Is HITRUST worth the effort?
By: Tom Sost, CPA, CISA, MBA, CCSFP – Manager, Risk Advisory Services at Wipfli LLP
HITRUST® continues to gain traction as a robust security framework to certify against. Chances are, if you’re looking into what HITRUST is or how to get HITRUST certified, you have a client or prospect requiring the certification to continue or begin building a business relationship. Or you are seeking a leg up against your competitors to attract new clients and business. And because of that, you might also be wondering what the HITRUST CSF Certification involves, and whether it’s worth the effort.
What are the benefits of HITRUST?
Fortunately, HITRUST offers benefits beyond meeting contractual obligations or any regulatory requirements that may apply to your organization. Let’s dive into a few of the benefits.
- It’s comprehensive and highly regarded: What makes HITRUST’s security framework so impressive is that it has essentially taken the best pieces of other frameworks and regulations and put them into one central control repository. Because of that, HITRUST has gained a reputation for being robust and comprehensive, and getting HITRUST certified carries a lot of weight.
- It’s transparent and consistent: HITRUST offers greater transparency and consistency to external parties — including prospects and clients — and can even reduce requests for security questionnaires and other external audits.
- It delivers a competitive advantage: HITRUST certification isn’t easy to achieve, but it does tell clients that their data is in good hands, so it can actually offer your organization a competitive advantage. You can use the certification in the sales process to gain new clients who would rather work with an organization that’s HITRUST certified than one that isn’t.
What goes into getting HITRUST CSF Certified?
Since you are weighing whether HITRUST is worth the effort, we should cover what, exactly, that effort entails. The three main areas of consideration are the requirements, time, and cost.
- HITRUST requirements: Unlike a SOC exam where you define your organization’s controls, HITRUST has predefined requirements that are applied to your organization based on your size, records, transactions, and other risk factors. You must audit against all applicable requirements prescribed by HITRUST based on these factors in order to achieve certification. It’s typical to have hundreds of requirements — each needing detailed evidence of compliance — so this is where the majority of your time and effort will go when pursuing a HITRUST certification.
- Timeline: HITRUST is not a quick certification. A typical organization can take anywhere from 9-18 months (depending on how prepared your organization is) to complete the readiness/gap identification, remediation of gaps, and validated assessment phases. First, your organization will score itself on how well you meet the HITRUST requirements and collect evidence to prove these scores. Then a third-party assessor like Wipfli reviews your scores, inspects the evidence provided, and may request scoring changes where needed in order to submit your assessment to HITRUST. Finally, HITRUST itself performs a quality control process where it reviews your scores and evidence before issuing a report and, hopefully, the certification.
- Cost: HITRUST certification cost can be a concern for organizations. You will have to devote internal resources, such as a dedicated project manager, to working on HITRUST certification. You will also need to purchase one of HITRUST’s MyCSF® subscription options, as well as engage a HITRUST External Assessor to perform your validated assessment. There can also be additional costs if you perform a readiness assessment and discover, for example, that you don’t have the networking equipment needed to comply with a particular requirement, and thus need to purchase that equipment. At the end of the day, these costs can all add up into a significant investment.
How to make HITRUST certification easier
You can’t really weigh whether HITRUST is worth it to pursue until you consider ways you can make the process smoother, faster, and easier. So, let’s cover five best practices.
1. Obtain internal buy-in
Obtaining a true commitment to HITRUST is the first step. Your upper management team must be willing to devote the time, money, and resources to getting certified. And your project manager must be able to perform the necessary work unimpeded, which means being able to get required evidence from people across departments in a timely manner. Buy-in makes the process easier and faster by giving this person the pull they need.
In addition to a project manager, the organization should have at least one internal HITRUST subject matter expert (SME). Identify one person, usually your information security officer, to be your HITRUST SME. This person will gain the necessary knowledge (training, etc.) to implement and manage the controls prescribed by the framework.
2. Perform a readiness assessment
Performing a readiness assessment is critical for an organization undergoing HITRUST CSF Certification for the first time. As noted above, the more prepared you are, the faster the process will go. By doing a readiness assessment before your validated assessment, you can start locating and logging the evidence you’ll need during the assessment, as well as identifying gaps in your compliance. Then you can close those gaps, which further improves your chances of achieving certification.
3. Use crosswalks
A crosswalk document lays out all the HITRUST certification requirements you must audit against and exactly what evidence you’ll need to provide. This allows you to put the policy or procedure document and the page number the evidence is located on right into that crosswalk. Because you need to provide HITRUST with a self-score and the basis for that score, having the crosswalk put together allows you to organize all of the evidence needed to support that score. All in all, the crosswalk keeps you organized and makes the HITRUST validated assessment faster and easier. Plus, it can be updated and reused for future assessments, including your interim assessment.
4. Name more than one dedicated project manager
When everything about the HITRUST certification process is funneled through one person, it can get overwhelming and start to hold up the timeline — especially considering the process can take 12 months or more, and that project manager deserves to use their PTO. Who is capable enough to fill in for them while they’re on vacation?
Having more than one project manager or a reliable and dedicated team spreads out the workload, providing not just a backup resource while one is unavailable but also providing at least two different people your External Assessor team can come to with questions.
5. Use the MyCSF tool
HITRUST has built a tool that helps organizations stay organized during the certification process. The requirements and scoring are built into the tool, you can submit evidence via the tool, and you can even access guides to help answer any questions. Using MyCSF means you don’t need to work in spreadsheets and take the risk of multiple versions of that spreadsheet floating around.
Achieving your HITRUST CSF Certification
While getting HITRUST certified won’t happen overnight, the added value can outweigh the effort for many organizations. At the end of the day, you’ll have significantly improved your information security program and reduced the chances of a data breach, and you can use your certification — and the weighty name behind it — as a tool to gain new customers.
Another way you can make the process smoother? Work with an experienced HITRUST assessor firm like Wipfli. Wipfli can take you through your readiness assessment to identify and close gaps and prepare you for the validated assessment. Wipfli even has a crosswalk template it can share to assist with the evidence-gathering process. And, of course, Wipfli can work with you on your validated assessment.