The HITRUST security framework has been the gold standard for ensuring your organization complies with multiple regulations and standards. But efficiency and transparency in the validated assessment process have been challenging due to the size and complexity of these projects.
In a game-changing advance for the HITRUST, the introduction of three new online calculators promises to make the certification experience much easier and smoother. All three tools are free of charge for users.
Previously, much of the assessment process relied on calculations done outside of the platform and the manual input of information from third-party vendors. Users typically have had to set up spreadsheets to answer assessment-related questions. These necessary steps bogged down the certification process.
The three calculators will speed up many of the preparatory aspects of the process, offering convenience and accuracy that will make them indispensable.
Here’s an overview of each tool:
Requirement scoring calculator
Before undertaking the validated assessment, organizations can use the new HITRUST scoring calculator to get a clear sense of where they stand regarding the certification requirements. The tool essentially evaluates readiness for the assessment itself. It looks at control maturity levels in policies, procedures and other categories and weights their relative importance to provide a compliance score for each area.
This gives organizations a clear picture of any gaps and whether corrective action plans are needed at the start. It’s effective as a demonstration of where you are and what you need to do before you undertake the time and expense of the validated assessment itself.
The calculator lets you explore different scoring scenarios for a single requirement across all HITRUST assessment types. It supports both the current and legacy control maturity weights and incorporates up-to-date program advisories.
This tool can be implemented both before and during the validated assessment. It explores different scoring scenarios involving the inheritance of third-party assessment scores without needing to make actual inheritance requests.
When an organization outsources parts of their operations (for example, their data center may be handled by Azure or AWS), they can inherit those controls from wherever that information is hosted in the cloud. The calculator imports this data from outside providers and enters it into HITRUST.
Those particular controls don’t need to be tested separately because they’ve already been tested by the third-party service provider. The calculator automatically provides a raw score for each control being tested. The tool lets you know the percentage the inherited information represents out of the total score.
Considering that typically anywhere from 250 to 600 controls are being tested in the full assessment process, the tool for incorporating third-party data will be a tremendous time-saver.
Online sample size calculators are not a new invention and neither are random sampling tools. But only now have they been adapted to incorporate the HITRUST prescriptive sampling guidance outlined in the HITRUST scoring rubric.
The sampling calculator can be used in many sampling scenarios that arise in validated assessments, including:
- Sampling from a point-in-time population.
- Sampling control occurrences of controls operating at a defined frequency (e.g., daily, weekly, monthly, quarterly).
- Sampling control occurrences of controls operating at an undefined frequency (e.g., as-needed controls).
- Testing automated controls.
This calculator defines the minimum sample size required and can be used to randomly generate sample selections based on the population size or testing date. The selections can be copied to a clipboard for easy importing into Excel, and the whole calculator can be exported for optional inclusion in the assessment documentation. It’s a helpful alternative to making a custom spreadsheet for sample size determination and random sample selection.
Organizations stand to benefit from the tools, both because of the broad insights they will provide and their ease of use for all involved parties.
How Wipfli can help
Wipfli has deep experience as a HITRUST assessor firm and can help you evaluate your security programs against regulatory mandates and industry standards (e.g., HIPAA, HITECH, CMS, PCI, COBIT and NIST) while helping you achieve HITRUST certification.
We’re excited to demonstrate the value of the new calculator tools to enhance the validated assessment experience. Contact us to learn more about our HITRUST consulting and certification services.
Sign up to receive additional security and risk mitigation information in your inbox, or continue reading on: