Managing Your HITRUST Certification
Congratulations! After a lot of hard work, you have received your HITRUST certification! Now you can move on to other priorities, or can you?
Your HITRUST Certification is good for two years, assuming you keep the controls in place and continue the required updates and monitoring. So, what does that mean and what do you have to do once you have your certification?
Once you have your certification, you have to complete any Corrective Action Plans, prepare for your Interim Assessment, and stay on top of the HITRUST CSF framework updates to make sure you are ready for your next assessment. In this article, we will provide some guidance to help you meet the standard.
Corrective Action Plans
If any of the controls in your assessment scored less than 62.5%, you will be requested to prepare a Corrective Action Plan (CAP) before you receive your Validated Certification. The CAP requires that you indicate how you will address the identified gap along with who is responsible and when you will have the CAP completed.
The HITRUST MyCSF provides you with a tool to help manage your CAPs, which can be used to document the progress on the CAP, provide documentation supporting the implementation of the CAP, and ultimately close the CAP once it’s completed. While use of the tool is not required, you will need to update the CAP within MyCSF prior to your Interim Assessment as your External Assessor will need to validate your CAP status.
One year after you submitted your assessment to HITRUST, you and your External Assessor will be required to submit your Interim Assessment. Remember that your Interim Assessment is due based on your submission to HITRUST, not the date you received your Validated Certification Report.
You can request HITRUST to create your Interim Assessment 90 days prior to your due date by contacting HITRUST. Sixty days before your due date, HITRUST will automatically create your Interim Assessment and notify you it is ready.
What’s involved in your Interim Assessment? The Interim Assessment has three components: (1) validation of your overall environment; (2) verification of your CAP status; and (3) testing of 19 controls selected by HITRUST. Let’s look at all three components:
1. Validation of your overall environment.
Your External Assessor will confirm that you have not a data security breach reportable to either State or Federal agencies. If you have had a data breach, you and your assessor will need to contact HITRUST. HITRUST will perform an evaluation to determine if your breach was deemed to be material. If HITRUST deems the breach material, the certification will be suspended, and you will be required to perform a new Validated Certification. The breach could be deemed to be material due to a failure of a required control.
Your assessor will also confirm that no significant changes in the business or security practices, controls, and processes have occurred that might impact your HITRUST Certification criteria. For example, if you migrate from a server-based environment to a cloud-based environment, that would be a significant change that would require you to complete a new Validated Assessments instead of an Interim Assessment. Other changes that are not as significant may require that your assessor validate the controls are still functioning. For example, you implemented a new mobile device encryption tool that would require the assessor to validate the new tool meets the control requirements related to mobile device encryption.
2. Corrective Action Plan Status
Your External Assessor will evaluate the status of each of your CAPs. This includes verification that the CAP is either completed or on track. The Assessor will also validate the overall control status. For example, if your CAP was related to incomplete procedures, the Assessor will validate your policy still addresses the control and that the implementation evidence supports the implementation of the control. The assessor will confirm that the updated procedures addressing the CAP have either been developed or are in the process of development.
The status of the CAP in MyCSF must agree with the status your Assessor reports to HITRUST. HITRUST also expects that you will demonstrate forward progress on all CAPs and that you have met the timelines you established. If you have not met the timelines, you and your External Assessor will need to document what progress has been made and your updated timeline.
3. Testing of 19 Controls
HITRUST will select 19 controls, one from each Domain, that must be retested using the same testing requirements as for the Validated Assessment. Your External Assessor will evaluate your Policy, Process, Implementation, Measured and Managed evidence to ensure the control is still functioning as assessed in the Validated Assessment.
In order to maintain your HITRUST Certification, you will need to perform the periodic monitoring required by the controls in your assessment. You need to be documenting the results of your monitoring to provide evidence to your External Assessor in order to gain full maturity on your next assessment. The table below indicates some of the most common monitoring that is required. You should review your assessment to develop a detailed listing of what your monitoring requirements are. Once you have that listing, be sure to assign the monitoring activities to the responsible person and perform follow-up to verify that the monitoring was done and documented as required.
HITRUST updates the Control Security Framework (CSF) at least annually to incorporate updated controls and new regulations to continue to provide a comprehensive approach to managing information and security risks. In 2017 HITRUST released V9, which increased the number of controls within the CSF. Since then HITRUST has made several updates to V9 which incorporated the following security requirements:
- New York Cybersecurity Requirements for Financial Services
- EU General Data Protection Regulation (GDPR)
- Singapore Personal Data Protection Act
- California Consumer Privacy Act
- South Carolina Insurance Data Security Act
- NIST SP 800-171 R2 (DFARS)
In 2020 we expect HITRUST to publish CSF V10, which will probably have extensive changes and updates to the CSF controls and potentially your next assessment.
Each CSF update may result in changes to your required controls. Once your assessment begins, it’s too late to implement new controls and receive full credit, so you need to stay abreast of the updates to the CSF and make sure your policies, procedures, and implementation evidence supports your adoption of any new or updated controls.
Along with updates to the CSF, HITRUST also makes periodic updates to the testing and evidence requirements. In 2019 HITRUST provided guidance on control implementation, which informed the External Assessors that controls should be functioning for 90 days before testing to be considered mature and functioning effectively.
In 2020 HITRUST made a significant update to the control maturity measures and the scoring rubric which are outlined below.
HITRUST evaluates each control based on a maturity referred to as the PRISMA. For assessments created after January 1, 2020, the PRISMA has changed to provide more emphasis on the implementation of the control. The table below shows the old and new PRISMA weights.
The impact of this is that without proper evidence of implementation, it will be significantly harder for a control to achieve a passing score on the HITRUST Validated Assessment. Organizations should evaluate their last assessment to identify any controls which may need strengthened evidence of implementation for their next assessment.
For all assessments submitted after January 1, 2020, HITRUST has updated the Control Maturity Scoring Rubric that is used to evaluate the control maturity. The new rubric provides five tiers for assessing the strength of the control and five tiers for assessing coverage and adherence.
HITRUST has developed individual rubrics for each of the five PRISMA maturity weights to provide an increased level of prescriptiveness and increase consistency across assessments. Each rubric includes a scoring matrix that is used to score the organizations’ control maturity. Each of the five control maturity measures has an individual rubric to provide more specific guidance on scoring the controls. Additionally, the new rubric uses concise language to determine scoring for a requirement.
The updated scoring rubric also includes concise language on how to score the requirement. Criteria requirements for Policy, Process, Measured, and Managed weights have also been more clearly defined. Additionally, while previously automated controls did not have to be supported by formally documented procedures, the new rubric requires all controls must have formally approved procedure documents. HITRUST also indicated that automated controls must now be supported by a formally-approved procedure document.
CompliancePoint can assist you with ensuring that all the required activities are performed, which can help increase your control maturity and reduce the effort for your next HITRUST validated assessment. For any questions regarding our services, please feel free to reach out to us at firstname.lastname@example.org.