This is a high-level overview of the most significant changes about the updated HITRUST scoring rubric and PRISMA model that will affect all organizations using the HITRUST framework. It contains tips and guidance for how to prepare for upcoming HITRUST assessments. If you need a deeper dive into the changes, read the Coalfire Scoring and Rubrics White paper or contact us.
Here Are the Basics
[If your organization is new to HITRUST or you need a refresher on the HITRUST structure, this section is for you. If you’re a HITRUST veteran and are curious about the changes, skip to the “Updated Scoring Rubric” section below.]
The HITRUST framework consists of 19 assessment domains, each of which must be assessed to qualify for a validated assessment report. You can think of domains as information security components such as endpoint protection, third-party assurance, risk management, and access control. Within each domain are requirement statements – the elements to be tested during the assessment.
Requirement statements are assessed against five maturity levels:
- Policy – an executive statement that states what must be done.
- Procedure – a detailed document that describes how the organization does what their policy states. It must describe the operational aspect of the control, such as how it will be implemented, who’s responsible for implementation, how frequently the control is performed, and on what the control is performed on.
- Implemented – this level is about doing what is documented in the policies and procedures.
- Measured – a periodic test, conducted outside the HITRUST assessment, of the operating effectiveness of implemented controls.
- Managed – a risk treatment process that is designed to mitigate risks identified during internal measurements. Includes the documented actions and activities involved in mitigating the risks.
The maturity levels are scored for all in-scope requirements. During the scoring process, the maturity levels receive one of the following scores:
- 0% - Non-Compliant
- 25% - Somewhat Compliant
- 50% - Partially Compliant
- 75% - Mostly Compliant
- 100% - Fully Compliant
These scores, in combination with the weighting of each maturity level, give a requirement statement its overall score. Once all requirement statements in a domain are scored, they’re averaged – then they become the domain’s overall score. To receive a HITRUST validated assessment report with certification, an organization must have a score of 62.00 or greater for each domain.
Weight Changes for Scoring
All self-assessments and validated assessments will be required to adhere to the new scoring weights released September 3, 2019 under HITRUST Bulletin HAA 2019-007: Updated PRISMA Attribute Weights.
The updated weights will be effective on all validated and self-assessment objects created on or after December 31, 2019. Assessment objects created prior to December 31, 2019 will continue to observe the current PRISMA attribute weights. Interim assessments performed after December 31, 2019 will observe the PRISMA weights in effect at time of performance of the original validated assessment.
The following chart shows the old weights/updated weights per maturity level.
The most dramatic and influential change is that Implemented is now worth 40% of a requirement’s score. To account for this level having an increased weight, the Policy and Procedure weights have been reduced to 15% and 20% respectively. The Implemented level’s weight is now worth more than Policy and Procedure combined.
The weight values of Measured and Managed have been reversed. Measured is now worth 10% and Managed is worth 15% of a requirement’s score. Consistent with previous HITRUST guidance, an organization cannot score higher in Managed than in Measured.
The significant weighting of the Implemented level presents options for HITRUST certification. An organization may choose to commit more resources to Measured and Managed, while reducing them on Policy and Procedure – all while maintaining scores that achieve certification. Organizations already scoring well in Policy, Procedure, and Implemented will experience minimal impact because they still combine for 75% of a requirement’s score.
Ultimately, the increased weighting on Implemented and decreased weighting on Policy and Procedure will allow organizations to focus on the most critical components of maintaining a robust risk management program that supports eligibility for HITRUST certification.
Updated Scoring Rubrics
On September 20, 2019, HITRUST released the updated Control Maturity Scoring Rubric. The announcement was part of HAA 2019-009: Updated Scoring Rubric.
The most notable change is that each of the five maturity levels now have individual rubrics. This update provides an increased level of prescriptiveness to scoring and should provide for greater consistency across all self-assessments and validated assessments. In order to score a requirement, an assessor must now use the matrix to understand an organization’s strength and coverage per maturity; strength and coverage are discussed in detail in the accompanying white paper.
Other significant changes to the rubric include the removal of terminology such as “ad-hoc”, “some”, and “partial”. Each of the matrices use concise language to determine how to score a requirement. The rubric also defines the criteria requirements for documented policies and procedures, and how to easily interpret Measured and Managed score requirements. The final significant change is that organizations can no longer receive credit for Automated Procedures. Using the previous rubrics, it was possible to grant the score of 100% for Procedure if the control was fully automated in implementation, such as setting the frequency of antivirus scans. Now, each requirement must be able to be mapped back to a formally approved procedure document.
Validated assessments resulting in HITRUST certification will observe the original score weights during the interim assessment if they are submitted and accepted by HITRUST on or before December 31, 2019. This means that that the maturities will be 25% for Policy, Procedure, and Implemented, 15% for Measured, and 10% for Managed. HITRUST recommends submitting all validated assessments by December 15, 2019 to reduce the risk of the report not being accepted prior to the full QA cycle.
Summary and Recommendations
Due to the significant changes in the way validated assessments are scored and how those scores are weighted, organizations seeking to obtain HITRUST certification for the first time, or organizations planning to maintain their HITRUST certification status must be actively preparing for all upcoming changes.
If your organization is new to HITRUST, a thorough self-assessment is your best starting point. This assessment will introduce your organization to the scoring methodology, determine what your organization’s in-scope control set is, and identify organizational risks. Coalfire recommends conducting a facilitated self-assessment because it provides an increased level of assurance that your organization is prepared for a HITRUST validated assessment.
If your organization is experienced with HITRUST and has previously undergone a validated assessment, you should review your previous validated or interim assessment reports. If your organization scored poorly in Implemented but scored well in Policy and Procedure, ensure that remediation activities are being tracked and managed to completion. If your previous HITRUST assessment relied on Automated Procedures, ensure that documented procedures will be available for review for any upcoming assessments. Additionally, consider documenting all internal measurements performed by your organization and the corresponding Corrective Action Plans to gain additional points in the Measured and Managed maturities.
Finally, be sure to subscribe to the HITRUST Newsletter. The newsletter provides the most up-to-date information regarding changes in the HITRUST assessment methodology, new guidance and rules, invitations to upcoming webinars, and announcements about changes to the framework.
Check out the following resources for more information about the changes in scoring methodology and updated rubrics: