How to Prepare for HITRUST CSF® Certification


For hospitals and other healthcare organizations, the COVID-19 pandemic is not the only threat. Every day, those in the healthcare industry grapple with a looming cybersecurity crisis. In 2019 alone, there were more than 500 data breaches in the U.S. that compromised patient records. Today, as most healthcare organizations have switched to electronic health records, network and data vulnerabilities will likely increase. Therefore, healthcare organizations must safeguard patients’ sensitive information while also meeting security and compliance standards. Various regulations surrounding data security and privacy exist, including HIPAA, CCPA and GDPR. While HIPAA compliance is beneficial, it alone falls short of protecting electronic protected health information (ePHI). The adage that compliance does not equal security comes to mind. This is where HITRUST CSF Certification comes in.

Keep reading to learn about HITRUST CSF® Certification, the significance of CSF certification, and how to prepare your organization for the certification process.

What is HITRUST CSF Certification?

Before we dive into the ins and outs of HITRUST CSF Certification, let’s first discuss how it came to be. In 2007, key players in the healthcare industry formed the Health Information Trust Alliance (HITRUST). Its goal was to share information security best practices, help protect sensitive information, effectively manage risk, and institute unified information security standards for healthcare providers, payors and business associates.

Because of the inconsistencies and gaps among existing regulations, HITRUST developed the HITRUST Common Security Framework (CSF) to streamline information security. Today, the HITRUST CSF has expanded into a security, privacy and compliance risk management framework that can be applied to any industry.

To receive the HITRUST CSF Certification, you must demonstrate that you can securely access, store or exchange protected health information. Note that it is a rigorous process that entails control evaluation, remediation and assessment by an independent Authorized HITRUST External Assessor like SCA.

Preparing for the HITRUST CSF Certification

The size of your organization will affect the timeline for receiving HITRUST certification: the more complex a company’s structure is, the longer it takes to complete each phase. Below is a step-by-step guide to becoming HITRUST certified.

Get Support from the Top

Getting executive buy-in and support helps ensure you have the supplies, financial resources and staff needed for the best outcome. You’ll need to explain the importance of the certification process to lay the foundation for the support and cooperation you need to complete it.

Choose the Project Coordinator

Every project needs a leader. The project coordinator should be someone in a senior position within the company who will be charged with managing teams and providing guidance toward achieving the goals set for the HITRUST CSF assessment. They’ll also be in charge of collecting and managing documentation, tracking interviews, and guiding the entire process. The project coordinator should be able to work with executives and staff members at all levels. If possible, the project coordinator should become a CCSFP (Certified CSF Practitioner) so that they are more familiar with MyCSF and the HITRUST assessment process.

Implement a HITRUST Support Program

HITRUST CSF certification is only good for two years, so your team needs to understand its areas of weakness as standards change. For long-term success with subsequent audits, your team needs to keep up with updates even when there’s no certification assessment coming up. You can perform a Self-Assessment through the MyCSF portal provided by HITRUST, but you’re bound to get the most value out of your certification process by using a qualified cybersecurity assessor.

Set the Project Structure and Standards

The project coordinator will need to meet with the management and key stakeholders to outline the project management structure and standards. This will involve developing a plan and identifying the tools and techniques necessary to complete the self-assessment. The project coordinator will be responsible for:

  • Documentation request tracking
  • Interview tracking
  • Issue/risk tracking
  • Meeting reports
  • Weekly project status

Maintain Open Lines of Communication with All Parties

HITRUST CSF should not be a foreign term in the office. You need to make sure that everyone working with regulated data understands the role that the security standard plays within their job. From executives to staff members, all parties should understand that the company will be undergoing a cybersecurity improvement process and that they may be required to change their routines or take on additional job responsibilities for compliance purposes. When everyone is on the same page, you’ll encounter fewer issues as you progress toward the Validated Assessment.

Define the Organizational Scope

Defining your organizational scope helps you determine which systems, facilities, units, and layers will be a part of the assessment. This helps ensure a comprehensive review of all aspects of your organization is conducted. You’ll need to identify:

  • Type of organization – healthcare or other; provider, payor, service provider, etc.
  • Information about your data, such as the number of records held and/or processed annually and the location of the data, among other criteria.
  • Regulatory factors related to compliance requirements, such as HIPAA, FISMA, CCPA, and PCI.

