S4 E02: The HITRUST AI Options


Transcript

Jordan Eisner

All right, welcome back. Another episode of Compliance Pointers provided to you by CompliancePoint. This is a podcast focused on information security, data privacy, and other regulatory compliance. And this is the first episode I’m doing this year. Those of you who listen and watch might know me, Jordan Eisner, VP of Growth at CompliancePoint. However, as I alluded to, this is a second episode because a colleague of mine, our General Manager Matt Cagle, is also going to be doing some episodes this year, primarily focused on interviewing different attorneys in the regulatory space. But I get the pleasure of continuing to interview a lot of our folks here and our experts and, you know, letting them share their expertise with our followers and listeners. And so I’m joined today by Brooke Gardner.


Brooke Gardner  

Good morning.


Jordan Eisner    

Who is, it’s senior manager, right, Brooke? Yes, senior manager within our assurance group. Brooke has 20 years, maybe more, of experience in information assurance and auditing. She’s a CPA. A plethora of that experience is in HITRUST, which is a topic we’re going to be talking about today. But yeah, you’re giddy about audits, right, Brooke? Would that be accurate? And how long have you been with CompliancePoint now?


Brooke Gardner  

You could say so, yeah.
I feel like 3-4 years, maybe four years this year.


Jordan Eisner  

Wait, do you feel like 4 or is it definitely four? You know, do you feel more or feel less? You know, I’m trying to derive if that’s good or bad.


Brooke Gardner  

Right.


Jordan Eisner  

Yeah, yeah. We don’t get to see Brooke too often because I guess about 2/3 of our company is down here in the Atlanta area, but we have employees spread out across the US and so Brooke is in Indiana. So it’s nice, nice to see you here on the podcast, Brooke, and look forward to the next time whether it’s at a conference or some sort of thing that we get in person.


Brooke Gardner 

Yeah.


Jordan Eisner  

We’ll dive in. So we’re gonna be talking about HITRUST. What else, right? The HITRUST AI options today. So it continues to be a relevant topic, maybe too relevant everywhere you look, but HITRUST, I think it was just last year. Maybe they had been working on it. Maybe they announced it even prior to that. But it seemed last year was when their AI assessments really started getting into full swing.


Brooke Gardner  

Mm-hmm.


Jordan Eisner  

You actually, even outside of this podcast, Brooke, have given me a little bit of the runway, or not the runway, but the lay of the land in terms of the, what is it, A1 and A2 and how they’re associated with HITRUST E1s and I1s and R2s and every other alphabet and letter that HITRUST now has out there to put together. But we’re going to be talking about the options. We’re going to be giving an overview because it’s not just that you can now get, you can add, and I might fumble some of this, and Brooke, you can clean it up when you talk, when the expert actually talks.

Jordan Eisner  

But you can add these as part of your validated assessment. You can be included in your HITRUST certification, that you have AI controls included in there. But also, there are AI risk assessments or risk management maybe that are separate. So you’re nodding your head. So OK, good, I’m at least not saying an entirely inaccurate thing. So we’ll open some of those up, but let’s stop at the top, let’s start at the top layer. So there are two HITRUST options now. I alluded to them a little bit. Can you tell us about the security assessment and the certification?


Brooke Gardner  

Sure. Yeah, absolutely. So the first option is the HITRUST AI Security Assessment and Certification. And I like to describe this one as the Security Assurance Track for AI. Basically, HITRUST recognized that a lot of organizations now have AI-enabled features inside their platforms, whether that’s automation and analytics, decision support tools or embedded AI capabilities, and clients are starting to ask, how do you secure that? What controls do you have around it? So this option lets organizations add AI-specific security requirements into a validated HITRUST assessment, and it’s done by including the security for AI systems in MyCSF, and then HITRUST can issue an AI designation along with the assessment. If it’s paired with an E1 or an I1, the AI certification is called AI one, and if it’s paired with an R2, it’s called AI 2. So what’s nice is it’s not meant to explode the scope, but it’s a targeted set of AI security requirements that gets added in where it’s relevant. And for organizations that want to show customers they’ve taken real steps to secure AI systems, it’s a strong option. So it’s basically a way to say yes, we’re using AI and we can show validated security assurance around it.


Jordan Eisner  

And how do you feel about the controls? You know, I know I’m going a little off script here, but having looked at it, familiarized yourself with the controls and how they apply. I know AI is still emerging and changing every single day, but how do you feel about them just personally as an auditor in terms of, you know, managing risk and the tie-in with just HITRUST as a whole?


Brooke Gardner  

Yeah, I think they do a really good job at HITRUST. I’m sure they’re going to keep massaging the control language over time, but I think it’s a solid start for the controls and how they’re written. Some of them can get a little clunky, but that’s why we’re here to help people decipher where they’re going with them, but for the most part I think they’re doing a pretty good job.


Jordan Eisner  

Are you seeing widespread adoption or is it minimal? More wait and see from our clients and those that are, you know, turning over to now what would be subsequent year validated assessments. Are they asking about it and adding it in? I know we’ve seen a handful here and there, but it doesn’t seem like there’s an overwhelming majority, but maybe that’s because they’ve got to turn over and get through the cycle and they’re gonna start seeing it added, or has HITRUST maybe commented on what sort of adoption they’re starting to see on the AI controls?


Brooke Gardner  

I’m seeing people kind of being hesitant to get started, or they’re more wanting to do readiness-type assessments versus going all the way and getting a certification. I just think people are being cautious and calculated, which is smart, you know, and a lot of times it depends on if their clients start bugging them about it. That’s when the tables will turn.


Jordan Eisner  

So, which has been a trend of HITRUST even historically before AI, right? Is it asked about? Is there a risk to revenue if I don’t have this? HITRUST would argue differently, and I understand why, and there are certainly purposes of organizations using it for marketability.


Brooke Gardner  

Yeah.
For sure, yeah.

Jordan Eisner  

And security, which is the intent. But you know, I know with the majority of clients we’ve worked with, there’s been some sort of contractual obligation to be HITRUST certified and maintain that. OK, so the AI Risk Management Assessment. Not the same thing.


Brooke Gardner

Yes, no. And this one does not come with a certification. So it’s a little bit different, and this is where some people might prefer to start, honestly, but it’s more of a governance and risk visibility track. And so where the other option is focused on security controls and certification, the AI risk management option is focused on how an organization manages AI risk more broadly. Things like oversight, accountability, risk processes and how AI is being evaluated and governed. So like I said, this one’s not a certification, which is important to know. It’s designed to generate insights and reporting that can be really helpful internally and also really helpful when customers ask, how are you managing risk? So it’s aligned with recognized frameworks like the NIST AI Risk Management Framework. So it gives organizations a structured way to communicate their approach without necessarily going down that certification path right away. So honestly, like I said, for a lot of companies, this can be a great starting point, especially if they’re still early in their AI maturity or they just want to get their governance story in place first.


Jordan Eisner  

OK. But it’s not a, maybe you said this and I missed it. It’s not a control for the AI certification, is it? Like having conducted a HIPAA security risk assessment would be a control under HITRUST?


Brooke Gardner  

No, no, it’s standalone and it does not have to go with a regular validated HITRUST assessment. You can just do it by itself. It’s focused just on AI and just doesn’t give you a certification. It gives companies help answering questions from customers, but it doesn’t provide a certification that’s proof to customers, right? But it’s a starting point.


Jordan Eisner  

Are you seeing much adoption on that one? No.


Brooke Gardner  

I honestly have not. We have customers that are working on the validated pathway, but just work, you know, doing readiness against that one. But I haven’t seen a whole lot on this side.


Jordan Eisner  

Sure. I think that makes sense. It’ll be interesting to see how that goes, what sort of changes or adaptations HITRUST makes to get more adoption on that.


Brooke Gardner  

Yeah.


Jordan Eisner  

So you actually already talked about it earlier, and if I remember right, the AI one goes with an E1 and an I1 and the A2 goes with an R2. There’s no interchanging of that. There’s no, well, I wanna do an E1 and add the A2 controls; they’re specifically matched up with those types of validated assessments. Or is it now, if you’re doing the R2, you have to do AI 2?


Brooke Gardner  

Yes.


Jordan Eisner  

But if you’re doing the I1 and the AI one and you want to up it to an AI 2, you can do it that way.


Brooke Gardner  

Well, yeah, they have to be linked: the A1 has to be linked to the E1 or I1, and the A2 has to be linked to the R2. So it’s just the way those assessments are: there’s the annual ones, or the biannual, which is the R2s.


Jordan Eisner  

OK. But the I1 is biannual too, right? I know it wasn’t at first, it was annual, and now they do the rapid recertification interim years.


Brooke Gardner  

Yeah, they still call it a one-year certification, but you’re right about that. And I don’t completely understand where they’re going with that, you know, because it is, you’re right, it is kind of, you do a full I1 every other year and then a rapid recertification in the middle year, but it’s a little larger than the middle, the interim for an R2.

Jordan Eisner

Right, right. I do recall that. So would you do the AI one at the I1 validated and at the I1 rapid recertification? So you do the AI one as part of it. OK, OK, I see.


