Why you need a HITRUST “mechanic”
By: Jason A. Smith, Master Cybersecurity Consultant, Wipfli LLP
Deciding whether your organization should undertake a HITRUST Validated Assessment may be akin to deciding whether to hire a mechanic when you need to restore a long-forsaken old car or try to bring it back to life yourself.
First of all, most people, even those comfortable looking under the hood, don’t have the skills needed to transform a treasured jalopy from another era into a roadworthy vehicle for today. You need a mechanic who knows what you don’t. They need to be current on best practices for restoring vintage cars and compliance with the rules of the road.
HITRUST authorized External Assessors have your back, and that’s critical considering the HITRUST Validated Assessment can be complex and time-consuming. HITRUST CSF has become the most widely adopted security and privacy framework across a wide range of industries — for good reason. It helps you manage risk, reduce the chances of a data breach, and show that you take security and compliance seriously. Its control requirements specify what is industry-standard, recommended, and required for certification.
By contrast, some other risk management frameworks can be vague on specific expectations. HITRUST not only points out control weaknesses but also clearly identifies them to help with remediation efforts. But its complexity and comprehensiveness make working with a knowledgeable third party critical to success.
Smooth the way to earning certification
A solid mechanic tells you where you stand and what needs to be done. HITRUST is transparent about both its scoring methodology and any potential weaknesses discovered in the testing of control objectives. The validated assessment typically has between 250 and 600 requirements that your organization needs to be certified against. Working with an authorized HITRUST External Assessor to guide you through can smooth the way to your organization earning HITRUST Certification.
Its testing framework allows clients and assessor firms to reach the same conclusions regarding assessment scores. Further, the reporting structure encourages transparency between third-party entities and business associates, which allows all involved to make informed, risk-based decisions.
Flexibility for your organization
Next, your mechanic must fit your needs and resources. HITRUST provides similar flexibility by offering a variety of assessment styles to match the size and complexity of any organization. In fact, the scope of the assessment is based on factors unique to each organization.
Assessment requirements are also updated annually and vetted by industry experts to ensure HITRUST continually considers emerging threats, trends, and regulatory changes. Its assessments are a composite of applicable regulatory requirements and established risk management frameworks like NIST and ISO-27001. This means you get the best of both worlds – a current assessment tailored to be comprehensive for your specific environment.
Finally, you want to maximize the value of your investment, whether in a prized, restored car or a HITRUST assessment. You want a variety of options and a useful result. HITRUST provides this by offering an Implemented, 1-year (i1) assessment, a Risk-based 2-year (r2) assessment, self-assessments, and even certification.
In addition, a variety of licensure levels allow for other options, such as inheriting controls from other organizations and accessing the HITRUST MyCSF portal for research and remediation. The Assess Once, Report Many™ nature of the report allows for sharing results with multiple clients instead of being audited individually by each of them. The ability to leverage value is incomparable.
It would be hard to find a risk management framework able to deliver the efficiency, adaptiveness, or value offered by HITRUST. And HITRUST specialists are committed to keeping the engine of your business running smoothly.
How Wipfli can help
Wipfli is one of the longest-serving assessor firms in HITRUST. Count on Wipfli advisors to guide you through the complexities of the assessment process. In evaluating your security programs against regulatory mandates and industry standards, we can provide peace of mind in your journey to HITRUST certification.
Check out our HITRUST CSF services web page or learn more from these resources: