S3 E24: HITRUST Certification First Steps
Transcript
Jordan Eisner (00:16)
Hello everybody. I am excited to have Brooke Gardner on today for our episode of Compliance Pointers. It’s Brooke’s second time on. Very excited. She’s been able to take a minute away from delivery, delivery, delivery and servicing our clients to be able to talk a little bit about HITRUST for the marketplace and for those considering it for the first time. So Brooke, good to have you on.
Brooke Gardner (00:38)
Yeah, thank you. Glad to be here.
Jordan Eisner (00:41)
And I’m going to brag on Brooke a little bit. 20 years, you wouldn’t know by looking at her, but 20-plus years in the audit industry, internal audit. She’s a CPA. Her last several years have been spent primarily focusing on HITRUST, which is the topic of the conversation today. I was reading off all your different certifications, CISA, CSSP, CHQP. I’m sure I’m messing some of these up.
You know, so on and so on. I think you’re going to be a QSA pretty soon. The list goes on and on in terms of security certs, so I don’t think it’s a matter of what you have per se. It’s like, hey, if she needed to have the certification, she could probably get it in a heartbeat.
Brooke Gardner (01:28)
I’m good at taking tests, right?
Jordan Eisner (01:30)
Yeah, there you go. So today we’re talking, like I alluded to, we’re talking about HITRUST, which changes every single day. Almost feels like it. And I’m having conversations with folks and they’re mixing up e1 and i1 and r2 and this month and which one’s every two years and which one’s only a year. But we’re going to back it up a little bit. And this is more of a HITRUST 101 or first steps. And, you know, for our listeners, I think this will be important.
Even if they’ve done HITRUST or they’re considering it, it’s some fun facts and some things to know. Maybe not fun facts, but some facts, some FAQs. But really it’s geared towards organizations that have been entertaining HITRUST or need to go down HITRUST or are exploring what it even means or want to pursue HITRUST. And so what are the first steps in doing that? And we’re going to talk about what you need to consider when you start: which HITRUST certification is right for me? What does that mean?
From there, who do I need to partner with? Can I do this myself? Do I need a company for readiness? Do I need a company for certification? Do I need a company for all of it? From there, how do I pick the right company for my company, my size, our goals? And then, okay, I figured out which HITRUST certification. I’m figuring out how I’m gonna get ready for it and who I’m gonna partner with to get certified against it.
What do I need to get to work on, or what do most companies typically start on? So we’ll get into all those. Brooke, why don’t we start with: if I’m pursuing HITRUST, there’s many different reasons. I could be doing it for marketability. I could be doing it because it’s an obligation from a client commitment that we’re going to have to certify. So there’s many different reasons, we don’t have to get into those, but let’s say I’ve got my reason and I need to be HITRUST certified. But that’s it. That’s what I’m running with.
What should I consider for?
Brooke Gardner (03:27)
Yeah, so once you’ve decided that you need HITRUST, and like you said, it’s kind of based on, most people don’t get into HITRUST because they want to, they get into HITRUST because their client needs them to, their customer needs them to, you know, reasons like that. Sometimes people do it for marketability, but mostly they’re being forced to in many cases. But once you decide that you do need HITRUST, the next thing to do is realize that there’s, you know, several different types of HITRUST certification.
And so you have to decide which one of those is appropriate for your company. So the three are the e1, which is very basic. There’s 44 controls. It’s foundational security controls. Then there’s an i1. It’s more of a moderate, focused on best practices. I believe it’s 183 controls for that one. And then there’s an r2.
And that is the most comprehensive and it’s risk-based, and that can range anywhere from, if you’re lucky or if you’re a smaller company, I guess 200 controls up to a thousand. So it can get pretty in-depth for that one. So an assessor firm can kind of help you decide which one of those is best. And it’s based on what your clients, or the reason you’re getting HITRUST, expect. Are they expecting an r2 or are they gonna be okay if it’s an e1? Some companies might start with an e1 for their first year because it’s easier, there are fewer controls, and then move on to an i1 or an r2 the following year or two after that. So the right level just kind of depends on your business type, your risk profile, what your customers, your business partners expect.
Jordan Eisner (05:09)
Right. The end goal, your maturity, what’s realistic, and the timeline maybe that you need to accomplish that e1 seems like it’d be the quickest. The E and the I and the R, they don’t stand for anything, do they?
Brooke Gardner (05:18)
Absolutely. Well, the E is Essentials.
