HITRUST® inheritance is one of the most useful features that organizations can leverage as part of their HITRUST validated assessment. But many organizations haven’t heard of inheritance or, if they have, don’t know exactly what it is and why it’s so useful.
What is HITRUST inheritance?
HITRUST inheritance allows an organization to partially or fully inherit requirement scores from another HITRUST assessment. Inheritance can be internal (inheriting scores from another of your own organization’s assessments) or external (inheriting scores from a service provider’s assessment).
Internal inheritance is extremely useful when you’re testing with a different scope than your previous assessment. For example, if different software systems are in scope this year, but certain system-level and organization-level controls haven’t changed from last year, you can inherit the scores related to those system and organization controls that you achieved in the prior-year assessment. You don’t have to re-test those same areas. You only have to test the part of the scope that’s different.
External inheritance means you inherit a service provider’s scores for the areas of your scoped environment where the provider, rather than your organization, is responsible for the controls.
For example, one of the 19 HITRUST assessment domains is physical security. If your company has no physical office locations, you might pause here wondering how you are going to get a passing score on physical security. Your data is stored in physical data centers, but those data centers belong to and are managed by your cloud service provider. Without inheritance, you have two options: directly audit your service provider to determine the appropriate scores, or translate an audit report the provider gives you, such as a SOC 2, into HITRUST scores. Neither option is always feasible. First, larger cloud service providers typically do not let customers audit them (partly because of the sheer volume of requests they would receive), and you may not even have a “right to audit” clause in your contract with a service provider, large or small. Second, other types of audit reports are not as comprehensive as HITRUST, leaving gaps and potentially bringing your scores down. However, if your cloud service provider is HITRUST certified, you can inherit its scores for the physical security requirements it is responsible for.
What are the benefits of inheritance?
The number one benefit of inheritance is the time and money your organization saves by not having to re-test specific controls. Each time you undergo a HITRUST assessment, you need to collect a wide range of evidence to support your scores for each requirement. Your assessor must then examine that evidence and validate your scores. When you’re testing hundreds of controls and collecting evidence for each, you’re committing significant hours to the assessment, and so is your assessor. By inheriting scores, whether internally, externally or both, you can reduce the number of hours your organization and your assessor must spend on the assessment, which also leads to reduced assessor fees and the ability for your team to focus on other business priorities.
There are more benefits to inheritance, too. By inheriting scores from a service provider’s assessment, you can potentially achieve higher scores, because without inheritance you may not be able to obtain the detailed evidence needed to support fully compliant scores. You can also likely get a further boost to your own scores if the provider assessed the measured and managed maturity levels, and not just the policy, procedure and implemented maturity levels that organizations typically assess.
The last major benefit is in the quality assurance (QA) process. Inheritance can speed up QA, and ultimately the issuance of the HITRUST report, because your assessor and HITRUST have fewer requirements whose detailed testing they must review. Once you have identified the scope and confirmed that a requirement can be inherited, no one has to re-validate the quality of the testing performed; that testing was already validated in the source assessment. They are only evaluating whether the decision to inherit the requirement was appropriate.
Considering that HITRUST has its own QA process separate from your assessor’s, inheritance can save significant time and potentially get your report issued faster.
What do you need to know before getting started?
The most important step to leveraging inheritance is proper planning from the beginning. Consider the scope of the assessment and whether there are opportunities to leverage internal or external inheritance. Consult with your assessor early on to help you consider all of the relevant factors.
It’s important to note that there are different versions of the HITRUST CSF, and both internal and external inheritance require your assessment to use the same HITRUST CSF version as the assessment you are inheriting from. Before you decide which version to certify against, check which version was used for the assessments you may inherit scores from. This may also affect the timing of your validated assessment: you may want to hold off for a couple of months if a service provider is in the middle of its own validated assessment on the newest HITRUST CSF version.
Requests to partially or fully inherit requirement scores earned by a service provider are made online within the MyCSF 2.0 tool. If you plan to use internal inheritance, make sure you have the right MyCSF subscription level, because internal inheritance requires a higher subscription tier.
One last tip is to refer to the Shared Responsibility Matrix as a guide to help identify which requirements are eligible for partial or full inheritance. This will help you make crucial decisions from the very beginning.
How can Wipfli help?
If you haven’t used inheritance for past assessments, make sure you consider it for future assessments. It can save time, money and possible headaches down the road.
As a HITRUST External Assessor, Wipfli makes sure to advise clients on inheritance possibilities early on in the planning process. Our deep experience as an assessor means we know the HITRUST framework inside and out. We can walk you through the planning process, help you navigate HITRUST’s complexities and put together a solid plan.
Continue reading on:
Article: HITRUST scoring 101: How scoring works and how to self-score
Article: How to choose the right HITRUST External Assessor
White paper: HITRUST® and the cloud