Is HITRUST worth the effort?

The HITRUST CSF (Common Security Framework) continues to gain traction (and not just in the healthcare industry) as a robust HITRUST security framework to certify against. The Health Information Trust Alliance (HITRUST Alliance) has developed this comprehensive HITRUST cybersecurity framework to address various aspects of information security, risk management and regulatory compliance.

Chances are, if you’re looking into What is HITRUST or how to get HITRUST certified, you have a client or prospect requiring the certification to continue or begin building a business relationship. And because of that, you might also be wondering what the HITRUST CSF Certification involves, and whether it’s worth the effort. Let’s explore the HITRUST compliance process, its benefits and the role of external assessors in the HITRUST CSF Assurance Program.

Evaluating the benefits of HITRUST certification

Fortunately, HITRUST offers benefits beyond meeting contractual obligations or any regulatory requirements that may apply to your organization. Let’s dive into a few of the benefits of the HITRUST security framework.

1. It’s comprehensive and highly regarded: What makes HITRUST CSF so impressive is that it has essentially taken the best pieces of other frameworks and regulations, including HIPAA, and put them into one central control repository. Because of that, HITRUST has gained a reputation for being a robust and comprehensive privacy framework, and getting HITRUST certified carries a lot of weight in terms of demonstrating your commitment to information security and data protection.
2. It’s transparent and consistent: HITRUST offers greater transparency and consistency to external parties — including prospects and clients — and can even reduce requests for security questionnaires and other external audits. The HITRUST CSF provides a standardized approach to assessing and reporting on an organization’s security controls, HITRUST domains, and implementation maturity levels.
3. It delivers a competitive advantage: HITRUST certification isn’t easy to achieve, but it does tell clients that their data is in good hands, so it can actually offer your organization a competitive advantage. You can use the certification in the sales process to gain new clients who would rather work with an organization that’s HITRUST certified than one that isn’t. This is particularly valuable in the healthcare sector, where HIPAA compliance is crucial.

What goes into getting HITRUST CSF Certified?

Since we’re weighing whether HITRUST is worth the effort, we should cover what, exactly, that effort entails. The three main areas of consideration are the requirements, time and cost.

1. HITRUST requirements: Unlike a SOC exam where you define your organization’s controls, HITRUST has predefined requirements that are applied to your organization based on your size, records, transactions and other risk factors. You must audit against all applicable HITRUST requirements prescribed by HITRUST Alliance based on these factors in order to achieve certification. It’s typical to have hundreds of requirements — each needing detailed evidence of compliance — so this is where the majority of your time and effort will go when pursuing a HITRUST certification. The HITRUST CSF covers various assessment domains and control categories to ensure comprehensive security and privacy controls, including HITRUST password requirements and HITRUST encryption requirements.
2. Timeline: HITRUST is not a quick certification. A typical organization can take anywhere from 9-18 months (depending on how prepared your organization is) to complete the readiness/gap identification, remediations or gaps and validated assessment phases. First, your organization will perform a self-assessment, using the HITRUST scoring methodology to evaluate how well you meet the HITRUST requirements and collect evidence to prove these scores. Then an external assessor like Wipfli reviews your scores, inspects the evidence provided and may request scoring changes where needed in order to submit your assessment to HITRUST. Finally, HITRUST Alliance itself performs a quality control process where it reviews your scores and evidence before issuing a report and, hopefully, the certification. 
3. Cost: HITRUST certification cost can be a concern for organizations. You will have to devote internal resources, such as a dedicated project manager, to working on HITRUST certification. You will also need to purchase one of HITRUST’s MyCSF® subscription options, as well as engage a HITRUST External Assessor to perform your validated assessment. There can also be hidden costs if you perform a readiness assessment and discover, for example, you don’t have the networking equipment needed to comply with that requirement and thus need to purchase that equipment. At the end of the day, these costs can all add up into a significant investment.

How to make the HITRUST certification process easier

You can’t really weigh whether HITRUST is worth it to pursue until you take into account ways you can make the process smoother, faster and easier. So let’s cover five best practices for navigating the HITRUST CSF Assurance Program.

1. Obtain internal buy-in for obtaining HITRUST Certification

Obtaining a true commitment to HITRUST is the first step. Your upper management team must be willing to devote the time, money and resources to getting certified. And your project manager must be able to perform the necessary work unimpeded, which means being able to get required evidence from people across departments in a timely manner. Buy-in makes the process easier and faster by giving this person the pull they need.  

In addition to a project manager, the organization should have at least one internal HITRUST subject matter expert (SME). Organizations should identify one person, usually your information security officer, to be your HITRUST SME. This person will gain the necessary knowledge (training, etc.) to implement and manage the controls prescribed by the framework.

2. Perform a HITRUST CSF certification readiness assessment

Performing a readiness assessment is critical for an organization undergoing HITRUST CSF Certification for the first time. As we said above, the more prepared you are, the faster the process will go. By doing a readiness assessment before your validated assessment, you can start locating and logging the evidence you’ll need during the assessment, as well as identifying gaps in your compliance. Then you can close those gaps, which further ensures your chances of achieving certification. 

3. Use crosswalks to document HITRUST requirements

A crosswalk document lays out all the HITRUST certification requirements you must audit against and exactly what evidence you’ll need to provide. This allows you to put the policy or procedure documents and the page number the evidence is located on right into that crosswalk. Because you need to provide HITRUST with a self-score and the basis for that score, having the crosswalk put together allows you to organize all of the evidence needed to support that score. All in all, the crosswalk keeps you organized and makes the HITRUST validated assessment faster and easier. Plus, it can be updated and reused for future assessments, including your HITRUST interim assessment.

4. Name more than one dedicated HITRUST project manager

When everything about the HITRUST certification process is funneled through one person, it can get overwhelming and start to hold up the timeline — especially considering the process can take 12 months, and that project manager deserves to use their PTO. Who is capable enough to fill in for them while they’re on vacation?

Having more than one project manager or a reliable and dedicated team spreads out the workload, providing not just a backup resource while one is unavailable but also providing at least two different people your External Assessor team can come to with questions.

5. Use the MyCSF tool

The HITRUST alliance has built a tool called MyCSF that helps organizations stay organized during the certification process. The HITRUST controls, domains, and scoring methodology are built into the MyCSF tool, you can submit evidence via the tool and you can even access guides to help answer any questions. Using MyCSF means you don’t need to work in spreadsheets and take the risk of multiple versions of that spreadsheet floating around. The MyCSF tool is an integral part of the HITRUST CSF Assurance Program and can significantly streamline your certification journey.

Achieving your HITRUST CSF Certification

While getting HITRUST certified won’t happen overnight, we’ve seen how much the added value can outweigh the effort for many organizations. At the end of the day, you’ll have significantly improved your information security program and reduced the chances of a data breach, you’ll be in compliance with customer contracts, and you can use your certification — and the weighty name behind it — as a tool to gain new customers.

Another way you can make the process smoother? Work with an experienced HITRUST external assessor firm like Wipfli. We can take you through your readiness assessment to identify and close gaps and prepare you for the validated assessment. We even have a HITRUST checklist template we can share to assist with the evidence-gathering process. And, of course, we can work with you on your validated assessment as part of the HITRUST CSF Assurance Program, helping ensure that you meet all compliance requirements and achieve the desired HITRUST levels.

Learn more about Wipfli’s HITRUST services. Sign up to receive additional information security and cybersecurity information in your inbox.

What is HITRUST, and why does it matter?
The path to HITRUST certification: Five reasons to start now
Tips for gathering evidence for your HITRUST validated assessment
How to choose the right HITRUST External Assessor