Jordan Eisner (05:25)
Okay, so they do. Yeah. Is it, what, intermediate or?
Brooke Gardner (05:29)
You know, I wasn’t prepared to say that. No, it’s OK. I don’t know. Maybe implemented, I believe. And then the R is, I think, risk, but I could be wrong on those.
Jordan Eisner (05:41)
But for our watchers and listeners, e1, as Brooke said, I’m not going to say the simplest, but 44 controls, smallest amount of controls. You have to do it every year, though.
Brooke Gardner (05:54)
Correct, so the ones and the twos do stand for something. So the e1 and i1, because they’re one-year certifications, the r2 is a two-year certification, but you do a much smaller subset on the off year. So they have an interim of maybe 19 to 20 controls.
Jordan Eisner (06:11)
So that’s what the numbers mean, because I always... i1 was one year, but didn’t they move it to two years, and now there’s a rapid recert?
Brooke Gardner (06:21)
There is a rapid recert. Yeah, so they want to make it complicated, so it’s kind of a two-year, but it’s really a one, you know. Yeah, and you want to do the same one every year.
Jordan Eisner (06:29)
Right. Yeah. Rapid recertification.
Brooke Gardner (06:34)
Right? Yeah. Right. Yeah.
Jordan Eisner (06:37)
OK, so figure out which one, e1, i1, r2. We’ve crossed that bridge. We know which one we want to do. It’s one of those three. Now, what should we start to consider? Well, before we get to what assessment company to partner with, or maybe this is kind of a multifaceted question, maybe it comes into how do I evaluate the right sort of auditor, but you also need to be thinking about: do I need help with readiness, policies, procedures, risk assessment, other requirements that HITRUST is going to have for my organization? Do I need a partner for that or can I do that myself? What’s your recommendation, Brooke? Should I talk with somebody, an auditor, and get their opinion on whether to do readiness, or should I go out to the marketplace and start having conversations around readiness and audit from the start?
Brooke Gardner (07:37)
So hypothetically, you can prepare yourself as a client firm. I would not necessarily recommend that. We’ve had some clients come through and they did their own readiness themselves. And then it’s just a little bit more difficult to get through the actual assessment because they’re not auditors, they’re not HITRUST experts. So they’re making a lot of assumptions about what the controls are asking for and things like that.
Jordan Eisner (08:07)
So they might be auditors, right? They might be auditors, as you’re an auditor, but it’s the HITRUST specificity. Or at least that’s my understanding, right? It’s like, it’s not your typical audit. And so you might feel, I’ve been through audits, I can prepare for an audit, we have SOC 2, and you could be caught off guard with HITRUST and some of the specific and prescriptive requirements they have, right? Is that maybe what?
Brooke Gardner (08:32)
Right, because you might think you understand where they’re going with the control, because you’ll have the control set and you might think you know where they’re going with it, but someone, you know, an audit firm who specializes in HITRUST understands they’re going to want a sample of something to prove this control, not just a one-and-done test, different things like that, that even if they are an auditor, if they’re not experts in HITRUST, they might not realize that they have to do. It’s a little bit more in-depth than just, do we meet this control?
Yeah, we do, here’s this lighthearted evidence, but that’s not always, that’s usually not enough.
Jordan Eisner (09:08)
OK, all right. So readiness: not a need-to-have, certainly a nice-to-have, and going to increase your chances of a successful audit, which is important. I mean, the last thing you want to do is pay HITRUST for a subscription, pay an audit firm to come in, and then fail the audit.
Brooke Gardner (09:34)
Absolutely, yeah, because you don’t get that money back. You have to pay it all over again.
Jordan Eisner (09:38)
If you indeed decide to, you know, pony up and decide to go for certification again, and then you might be going to a readiness partner. So I don’t want to put words in your mouth, but if you’re a company and you know which HITRUST certification you need to get and you’re starting to explore partners for the audit side, it would behoove you to talk about readiness and the value of readiness with organizations and how they can help with readiness and/or the audit, and why that’s valuable.
Brooke Gardner (10:11)
Yeah, I agree for sure. Yeah.
Jordan Eisner (10:13)
At least the first time around.
Brooke Gardner (10:16)
Right, yeah, once you have it, you already know what to expect, then you don’t need a readiness in future years. You should be ready to go in the future, yeah.