Brooke Gardner  

Yeah, they will have you do all the AI controls every year, and even with an R2 when you do your interim year, yes.


Jordan Eisner  

Oh, is that right? OK, I did not know that. That’s a good call out. Yeah, what is the control count? Maybe you don’t know that off the top of your head, and I could be way out of left field here, but was it 50 controls or something being added for an AI 2?


Brooke Gardner  

Yeah, I believe you’re right. It might be more like 60, somewhere in that range, yes. So it’s a decent number of them. It’s a little bit less, closer to like 40 to 50.


Jordan Eisner  

OK, so somewhere in that range. And what about the AI one? OK, so a good bit. I mean that changes the, and all of those have to be reviewed in the interim assessment. So that changes the level of effort for an interim assessment a good bit.


Brooke Gardner  

Correct, yes.
A little bit, yes, that’s for sure.


Jordan Eisner  

Yeah, OK, interesting. Anything else that you would add on how they apply across the different HITRUST assessment types or do you think that pretty much covers it?


Brooke Gardner  

Yeah, I think that pretty much covers it, but it’s just knowing which one that you want to do, right? And knowing if you’re needing that certification or if you’re just doing an internal compliance program, right? Or if you’re just trying to get your ducks in a row internally, or if you need to prove it.


Jordan Eisner  

Yeah. OK. So maybe, I think you sort of just answered this one because I was going to ask next how can businesses determine which option makes the most sense for them? But it sounds like it’s what’s going to be required, maybe. Yeah, what AI is being leveraged. Do you want to talk to that a little bit, like are there various degrees of how AI is being leveraged, or is HITRUST more so just the one-size-fits-all? If it’s E1, it’s A1; if it’s R2, it’s A2. Are there any nuances in the controls or added layers, or is it pretty standard across the validated?


Brooke Gardner  

Sure. Yeah. Well, I think if they’re trying to figure out if they want the certified route versus the not certified route, first they want to decide if AI is in scope. So like, is AI actually part of the system, product or service that’s being assessed for HITRUST already? Not just we use AI somewhere in the business, but it’s part of what customers rely on or what touches your sensitive data. The second thing you want to think about is what are we trying to accomplish? Like, are we trying to show strong security assurance to customers, or are we trying to build a strong risk governance and oversight story? So if they’re getting pressure from their customers, like prove this is secure, then they want to do the certification option, of course. But if they’re still maturing their program, they just want to establish structure internally, like for governance, risk evaluation, internal alignment kind of stuff, then the risk management insights option can be a great starting point. Sometimes the answer can be both. So some orgs might want governance insights internally and certification externally, especially in healthcare if they’re handling PHI or selling to enterprise customers. You know, that’s a long-winded answer to say it depends.


Jordan Eisner  

Well, yeah, that’s a classic consulting and auditor answer. It depends.


Brooke Gardner  

Right.


Jordan Eisner  

Well, I think that covers it pretty well for what is it? What should I expect? Yeah, and how do I go about getting started? And really a lot of that depends on your organization, your goals, or your requirements tied to your HITRUST. Anything in closing, I guess? Anything I didn’t ask, Brooke, regarding the AI assessments within HITRUST that you think would be pretty relevant for the listeners?


Brooke Gardner  

I just think HITRUST is trying to integrate this into their assessments that companies are already doing. And so their intent is that it’s an evolution of the process and not a complete restart of your process, your HITRUST.

Jordan Eisner  

Are there any rumblings of, you know, eventually these controls would be part of an R2 regardless, or part of an I1 A1? OK.


Brooke Gardner  

I have not heard that. And I mean, we’ve got people that may not ever include AI in their systems, probably very few eventually, but so I guess it’s possible in the future depending on how things evolve. But at this point I don’t think so.


Jordan Eisner  

Yeah. OK. Well, Brooke called your break. We’re about to break. It was great having you on, Brooke. Thank you for the overview on HITRUST and, you know, keeping our listeners hopefully with a finger on the pulse on.


Brooke Gardner  

Yeah. Thank you.


Jordan Eisner

AI and how it ties into different information security frameworks that they may be maintaining or pursuing. So I think this is going to be helpful information, and until next time, and for our listeners and viewers, if you have any questions around HITRUST in general or more specifically the new AI assessments, please don’t hesitate to reach out to us. Compliancepoint.com is the easiest way to find and learn more information. That’s our website. But you can also e-mail in at connect@compliancepoint.com and we will get back to your inquiry and reach out and hopefully learn more about what you’re going through and how we might be able to help. Until next time, everybody be well.