
7 signs you should switch your HITRUST® Authorized External Assessor

Aug 08, 2021

If you’re aiming for HITRUST CSF® Certification, you have a challenging goal ahead of you. You want a HITRUST External Assessor and partner who will provide coaching and guidance so you can hit that target on the first try. Unfortunately, things don’t always go as planned, leaving you feeling like you’re not getting the service you expected — the service you need to reach compliance and keep your data secure.

Maybe you’re considering switching to a new External Assessor, but you’re worried. How much will changing assessor firms impact your workload? Will it make a meaningful impact toward certification? When’s the best time to make the switch?   

Our take is that the right partner can make a world of difference. We want to see you succeed and achieve HITRUST Certification with high scores and little to no corrective actions. To succeed, we believe you need an experienced HITRUST External Assessor who will partner with you, proactively, to meet your compliance goals.  

If that doesn’t sound like your External Assessor, it might be time to find a new firm. Here are the top seven pain points we’ve been hearing from organizations who made the switch:

1. HITRUST submission rejections

HITRUST Certification is a complex project. If you’re going through the certification process and your submission has been rejected multiple times, or if you barely squeaked through with an onerous number of corrective action items, you may need a new External Assessor.

Ask prospective assessors about their record of success. How many clients achieve certification on their first submission? What’s their average HITRUST score? Gauge how willing they are to provide this information and then check their references.

2. Scope clarity issues

Lack of scope clarity is a common issue that can complicate or even derail your HITRUST efforts. When pursuing HITRUST Certification, you don’t need to certify the entire organization or every location. An experienced HITRUST External Assessor will help you identify the proper scope so you’re not overreaching.

If you’re working with an assessor who is not particularly savvy in defining the scope, that can cause difficulty in the evidence gathering and testing phases of the HITRUST CSF Validated Assessment, resulting in inconsistent or missed testing of certain system components.

3. Quality assurance issues

HITRUST External Assessors are supposed to follow a certain set of guidelines in testing controls. If those standards aren’t adhered to, issues can be raised in the quality assurance phase of a Validated Assessment, resulting in certification delays. Your assessor may be asked to expand or redo testing or, in the worst-case scenario, start over.

4. Engagement delays

With a project of this magnitude, timing matters. We’ve heard horror stories from companies who had a HITRUST engagement lined up, only to be told their assessor wasn’t ready when the time came. That can have a significant impact on your internal resources as well as the certification obligations you have to your clients. Check your prospective assessor’s references. Ask about how well they adhere to the project schedule.

5. No sense of partnership

Another one of the concerns we’ve been hearing is that clients weren’t feeling a true sense of partnership with their HITRUST External Assessor. Some assessor organizations are designed for high volume. They work with a cookie-cutter process that doesn’t lend itself to customization.

A true partner sets the stage for a long-term relationship. They will treat client needs like their own, helping a client organization identify the best approach for them and their specific needs.

6. Lack of technical expertise

Another common complaint we hear about assessors is that they don’t understand the technology their clients are deploying. If an assessor doesn’t understand cloud services, for example, they’ll struggle to test the relevant controls appropriately.

You want a partner who knows your technology platform and speaks your language when it comes to cloud services. If you must explain how a system works — or you find yourself answering misguided assessment questions — it may be time to change your assessor.

Check for certifications as you seek out a new partner. Ask about relevant certifications that may be applicable in your industry and the technologies you use. If you have complex compliance needs, you may want a firm competent in regulatory requirements such as NIST, HIPAA, SOC and a variety of other regulations that can be unified under a HITRUST assessment.

7. Lack of HITRUST expertise

Are you getting what you signed up for when you contracted with your HITRUST External Assessor? Perhaps you were sold on the credentials of a few Certified CSF Practitioners (CCSFPs), but your account is being handled by inexperienced team members. Or perhaps your primary point of contact is a generalist project manager who continually has to refer back to the specialists to answer questions.

Your assessor should have extensive experience. Ask about the number of CCSFPs on the team and find out who your primary point of contact will be. At Wipfli, for example, every project is managed by an experienced leader with the CCSFP and Certified HITRUST Quality Professional (CHQP) designations, so you’re working directly with a specialist throughout the engagement.

Also look for a firm with a strong reputation in the HITRUST industry, such as a firm serving on the HITRUST Authorized External Assessor Council and Quality Subcommittee and/or working groups.

Changing HITRUST External Assessors: Steps to streamline the transition

Whether you’re looking for better service, access to more experienced assessors or greater responsiveness, you’ll want to manage the transition to ensure the smoothest handover. Here are some considerations when making the switch:

1. Identify your “out”

Your engagement contract may cover both the Validated Assessment and Interim Assessment. Review your agreement to understand what your contract covers and what stipulations would allow you to exit the contract early.

2. Plan your timing

If you’ve successfully made it through a HITRUST Certification, you’ll need to decide whether to switch before or after your Interim Assessment. Even if they’ve had difficulties, some organizations choose to wait until after the Interim Assessment to complete the engagement contract and make the cleanest break.

On the other hand, perhaps you’ve lost confidence in your assessor and want to switch sooner. Engaging a new vendor for your Interim Assessment is a smaller-scale way to test the waters. An interim engagement is typically 20 to 40 hours, so it can give you a good sense of how that assessor operates before you commit to a large-scale project like your next Validated Assessment.

3. Update HITRUST MyCSF®

When going through a Validated Assessment or an Interim Assessment, organizations select their assessor firm in the MyCSF SaaS assessment tool. If past assessment and supporting documents are locked down under your original assessor, you’ll need assistance from HITRUST to make the switch. (This is doable, but plan extra time for it.)

4. Turn over information

Understand how you are going to onboard your new HITRUST External Assessor and get them the relevant information. If your initial assessor hasn’t provided a great deal of detail, your new partner may have to do some reverse engineering to help you with activities such as corrective action plans.

How Wipfli can help

Don’t let a poor fit with a HITRUST External Assessor discourage you. By partnering with the right firm, you can get tailored HITRUST guidance, high-touch project management and the specialized expertise/experience you need to meet your goals.

Wipfli has been helping organizations achieve HITRUST Certification since 2013, when we were one of the first firms to become a HITRUST Authorized External Assessor. We’re also a member of the HITRUST Authorized External Assessor Council, whose members help ensure the HITRUST CSF continually maintains and evolves its integrity, effectiveness and efficiency.

Find out how Wipfli can save you time and eliminate headaches as your HITRUST External Assessor.

Author(s)

Paul J. Johnson, CISSP, CCSFP, CPA
Partner