Learn more about HITRUST® CSF Certification.
If you have never heard of HITRUST, just starting to learn about HITRUST or actively involved in using HITRUST or searching for a qualified, trusted partner to facilitate your HITRUST certification, this article is for you. We will present a high-level overview answering several key questions including; Who is the HITRUST Alliance? What is the HITRUST CSF®? Why is HITRUST CSF certification important? How does the HITRUST CSF Certification process work? How much does HITRUST CSF certification cost? Does HITRUST CSF Certification equal HIPAA Security Rule compliance?
Who is the HITRUST Alliance?
The HITRUST Alliance is a non-profit organization formed in 2007 by healthcare and security experts. The Board of Directors of the HITRUST Alliance is comprised of leaders across the healthcare industry from organizations such as UnitedHealth Group, Highmark Blue Cross Blue Shield, Express Scripts, McKesson, Epic, Anthem, Humana, IMS, and Kaiser Permanente. Their purpose was to develop programs for risk management and compliance for the healthcare industry as an answer to a major question: How can healthcare organizations (providers, payors, business associates) have a reasonable amount of assurance of each other’s security practices? This question continues to be fueled by:
- The increasing complexity of business relationships,
- Data transmitted through an increasingly complex web of relationships,
- Multiple security and privacy frameworks,
- No established healthcare industry standards, and
- An overlay of HIPAA Security Rule and the Privacy Rule compliance
What is the HITRUST CSF?
The answer to the issues identified above is the HITRUST CSF. The CSF (originally Common Security Framework) provides a consensus-driven set of security standards for the healthcare industry. The CSF combines best of breed elements from major frameworks and healthcare regulations including COBIT, ISO 27001/27002, PCI, NIST Cybersecurity Framework, FTC Red Flags Rule, Meaningful Use, HITECH, and HIPAA. Today, the CSF has expanded into certifiable risk management and compliance framework including security, privacy and numerous authoritative sources (frameworks and regulatory requirements) that provides organizations with an actionable roadmap offering consistency and clarity to implementing effective risk management and compliance controls.
Why is HITRUST CSF Certification Important?
HITRUST provides a standardized assessment and certification process. The result is the reasonable assurance to patients, stakeholders and business relationships of security practices at your organization. Becoming HITRUST certified is a significant competitive advantage. By demonstrating HITRUST certification, credibility and prestige are added to your security program. An added layer of brand protection is created through risk management and reduction. Increasingly, HITRUST certification is becoming a requirement in the healthcare industry. CVS Caremark, Health Care Services Corp., Highmark, Humana, United Healthcare Group and Anthem now require their service providers to be HITRUST CSF Certified. This healthcare industry wave is driving 81% of hospitals and 80% of health plans who have adopted or are adopting the HITRUST CSF. Some are just starting to use the CSF as a benchmark while a growing number have fully adopted the CSF through certification.
How does the HITRUST CSF process work?
Organizations who wish to become HITRUST CSF certified will start by subscribing to MyCSF®, the online HITRUST tool for creating a HITRUST audit plan, performing a Self-Assessment and ultimately a Validated Assessment. The Self-Assessment becomes your gap analysis against the control requirements that are specific to your organization’s size, complexity, identified systems, and regulatory requirements. Depending upon the scoping selections, an audit plan can range from 300 to over 800 control requirements. It is highly recommended that you engage the assistance of an Authorized CSF Assessor at this point. Authorized CSF Assessor organizations have demonstrated excellence in the areas of cybersecurity and information protection and have undergone specialized training to become an Authorized CSF Assessor. Your chosen assessor adds value by advising through the scoping process to determine your control requirements. Through a Facilitated Self-Assessment, your assessor helps streamline the self-assessment process. The result of your (Facilitated) Self-Assessment is an understanding of what controls should be implemented to satisfy HITRUST CSF requirements. Once all control requirements are met, you are ready for the Validated Assessment.
