Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


Are you ready for your HITRUST validated assessment?

Dec 17, 2021

If you’re facing a HITRUST assessment, are you ready to handle the many requirements, typically between 250 and 600, you need to be certified against? A validated assessment, overseen by an Authorized HITRUST External Assessor, is a formal audit of your security protocols. It’s generally conducted over 75 days.

To ensure the safety and security of critical data, your service organization may be required to obtain certification through the HITRUST assurance program, a risk-management leader safeguarding information across industries globally. HITRUST ensures its programs are aligned and structured to support a company’s information risk management and compliance objectives.

The organizations requiring this certification from their vendors are likely to be part of complex, highly regulated industries like healthcare and insurance. The validated assessments are the core of the certification process.

The business being assessed, typically a technology vendor, scopes out which specific software applications or other systems they need to have certified through the validated assessment. The hired external assessor examines those applications in-depth, including the various risk factors pertaining to whether the software is physically located on the company’s premises or hosted in the cloud.

Some examples of what you can expect during the assessment include:

  • A review of organizational charts, policies, procedures and other documentation.
  • Interviews with key personnel.
  • Testing and review of system configurations and other evidence of technical controls.
  • Physical walk-throughs of applicable facilities.

Before the assessor digs in, your organization does its own initial scoring and collects evidence to support those scores. That information is turned over to the external assessor, who reviews all the evidence and either agrees or disagrees with those scores in determining how well the requirements have been met. For instance, for a requirement about anti-virus control, if the assessor found the software was included on only 75% of the computers, the assessor would point out the gap. Your company wouldn’t receive a full compliance score in that area.

At the time of the assessment, organizations must have all of their documented policies, procedures and other evidence ready for scrutiny and have a subject matter expert available for each assessment domain. It’s also essential to provide access to any third-party facilities — like a hosted data center— because the assessor will need to ensure controls exist there too.

Establishing the scope of the assessment

In determining the scope of the controls and processes being assessed, it’s essential to make sure the parameters align with the expectations of your customers. If a key aspect of your environment that the customer’s organization relies on is left out of the assessment, then certification will be of minimal value. Having an assessor’s assistance upfront can provide valuable guidance to help ensure nothing is left “unchecked” when it comes to the scope.

As part of the validated assessment, service organizations must sign a HITRUST Validated Report Agreement and Representation Letter (a letter of forthcoming stating you have not withheld any information). Once the validated assessment is completed and submitted, HITRUST reviews the results. During this process, it may require a corrective action plan (CAP) should there be deficiencies. If your organization meets most of the requirements for certification, for example, yet has a few minor deficiencies, HITRUST may grant certification, but with a CAP detailing the deficiencies that need to be addressed in a timely manner. Your organization will then need to address those CAP report items as part of a subsequent interim assessment when the assessor checks in to see whether they have been resolved.

Using the MyCSF Assessment tool

Throughout the assessment journey, participants — both the organization being assessed and the assessor — use HITRUST’s web-based assessment tool called MyCSF® to manage the entire process. Service organizations can purchase one of the two offered subscription options: a 90-day, report-only access or an annual subscription. Because offerings and pricing vary, working with HITRUST at the outset can help you make the most cost-effective decision based on your circumstances and objectives.

Inheriting scores to speed the process

To save time and effort during the validated assessment process, you may be able to benefit from what’s known as the inheritance process. This means that you can ride the coattails of your vendors who have already been HITRUST certified, which will save you time and money.

For example, cloud service providers like Microsoft Azure and Amazon Web Services have been certified through HITRUST, so your organization may be able to leverage those assessments and “inherit” scores from certain requirements without the need for their own reassessment.

But the request for inheritance must be made at the beginning of the certification process through the MyCSF tool. There are other ways to provide this evidence, such as relying on a third-party audit report, but those may be more cumbersome and may not cover everything needed.

Another step to keep in mind is the need to book a reservation early on for a quality assurance check from HITRUST that takes place no sooner than two weeks after the formal submission of the validated assessment. The system gets filled quickly, so this prompt booking is necessary to keep the process on track. The 14-day window gives HITRUST time to makes sure all details of the testing are in place before the formal QA analysis gets underway.

Also, with regard to timing, as organizations gather their evidence, HITRUST rules require that the policies and procedures being assessed must be in place at least 60 days before they are tested during the validated assessment, and 90 days for security controls. No last-minute implementations are permitted under the rules.

Choosing the right assessor

To ensure a smooth and successful certification process, no step is more important than choosing the right assessor for your needs from the nearly 100 assessor organizations on the HITRUST website. Some factors to consider are how much experience an assessor has and what their track record is for thorough, accurate submissions.

It’s useful to find out whether the assessor thoroughly reviews all document to make sure each they are correctly completed before uploading them through the MyCSF tool. If the documentation is rejected by HITRUST because of poor quality validation testing by the assessor, this could lead an escalated quality assurance step and a significant delay in the certification process. In the worst case scenario, an assessment may be rejected in its entirety and the organization may need to start over. While no assessor is perfect, it is worth inquiring about their submission success rate when weighing candidates to hire as your assessor.

You and your organization benefit from having a communication plan with your assessor and an agreed upon approach to resolving issues that come up at all stages of the process. With the size and complexity of a validated assessment, it pays off to work with the right assessor to ensure you smoothly navigate through this process to earn your HITRUST certification.

How Wipfli can help

Our HITRUST assessments will evaluate your security programs against regulatory mandates and industry standards (e.g., HIPAA, HITECH, CMS, PCI, COBIT and NIST) while helping you achieve HITRUST certification. Wipfli is one of the longest tenured assessor firms in HITRUST, so we bring the experience you need. Learn more on our HITRUST services page or contact us.

Related resources:


Paul J. Johnson, CPA
View Profile