Jordan Eisner (10:24)
And I would say the scrutiny of the prioritization of the readiness only increases as you go upstream in the certification. e1, all right, maybe you can get by. i1, you’re gonna really wanna take a look at readiness. r2, first year, you really, really should partner with a readiness organization. And not necessarily, Brooke, you’ve been doing this a long time.
Brooke Gardner (10:34)
Yeah.
Jordan Eisner (10:51)
I’ve worked with many clients on HITRUST, not actually delivering services, but, you know, in how we structure our partnership with them. And it’s not even just a readiness assessment or a gap assessment where we give them all the findings and they remediate and validate. That’s an improvement over nothing, but it’s even beyond that. I think it’s some consulting on what the policies need to have, what the procedures need to have.
You know, what sort of evidence HITRUST is going to want to see, beyond just a readiness assessment that puts it in writing, but really, you know, for lack of a better term, some hand-holding.
Brooke Gardner (11:31)
Absolutely. Yeah. When we perform readiness assessments, we get on a call with our clients and we walk through every single control one by one. What does this mean? What kind of evidence do you maybe already have? Are you already doing it? Are you doing something similar? You know, we’ll have them share their screen and show us, you know, how it’s being implemented and stuff like that. So it’s a very thorough readiness, more than just, do you have this? Yes or no. And move along, you know.
Jordan Eisner (12:00)
Yeah, alright, so let’s shift gears to the auditor. Now we’ve made our case for readiness. Nobody can listen to this podcast and not be of the opinion that Brooke Gardner and Jordan Eisner think that readiness is valuable. We’ve selected what sort of certification we’re going to need. We’re strongly looking at readiness because we see the value in that. What should we be thinking about in terms of who we’re selecting for the audit? Or what’s the term even, you know, validated assessment? Yes.
Brooke Gardner (12:29)
So number one, you have to make sure it’s an assessor firm that is officially authorized by HITRUST. So firms have to go through and pay their own fees and become certified and have a certain number of certified people on staff in order to be authorized by HITRUST to even perform a validated assessment. And then once you make sure they’re authorized by HITRUST to perform HITRUST audits, you wanna make sure that they have experience
in your industry or with your size of organization, because if they have only focused on super large companies, they’re not always going to understand what a very small company of maybe 10 or 20 people needs versus a large company, and vice versa. So you want to make sure that their experience is with similar size and similar industries as you. I feel that is important.
Jordan Eisner (13:24)
All right, I think we’re coming to the final chapter of this podcast.
Figure out what sort of certification you need. Figure out who you’re going to partner with for readiness and audit. Walk us through or tell us about some of the initial things that an organization is going to want to do to prepare for, whether they have a readiness partner or not. Or maybe a better way of asking this question is, what are the most common areas that you see companies needing to improve, enhance, or just develop altogether to be HITRUST certified, that is a commonality?
Brooke Gardner (14:01)
Well, I think one thing that is pretty important is to allocate some internal resources to the project. It’s difficult sometimes to focus on an audit when you have a lot of day-to-day activities that you’re responsible for. So I think it’s important for one person, maybe not fully focused on HITRUST, but at least have a resource internally that kind of acts as maybe a project manager, and they know who to go to for evidence and things like that. And that’s kind of the go-between between your external assessor firm and everyone at your company. So yeah, they can kind of manage how that goes. So it’s a good idea then to ensure leadership support throughout the different departments. So we want to make sure, you know, your IT department, your security, HR, legal, whoever, knows that this is happening and why it’s important. And so that when they receive requests from whoever the internal resource is, they prioritize that and don’t kind of push it off and take a long time to respond. Because there is a set time period once we’re in the actual validated audit that we can’t budge. There’s a 90-day testing period. So you’ve got to make sure that people are on board and,
you know, realize it can take a long time. So, depending on how, once you’re through the readiness, if there are changes that you have to make, understand how quickly your company can make changes and things like that. Because it can take a long time and it’s a team effort among many different areas.
Jordan Eisner (15:41)
It’s a marathon, you know. I think a lot of people, I’ve seen a lot of organizations come in and they think it’s gonna be a sprint, they think it’s gonna be a race, but it’s a marathon. Yeah, you have to be prepared for and oriented that way if you want to make it in a certain time period, because we’ve seen plenty of these drag on, these readiness... Yeah, organizations just really are not properly prepared for the work it takes to get ready
Brooke Gardner (15:49)
Absolutely, for years.
Jordan Eisner (16:10)
for a HITRUST assessment. A lot of times, especially when we’re talking about an r2, expectations are set and they get on the other side and it’s just too overwhelming because they have a day job too. And so that’s why I think all those things we’re talking about, a project manager, a main person that has some sort of vested interest in getting the company certified other than just, hey, do it, and executive sponsors and ownership to say,
we need to have people on this, resources on it. We need to be moving the ball forward all the time. Yeah. And you can’t go between status meetings with your readiness partner and not make any updates and things. Cause then you just lost a week. You just lost two weeks, and it goes on and on and on and on and on. And you’re pushing out your cert date. So yeah, organizational focus and prioritization of it and not, you know, I hesitate to say penalty.
Brooke Gardner (16:43)
Right.
Jordan Eisner (17:08)
But you need to draw lines in the sand and say, we need to have this by this point. We need to have this by this point and who’s driving it and who’s owning it. So I think I’m just basically reiterating the point that you made, but you know, companies struggle with this.
Brooke Gardner (17:23)
Yeah, and time is money too. So the longer it takes, the more it’s going to cost. And that’s not what anyone wants to do.
Jordan Eisner (17:30)
Yeah. Anything else that you would add, I guess, on that? I think that’s a big thing when you’re deciding on how you need to set yourself up for success as you prepare for it. Maybe the specifics or the tacticals around policies and procedures, there are too many, or it’s too nuanced, there are too many variables for that to be the case. Or is there a common thing you see with those, that companies, more times than not, are not ready from a policy standpoint or procedure standpoint or something, and that more times than not needs work before their assessment?
Brooke Gardner (18:07)
Yeah, especially for an r2, because every single control and like I said, that can be hundreds and hundreds of controls. Every single one needs to have a policy statement and a procedure describing how that control is in place in addition to proving that you have that control in place. So that’s a lot of documentation that a lot of companies may or may not have someone on staff that is good at putting stuff in writing like that, because that’s not everyone’s cup of tea, I guess.
There’s a lot of interviewing that needs to happen when you’re creating SOPs, of subject matter experts, to make sure you’re documenting them appropriately and things like that. And that definitely takes a long time depending on what your control set is. Now for an e1 and an i1, the policy and procedure requirements are much lower. You don’t need one for every single control because they’re focused on the implementation of the controls. But there are a handful where the control itself is, you have a policy that says such and such, or procedures around, you know, antivirus or whatever it might be. But yeah, for the r2, definitely it’s a huge undertaking just for the policy and procedure piece, which seems like the easy part of it, but not always.
Jordan Eisner (19:19)
Done. Okay, in summary or wrap up, anything else you would add for our listeners and our watchers?
Brooke Gardner (19:30)
I think the only thing that maybe we didn’t touch on that we should mention is purchasing the MyCSF subscription through HITRUST. So not only do you need to find an assessor firm, but you also need to go through HITRUST and get access to their tool. And that isn’t always cheap either, depending on, you know, what type of assessment you’re looking for. They have different fees for the different types of assessments. A subscription is required. So you’ve just got to
keep that in mind too when you’re budgeting and planning, that that’s an important step that your assessor firm should help you navigate also. But it’s another step that you need to consider.
Jordan Eisner (20:09)
To a degree, you have to have that conversation with the HITRUST organization. But yeah, at least in terms of telling you you need to have that conversation and what to expect and those sorts of things.
Brooke Gardner (20:22)
Right.
Jordan Eisner (20:24)
Well, I think this was a really good one. I think for any organization that’s getting started on this, this is enough to chew on, but then they’re going to get into different questions. They’re going to assess different organizations. And so this is the time where I’d make the shameless plug and say CompliancePoint has been doing this for a long, long time, both as a readiness and an audit partner for HITRUST with many organizations.
High, high, high success rate. I’m gonna throw that out there too. And we’d love to have a conversation with you. If you’re interested in HITRUST or pursuing it, come to our website, email us at connect@compliancepoint.com and we’ll share some of the successes we’ve had with our clients that continue to work with us. And you get to work with somebody like Brooke who is a whiz at this stuff.
Brooke Gardner (21:10)
Yeah, we have a great staff. You know, the HITRUST certified people on staff are just great to work with, friendly, easy to work with. So we’re a good choice, I think.
Jordan Eisner (21:20)
Yeah. All right. Thank you Brooke for your time today. Thank you. And thank you to our listeners and watchers. Until next time, everybody be well.