST CSF at all times. When everyone is on the same page and meets the expectations set from the beginning, there are fewer issues as you progress toward the validated assessment.
Gather & Review Supporting Documentation.
First, you will want to gather notes that acknowledge full compliance with HITRUST CSF standards. You should also collect any notations that include failure to adhere to security standards and other known issues. Most importantly, this phase ensures that you face few surprises, if any, during the official HITRUST assessment. This documentation can also be used as a questionnaire during the assessment. Reviewing the documentation can reveal patterns that you and your staff can explore further to make improvements, regardless of the outcome of the audit.
Perform System Tests.
To ensure that you and your team have complied with HITRUST CSF system controls, perform system tests. Uncover any breaches or accidental employee errors as early as possible, so that you go into the assessment fully aware of the issues and have already made whatever corrections are possible in advance.
Are You Ready to Get Started?
After the scope is defined, and the other steps have been addressed, your team should be ready to jump in. Here is the last thing to do as you move towards the self-assessment phase, or the HITRUST CSF Readiness Assessment.
Access the MyCSF® Portal
Now, you’re ready to gain access to the MyCSF portal. Once your organization has received access from HITRUST, it’s possible to start uploading the required documentation, information security policies, and risk management controls for the readiness review.
HITRUST Assessment Experts To Ensure Peace Of Mind And Stakeholder Confidence
I.S. Partners, LLC. understands the value that business partners and stakeholders place on data security. The assessment team also understands that a CIO’s work is never done. If you and your dedicated IT team can use extra assistance to renew your HITRUST CSF certification, we can help. Call us today at 215-675-1400 or contact us online.