Avoid 3 common HITRUST CSF certification errors with a readiness assessment
Health Information Trust Alliance Common Security Framework (HITRUST CSF) certification is an internationally recognized cybersecurity benchmark that integrates multiple standards into a single certifiable framework. HITRUST CSF certification demonstrates your organization’s commitment to meeting security standards and protecting sensitive information.
But achieving certification can be challenging. To address today’s increasingly complex cyberthreat landscape, HITRUST has expanded the scope of requirements organizations must address. Even with recent streamlining in v11.5.0, assessments are still time-consuming and challenging. And failing an assessment can lead to reputational, operational and financial risks.
That’s why starting with a HITRUST readiness assessment is critical — and can help you get the certification process right on the first try. A HITRUST readiness assessment can also help you understand which framework, or combination, is right for your organization.
HITRUST vs. SOC 2
HITRUST CSF and SOC 2 are two of the most recognized frameworks for demonstrating your organization’s commitment to data security, but they serve different purposes.
- HITRUST offers a comprehensive certification that combines multiple standards, like HIPAA, ISO 27001, NIST and PCI DSS, making it ideal for healthcare and highly regulated industries.
- SOC 2 provides an attestation report based on the Trust Services Criteria and applies broadly across industries.
While they share similarities in security controls, they are not interchangeable. Some organizations pursue both to meet client or regulatory requirements.
What is a HITRUST readiness assessment?
A HITRUST readiness assessment is a dry run for the actual HITRUST assessment. It can help you uncover testing areas that may lead to failure if handled incorrectly. During a HITRUST readiness assessment, you’ll work with a qualified consultant to:
- Review your security policies and procedures against HITRUST’s control requirements.
- Clarify the scope of your HITRUST assessment.
- Identify gaps between your practices and HITRUST standards.
- Collect evidence required to meet HITRUST standards.
- Determine a realistic timeline for remediating issues and scheduling your HITRUST assessment.
3 common errors to avoid
There are three main errors that you can avoid by doing a HITRUST readiness assessment:
1. Unrealistic timeline expectations
Even though HITRUST v11.5.0 comes with reduced and clarified requirements, the certification process can take around six months. That timeline includes scoping, evidence-gathering and control validation.
HITRUST also requires a 60-day waiting period for established policies and procedures to operate in your environment (or 90 days for new implementations) before the official assessment can begin. After that, the testing and walkthrough phase typically takes about three months to complete.
Organizations under client pressure to certify quickly may be tempted to rush through evidence-gathering to speed up testing. However, doing so actually risks lengthening the timeline. Submitting incomplete or low-quality evidence leads to remediation work, and you’ll have to restart the waiting period before resuming the assessment.
The best practice is to invest time in upfront planning instead.
A HITRUST readiness assessment helps you find and address gaps before the waiting period begins. It also helps you set a realistic assessment date, based on your level of preparedness and HITRUST’s schedule.
2. Incorrect scope
Another common error organizations can make during an engagement is incorrectly identifying scope. Your organization is responsible for identifying the systems, processes and policies that fall under HITRUST CSF certification requirements. For example, a hospital may need to certify the system it uses to store patient data, or a business may certify an application that handles sensitive information.
But determining what is in scope can be challenging. If you miss something, you risk failure. If you include too much, you waste time gathering unnecessary evidence.
Getting scope right is critical.
If you perform a HITRUST readiness assessment, an experienced consultant can help you identify the right scope from the start, making evidence-gathering easier and giving you confidence that you’ve covered everything needed to pass.
3. Lack of quality evidence
Gathering evidence is often the most daunting part, especially since low-quality or improper evidence can halt your assessment or cause it to fail.
Depending on the assessment type, you may need to meet over 100 or 200 HITRUST controls, each requiring screenshots, policy and procedure documentation, or configurations and settings from your in-scope environment.
Common reasons for failure include:
- Submitting evidence that isn’t appropriate for the controls.
- Failing to document a process that was implemented.
- Only partially meeting controls (e.g., multifactor authentication on only some devices as opposed to all of them).
Get evidence right.
During a HITRUST readiness assessment, you get a chance to review and improve evidence so you can fix gaps early and be fully prepared when the waiting period begins.
How Wipfli can help
Wipfli is one of the longest-tenured HITRUST assessment firms. Our advisors can help you figure out the right scope and realistic timelines for your HITRUST assessment. We also help you streamline the evidence-gathering process by asking the right questions from the start.
Contact us today to simplify and streamline your HITRUST assessment process.