For successful HITRUST CSF certification, start with a readiness assessment

By:  Chris Balch and Richa Khare, Risk Advisory Services, Wipfli LLP

Health Information Trust Alliance Common Security Framework (HITRUST CSF) certification adds value to your organization. As a framework of frameworks, it can help you comply with a variety of cybersecurity standards and regulations and ensure your clients that you’re meeting your responsibility to keep private information secure.

But achieving certification can be challenging. Although HITRUST continues to make assessments more accessible, they’re still expensive, time consuming and challenging. And failing an assessment or stopping an engagement can lead to even more costs from penalties with your reservation date.

If you’re trying to get your certification, you want to do it right the first time. That’s why it’s important to invest in a readiness assessment.

What is a HITRUST readiness assessment?

A HITRUST readiness assessment is a dry run to the actual HITRUST assessment. It provides you with an opportunity to go through each step in the assessment process with a consultant’s guidance. That way, you can discuss each of the controls and get an understanding of testing expectations.

It can also help you plan scope, evidence and a timeline for completion — important aspects of testing that can lead to failure when handled incorrectly.

Here are three common errors that a readiness assessment can help you avoid:

Unrealistic project timeline expectations

Altogether, the process for an assessment can take around six months. First, there is a 60-day waiting period for policies and procedures to live in your environment or a 90-day waiting period for implementation. After that, the testing and walkthrough phase of the assessment usually takes around three months to complete.

Organizations that are facing outside pressure from clients may be tempted to rush through evidence-gathering to help expedite testing and walkthrough. However, doing so actually risks lengthening the timeline. Lacking or low-quality evidence will require remediation and then the waiting period will have to be repeated before the assessment can begin again.

Instead, it’s important to invest time up front in planning. A readiness assessment will help you determine where your gaps are so that you can address them before you undergo the waiting period. Consultants will also work with you to determine a realistic reservation date for your engagement based on your level of preparedness.

Incorrect scope

Another common error organizations can make during an engagement is incorrectly identifying scope.  Scope refers to the systems you are certifying against during your engagement. For the assessment, your organization is responsible for identifying the related processes, policies and procedures that fall under the HITRUST CSF certification requirements.

But determining what is in scope for your environment can be challenging. You want to ensure that everything that needs to be in scope is prepared and being tested. At the same time, including extra processes or policies will lead to wasted effort spent gathering unnecessary evidence.

With a readiness assessment, you can rely on the guidance of a consultant to help you identify what needs to be assessed. This leads to an easier evidence-gathering process, and you can be confident knowing that you’ve covered everything you need during the engagement.

Lack of quality evidence

Submitting low-quality or improper evidence can also lead to a stopped or failed engagement.  Gathering evidence is often the most daunting part of an assessment for auditees. Depending on the assessment, there can be more than 100 or even 200 HITRUST controls. And each of those will need the corresponding screenshot, policy and procedure document or configurations and settings for your in-scope environment.

An auditee may fail in this process because they:

• Submit evidence that isn’t appropriate for the controls.
• Fail to document a process that has been implemented.
• Do not fully meet a control (e.g., you only have multifactor authentication implemented for half of the laptops in your in-scope environment as opposed to all of them).

With a readiness assessment, a consultant will help you determine the quality of your evidence before your engagement. They can help you identify areas where you evidence is lacking and help with remediation so that everything is prepared for your waiting period.

How Wipfli can help

If your organization needs to be HITRUST CSF certified, let Wipfli offer our guidance and support both before and during your engagement.

Our readiness services can help you determine what scope and realistic timelines look like for your organization. We can also help you streamline the evidence-gathering process by asking you the right questions so that you know what evidence you need.

And our assessors check in with you throughout the engagement process to help ensure that you are on track in terms of timeline and that there are no obstacles to you passing.

Contact us today for more on how our readiness assessment can help you complete your assessment successfully.

Sign up to receive more information, or continue reading:

• HITRUST scoring methodology: What it is and how it works
• Signs you should switch HITRUST assessors
• Common misconceptions from a HITRUST assessor