Define the Scope of Your Systems

The next aspect of scoping involves the higher-risk information systems within your organization. Common system factors that increase the risk of a system and the need for greater controls include:

  • All systems, devices, and technologies that access, store or exchange sensitive information.
  • Technical factors in 19 categories (v9.4), including but not limited to:
      • Uses mobile devices
      • Public or third-party access
      • Stores, accesses, or transmits sensitive data
      • Total number of users, daily transactions, and interfaces to other systems
      • Features hosted in the cloud

Your project coordinator will need to document all the policies, standards, and procedures that support system processes in your organization. Key personnel will then be interviewed to help verify that organizational and system controls are in place. After completing the prep work, your team can start assessing the organization’s controls to ensure they’re working as intended and set up for HITRUST CSF certification success.

Define the Timeline

You’ll want to find out the time and cost required for you to achieve HITRUST CSF Certification. For this step, you’ll need to complete a readiness assessment or self-assessment using the HITRUST MyCSF tool. This step will identify how many control requirements apply to your scenario; these can range from about 200 to over 1,000. The fees for a HITRUST External Assessor are generally driven by the control requirement count and the nature/type of assessment. Other costs to consider are your subscription to MyCSF and your internal cost of dedicating resources to the project. If you would like to know how many controls apply to your situation before you subscribe to MyCSF, SCA offers a complimentary initial scope and control requirement count exercise!

HITRUST certification is a detailed, time-consuming, and exhaustive process with no shortcuts. The number of control requirements and the availability of internal resources to perform a Self-Assessment (or a variation of it) will determine how much time is needed to evaluate the existence of control requirements and the remediation needed to fill the gaps. HITRUST certification has a maturity component, which means controls generally should be operational for 90 days prior to a Validated Assessment. HITRUST allows 90 days for the External Assessor to complete the Validated Assessment, so completion of the Validated Assessment, and potentially achieving certification, will happen approximately 6 months after remediation is complete.

Determine Readiness

Once you’ve established the scope, you’ll need to measure all security documentation against HITRUST’s security controls. This documentation includes policies, processes, evidence of implementation, and documentation of how each control is measured and managed. Note that a HITRUST assessment can focus on policy, process and implementation only, which helps streamline the process. Nevertheless, this stage can take considerable time, depending on your company’s complexity.

While your company can perform this assessment without help (a Self-Assessment), we certainly advise against it. Seeking the assistance of a third-party assessor like SCA greatly improves accuracy and overall efficiency with a Facilitated Self-Assessment. Either a Self-Assessment or a Facilitated Self-Assessment will incur HITRUST fees for the respective reports. SCA offers a HITRUST Gap Assessment that accomplishes the same result without the additional fee.

Remediate Gaps

During this stage, your team will address any gaps noted during the readiness assessment. You’ll need to ensure that each control requirement is met and that those with shared responsibility (e.g. a third-party service provider) are thoroughly documented. Remediating gaps may require implementing new solutions and developing administrative processes, so the time required will vary depending upon your circumstances. As mentioned above, HITRUST certification includes control maturity, so keep in mind the requirement for each control to be operational for a period of time, generally 90 days, before the Validated Assessment can begin.

Validated Assessment

Unlike the readiness assessment, only an Authorized HITRUST External Assessor can perform a Validated Assessment.

This process normally involves an on-site evaluation, but HITRUST is currently allowing remote assessments due to COVID. The Validated Assessment follows a strict evaluation and scoring rubric to measure each control against Policy, Process, Implementation, Measured and Managed criteria. Consistency and clarity are achieved by following this method, so that all organizations are evaluated equally according to size and complexity.

Quality Assurance

Before submitting your company’s assessment results to HITRUST, SCA will appoint an independent analyst to perform a quality assurance review. Once that review is complete, SCA will submit the Validated Assessment and all relevant documentation to HITRUST for their review.

Receiving HITRUST CSF Certification

To become certified, you must meet the information risk management and data security standards of your Validated Assessment requirements, as demonstrated by attaining a successful (minimum) score. Once SCA submits the Validated Assessment, HITRUST evaluates your assessment documentation and scores against their requirements. If HITRUST concurs with the results submitted by the External Assessor, they will issue your HITRUST CSF Certification. It’s worth noting that your HITRUST CSF Certification is valid as of the day the Validated Assessment is submitted to HITRUST and remains valid for two years, provided an Interim Assessment is completed.

Begin Your CSF Certification Journey with SCA

Becoming CSF certified is not only an effective security and risk management strategy but also a significant step in building business partner and patient trust. To achieve HITRUST CSF certification, you’ll need the guidance of information security experts to help you navigate the HITRUST path.

The team at SCA will support you through the entire certification process. This includes an option to help you determine how many controls your organization needs to meet before subscribing to MyCSF. Contact us today for more information.