HITRUST – phases, etc

This process has four main phases: readiness, remediation, validated assessment and the HITRUST Quality Assurance review. The culmination of the HITRUST assessment process is certification.

1. Readiness

The readiness step starts with a readiness assessment. The readiness assessment can be completed using the HITRUST MyCSF tool.

Once the scope is determined, the partner will examine and measure all documentation relating to policies and procedures against current HITRUST requirements and controls. During this time, the assessor performs testing of controls to validate whether they are working as listed. All gaps are documented for remediation.

This can take up to 8 weeks, depending on the size and complexity of the organization’s infrastructure.

2. Remediation

All performance or documentation gaps found during the readiness phase will be addressed by the organization during this time. The goal of this phase is to identify and rank gaps in your organization by risk level. This provides the organization with opportunities for remediation before moving forward to the validated assessment.

During the remediation phase, authorized assessors should work to understand the organization’s environment and the normal flow of data through systems within the scope. They analyze requirements to understand the organization’s controls, identify gaps, and propose workable solutions to remediate any gaps found. Then, as the company works to remediate issues, assessors can provide ongoing support and review progress towards reaching compliance.

This process can take up to 6 months the first year, depending on the type of remedial actions required by the organization.

3. Validated Assessment

During the validated assessment, the assessor tests the defined control requirements of each designated category. An on-site risk assessment usually includes interviews with key personnel, reviewing supporting documents, sampling, penetration testing and vulnerability scans. Each requirement is evaluated and scored against the following control maturity attributes:

  • Policy,
  • Process/Procedure,
  • Implementation,
  • Measured, and
  • Managed.

Based on these control maturity levels, the levels of compliance are:

  • Fully compliant,
  • Mostly compliant,
  • Partially compliant,
  • Somewhat compliant, and
  • Non-compliant.

During this assessment testing phase, authorized assessors review and validate the organization’s scores. Then, they send the final assessment to HITRUST for approval. The final decision about approving or denying the application for certification is made by HITRUST.

4. HITRUST’s Quality Assurance Review & Report Generation

Once the validated assessment is complete, the assessment is submitted to HITRUST for their quality assurance review and generation of the final report. The typical duration of HITRUST’s processing of a submission ranges from 4 to 8 weeks.

How long does it take to get HITRUST certified?

This depends mostly on your organization’s preparedness and the skilled guidance provided by your assessor. If this is the first time that your organization is working towards HITRUST certification, the process may take up to 12 months to complete successfully.

How Long Is HITRUST Certification Valid For?

The HITRUST certification is valid for 24 months, with an interim review required to ensure standards continue being met. After 12 months, interim assessment testing is required. This is designed to ensure the ongoing effectiveness of data security controls for organizations that have already received certification. Interim testing also serves to update the scope and scores as needed.

After two years, certification expires and the organization must go through the process of recertification. However, the HITRUST Bridge Assessment can help organizations to maintain their HITRUST certification report for an additional 90 days while working to complete re-certification.

Organization of the HITRUST CSF

The HITRUST CSF is a framework that normalizes security and privacy requirements for organizations, including federal legislation (e.g., HIPAA), federal agency rules and guidance (e.g., NIST), state legislation (e.g., California Consumer Privacy Act), international regulation (e.g., GDPR), and industry frameworks (e.g., PCI, COBIT). It simplifies the myriad of requirements by providing a single-source solution tailored to the organization’s needs. The CSF is the only framework built to provide scalable security and privacy requirements based on the different risks and exposures of each unique organization.

Key Components

The CSF was designed with security and privacy professionals in mind. By taking an abstraction of what is core to and common across most dominant frameworks, the architecture was deliberately chosen to facilitate straightforward understanding and easy consumption. Each control category in the CSF includes control objectives and control specifications, leveraging the primary categories from the ISO/IEC framework, as well as the inclusion of specific categories for an information security management program and risk management practices, which collectively help to ensure organizational, regulatory, and system controls are properly specified and implemented. The core structure is then integrated with various authoritative sources, along with the experience and leading practices of the HITRUST Community, to create specific implementation requirements for each control. All requirements are mapped to the related framework, standard, or regulation, and noted as an authoritative source.

Control Categories

The CSF contains 14 control categories, comprised of 49 control objectives and 156 control specifications. The CSF control categories, each followed by its number of control objectives and control specifications in the form (objectives, specifications), are:

  1. Information Security Management Program (1, 1)
  2. Access Control (7, 25)
  3. Human Resources Security (4, 9)
  4. Risk Management (1, 4)
  5. Security Policy (1, 2)
  6. Organization of Information Security (2, 11)
  7. Compliance (3, 10)
  8. Asset Management (2, 5)
  9. Physical and Environmental Security (2, 13)
  10. Communications and Operations Management (10, 32)
  11. Information Systems Acquisition, Development, and Maintenance (6, 13)
  12. Information Security Incident Management (2, 5)
  13. Business Continuity Management (1, 5)
  14. Privacy Practices (7, 21)

Designed to leverage the best-in-class components for a comprehensive information risk management and compliance program, the HITRUST Approach integrates and aligns the following:

  • HITRUST CSF® – a robust privacy and security controls framework
  • HITRUST CSF Assurance Program – a scalable and transparent means to provide reliable assurances to internal and external stakeholders
  • HITRUST MyCSF® – an assessment and corrective action plan management SaaS platform
  • HITRUST Threat Catalogue™ – a list of reasonably anticipated threats mapped to specific CSF controls
  • HITRUST Assessment XChange™ – an automated means of sharing assurances between organizations
  • HITRUST Shared Responsibility Program – a matrix of CSF requirements identifying service provider and customer responsibilities
  • HITRUST® Third-Party Assurance Program – a third-party risk management process
