How to choose the right HITRUST External Assessor

By Chris Balch

If you’ve been looking into whether your organization should pursue HITRUST CSF® Certification, you probably know that your validated assessment must be conducted by a HITRUST Authorized External Assessor. A year after achieving certification, you’ll also go through an interim assessment to ensure your controls are still operating effectively or that you’ve taken steps to close previously identified gaps. Your assessor will work with you during this interim assessment, too. 

So, you may be wondering, how do I choose the right assessor?

There are approximately 95 firms approved by HITRUST®, but that doesn’t mean they’re all the same. Some firms deliver more value than others. Below are four features you should look for in your External Assessor to help ensure you find the firm that is the right fit for you.

1. They offer guidance during a readiness assessment 

Many organizations choose to go through HITRUST’s self-assessment before starting the validated assessment because it gives them a better understanding of what to expect from the validated assessment. 

But that’s not the only way you can prepare. Achieving HITRUST CSF Certification is a lengthy, involved and complex process. The right External Assessor will add further value by taking you through a readiness assessment. This will specifically prepare you for the types of questions asked and the expectations regarding the evidence you’ll need to provide during the validated assessment. 

The right External Assessor will also ensure that an experienced consultant with many years of HITRUST experience and a HITRUST CCSFP designation is the one who takes you through the readiness assessment, answers your questions and provides the guidance you’ll need to be prepared to undergo the validated assessment. 

2. They bring extensive HITRUST experience to the table

Experience should be one of the main considerations you base your decision off of. Your External Assessor must have a thorough understanding of the HITRUST framework and how to audit against it. They should be able to answer any questions you have, as well as ones you didn’t even know to ask. And they should have years of experience and a lengthy history of performing validated assessments. 

Did you know that HITRUST actually validates the work of its External Assessors to ensure organizations are being assessed correctly? You want to work with a firm that knows the HITRUST framework inside and out and doesn’t have their work questioned or redone by HITRUST.

3. They offer additional services to help you prepare or to mitigate risks

HITRUST readiness assessments often bring to light gaps in an organization’s controls. Once those gaps are identified, it’s on the organization to remediate them. 

It’s also the organization’s responsibility to provide customers and vendors alike with reassurance that their controls are operating effectively — one of the reasons you’re pursuing HITRUST CSF Certification in the first place. This may mean customers or vendors will request that you take additional actions, such as performing penetration testing or vulnerability scans, along with building out various policies, procedures and programs such as incident response, risk management, disaster recovery and business continuity plans. In many cases, you might not have the expertise on your team develop these plans to ensure they meet your HITRUST requirements and ensure you have a strong security posture.

Because your HITRUST External Assessor will already be familiar with your organization, environment and controls, it’s much easier and more efficient for them to help you close gaps, mitigate risk and/or perform additional assurance. Look for a firm that offers a variety of cybersecurity services.

4. They provide policy and procedure templates

Policies and procedures are two huge elements in meeting your HITRUST requirement statements and controls. To achieve HITRUST CSF Certification, it’s critical to have the right policies and procedures in place and to have fully and effectively implemented them. 

But policies and procedures can differ wildly between organizations. Some are underdeveloped, some are outdated, some are spread across documents and difficult to pin down, and some just plain cannot be mapped to HITRUST requirements. 

The right External Assessor will offer policy and procedure templates that have been updated regularly to meet HITRUST standards. These templates can then be modified to reflect your organization’s environment and implemented procedures. If writing policies and procedures is not an expertise you have on staff, you will want to hire a firm to facilitate the collection of information from your subject matter experts and then document your policies and procedures in such a way as to meet HITRUST requirements and illustrative procedures. 

If you do have the expertise on staff to write policies and procedures, having templates built around the HITRUST framework can be a great place to start, as they will provide the guidance needed for making your own more efficient and effective. 

Ready to choose your HITRUST assessor?

Don’t let the complexity of HITRUST CSF Certification overwhelm you. By partnering with the right firm, you can break HITRUST down to its components, understand your roles and responsibilities, and get started on the right foot.

Wipfli has been helping organizations achieve certification since 2013, when we were one of the first firms to become an authorized HITRUST External Assessor. We’re also a member of the HITRUST Authorized External Assessor Council, whose members help ensure the HITRUST CSF can continually ensure and evolve its integrity, effectiveness and efficiency. Click here to learn how Wipfli can add value to your organization as your HITRUST assessor, or continue reading on:

What is HITRUST, and why does it matter?
Common misconceptions from a HITRUST Authorized External Assessor
HITRUST scoring 101: How scoring works and how to self-score