HITRUST Certification: How to Get Started

So, you are considering obtaining a HITRUST Certification. You have looked at the process and are now beginning to wonder how to get started, and more importantly – how long will it take?

How do I get started?

The equation above seems fairly straightforward, but the first step, “Identify Requirements” is not always easy. HITRUST Certification is based on an assessment that your organization meets the standards of the HITRUST Common Security Framework (CSF) identified as applicable to your organization. You can go to the HITRUST Alliance website and download the current version of the CSF for free. However, that includes ALL of the requirements, and HITRUST is scalable based on your organization’s size and identified risk factors. Depending on your scoping factors, you could have 250 controls to address, or up to 600!

So how do you identify your applicable risk factors? There are basically two options. You can contact HITRUST and purchase a self-assessment from them. This will allow you to scope your environment in the HITRUST MyCSF Portal and begin the self-assessment process. The disadvantage of this process is that you either have to pay for the HITRUST subscription or have access to the portal only for a limited time. Alternatively, a HITRUST assessor firm, such as CompliancePoint, can identify the required controls for you. Using an assessor firm also allows you access to HITRUST experts who can help you understand what is required to demonstrate compliance with the identified controls.

Once you have identified your requirements, you have to ensure they are all implemented. Each of your controls is evaluated based on five Control Maturity Measures (policy, process, implemented, measured, and managed). For each control you have a potential of 100 points, and a control is considered compliant if it scores at least 62/100. However, in order to avoid corrective action plans, you will want as many of your controls as possible to score at least 70/100. The table below outlines the control requirements:

As you can see, the policy, process, and implemented requirements make up the majority of your score and should be where organizations focus their efforts for their first assessment. The measured and managed requirements can be used to enhance control maturity as your organization implements and manages the required controls.

How long does it take to get certified?

The response to this question varies greatly depending on how mature your organization is and your current documentation status. However, the timeline below is based on what we have found through our experience with numerous organizations completing the HITRUST assessment process:

The main driver in the timing of the assessment is the organization’s current control framework status and the commitment to the certification process.

CompliancePoint’s experienced assessors can work with your organization to identify your required controls, implement the controls, and help you with the required documentation including the development of required policies and procedures. For any questions regarding our services, please feel free to reach out to us at 855-670-8780 or connect@compliancepoint.com