A Validated Assessment can only be performed by an Authorized CSF Assessor. During the Validated Assessment, your assessor evaluates each control requirement in your audit plan to provide an independent 3rd party validation of your HITRUST CSF compliance. The Validated Assessment follows a rigorous assessment process. Each of the control requirements is evaluated across five criteria: Policy, Procedure, Implementation, Measured and Managed. Each is scored individually, and partial scoring is allowed depending upon the level of compliance. And, it is possible to attain a successful score by evaluating only against Policy, Procedure, and Implementation. Details about how scoring works are better suited for another post.
Once the Validated Assessment is complete, your assessor must perform a strict quality assurance review before submitting the Validated Assessment and report to HITRUST. HITRUST reviews the Validated Assessment and issues the HITRUST CSF Certification specific to the factors identified in the scoping process. Your HITRUST CSF Certification is valid for 2 years from the date of issuance. To help ensure your organization remains in compliance and has not drifted from the certification, your assessor will return in 12 months for in Interim Assessment that tests sample control requirements across the 19 CSF domains.
How much does HITRUST CSF certification cost?
The direct and indirect costs of your organization should be considered in this calculation. Since these vary widely, this article cannot accurately define them, so we leave this determination to the reader. Outside of direct and indirect costs, there are external cost components.
First, are your fees from HITRUST. These include your subscription to MyCSF and HITRUST Reporting. There are a few options available and HITRUST handles this directly with each client. It is strongly recommended that one of the annual subscription options is chosen as it normally takes quite some time to thoroughly work through the Self-Assessment to prepare. There are three levels of annual subscriptions and each adds functionality that may be of value to you and your organization.
Second, are the fees associated with your chosen Authorized CSF Assessor®. There will be some variance in fees across the available assessors due to different organizational sizes and operating costs. For competitive reasons, we prefer not to make our fees publicly available. However, we can present how our fees are determined. For a HITRUST Validated Assessment, SCA fees are directly related to the results of scoping the assessment. The scoping factors chosen will yield a control requirement count or audit plan. Next, in consultation with the client, we determine if all five evaluation criteria will be included in scope (Policy, Procedure, Implementation, Measured, Managed) for each control or just the first three (Policy, Procedure, Implementation) which are enough to attain a successful score. A time element is assigned to the number of evaluation criteria and multiplied by the number of control requirements to arrive at the time needed. Once we know the time needed, we can arrive at a cost. The calculation looks like this:
Total Time Needed for Validated Assessment = # of Control Requirements X Evaluation Criteria (3 or 5) X Time per Evaluation Criteria
The next fee from your assessor is the Interim Assessment fee. The Interim Assessment is a sampling of controls across the 19 CSF domains and requires a fraction of the time of a full Validated Assessment. This fee might be listed as a separate line-item or calculated into the total fees for the Validated Assessment.
Outside of the Validated and Interim Assessment fees above, other potential fees are those resulting from engaging your assessor in a Facilitated Self-Assessment or other HITRUST consulting services that may be available.
Does HITRUST CSF Certification equal HIPAA Security Rule compliance?
This debate continues. While the HITRUST CSF includes Meaningful Use (now MIPS), HITECH and the HIPAA Security Rule, HITRUST certification does not necessarily equal HIPAA Security Rule Compliance. While neither the HHS or OCR endorse a particular framework or methodology for satisfying the risk analysis requirements in CFR § 164.308(a)(1)(ii)(A), the HHS does include HITRUST in references for their risk analysis guidance. Additionally, the OCR has accepted HITRUST Validated Assessments as evidence of compliance with the HIPAA Security Rule. The caveat is whether the scope of the Validated Assessment matches that of the OCR audit. In other words, if a breach happened to a system that was not included in the Validated Assessment scope, the results of the OCR audit may not be favorable. HITRUST offers more details here. If your goal is to achieve HIPAA Security Rule compliance, scoping your Validated Assessment is of critical importance.
Achieving HITRUST CSF Certification is an ambitious project that will both elevate and help protect your organization. SCA has been delivering world-class information security assessment and advisory services for over 14 years including numerous HIPAA Security Risk Analysis, HIPAA Privacy Assessment, Vulnerability Assessment, Application Assessment, Penetration Testing and Policy Development services for the healthcare industry. We welcome the opportunity to demonstrate how we are different and earn the role as your trusted and valued Authorized HITRUST CSF Assessor!