Compliance

Coalfire and HITRUST – 9 years, 1,000 engagements and counting

Zach Shales 70px png

Zach Shales

Senior Director, Cloud Infrastructure, Coalfire

Blog Images 2022 HITRUST 9 years tile

Since 2007, HITRUST® has offered programs that protect sensitive information and allow organizations to manage information risk globally across all industries and throughout the supply chain. In collaboration with information security, privacy, and risk management leaders from public and private sectors, they develop, maintain, and provide access to comprehensive risk and compliance management frameworks, and related assessment and assurance methodologies.

To help enable this vision, the company created the External Assessor program – these are organizations that have been approved by HITRUST for performing assessment and services associated with the HITRUST CSF® Assurance Program and the HITRUST CSF. External Assessors are critical in providing trained resources to organizations of varying size and complexity to assess compliance with security control requirements and document corrective action plans that align with the HITRUST CSF. These organizations are bound by HITRUST’s Assurance Program requirements to provide high quality and consistent assessments.

Coalfire followed the growth of the HITRUST CSF over the years and in 2011 we joined the effort to help organizations protect sensitive data as an External Assessor. We were one of only a handful of External Assessors for several years until market demand for the HITRUST CSF spiked in June 2015 when several large health payer organizations selected the framework as a vendor risk management solution. These payers recognized the challenges of managing third-party risk as consistency, integrity, transparency, and scalability. Effectively assessing hundreds, and even thousands, of vendors' security and privacy posture was prohibitively expensive given the complexity of the risks. Covered entities could gain significant reductions in the cost and level of effort of vendor risk management by streamlining the process with a single, comprehensive framework. They needed something that harmonized multiple standards and best practices, plus enabled one assessment to produce reports in multiple formats – the “Assess Once, Report Many ™” philosophy.

On June 29, 2015, several health payers announced a mandate for 7,500+ of their business associates to become HITRUST CSF Certified within 24 months. As expected, this caused a mad scramble by these vendors to learn more about the HITRUST CSF, the level of effort and associated costs for certification, plus the benefits to their organizations. Ultimately, they learned that it was not only about meeting the mandate to secure the revenue represented by these health payer customers, but also about how the framework allowed them to mature their overall security programs. This let them gain even more revenue by using the HITRUST CSF as a competitive differentiator to demonstrate a much higher level of customer data protection.

Fast forward to 2018 when several academic medical institutions banded together to form the Provider Third-Party Risk Management (PTPRM) Council. They also determined that ineffective security, compliance, and assurance methods can cause increased cost and confusion within organizations and across third parties. They decided to leverage HTRUST to develop, recommend, and promote a series of practices to effectively manage information security-related risks throughout the supply chain and safeguard patient safety and information.

But even with these successful programs, the framework proved to be more than a third-party assurance solution for managing vendor risk. We witnessed the growth of the framework over the years as it evolved to include key privacy and security developments at the state, national, and global levels. New framework versions addressed organizations' needs to comply with new regulations such as the EU’s GDPR, the CCPA, and most recently preparing for CMMC.

From an emerging technology perspective, the CSF has kept pace with everything from cloud adoption trends to enterprise blockchain applications. It expanded to cover the needs of global organizations in industries outside healthcare that needed a proven information risk management solution and a way to manage vendor risk.

Our clients report ancillary business benefits, such as an elevated level of organizational energy with HITRUST that helped to facilitate communication and collaboration across the organization, in addition to the standard benefits they expected to achieve.

That’s why this month we’re celebrating our nine-year anniversary as a HITRUST Authorized External Assessor having delivered more than 1,000 HITRUST engagements since we first partnered with HITRUST in 2011. These years of experience allow us to bring the extensive knowledge and expertise crucial for successful certification – not to mention proper preparation and optimization of the framework after the hard work of certification is complete.

Today, with over 90+ External Assessors in the program, it’s important to choose the right partner. Coalfire strongly recommends partnering with an External Assessor that can meet the following requirements:

  • Several years as an External Assessor – Given the complex journey of a HITRUST CSF engagement, you’ll want to give serious consideration to the number of years the firm has been part of the assessor program. Seasoned assessor firms have learned the ins and outs of the program first-hand and can guide you accordingly.
  • A pure-play cybersecurity company – You don’t get your corporate taxes done at a cybersecurity company so why would you get your cybersecurity advisory and assessment services from a CPA firm? If your organization prioritizes security and wants a proactive approach to risk as opposed to a “check the boxes” compliance-type assessment, you should work with a best-of-breed firm that’s 100% focused on security. Unlike a CPA firm who may be dabbling in security, cybersecurity firms employ deep expertise and domain experience that are fully focused on security and IT risk.
  • Involvement in the HITRUST community – External Assessors that host Community Extension Programs (CEPs), participate in HITRUST Working Groups, and sit on HITRUST’s numerous councils demonstrate a vested interest in HITRUST. These companies are familiar with HITRUST and can guide your organization successfully through the journey.
  • A high number of HITRUST CSF engagements delivered in the last year – You want to hire an experienced firm; you don't want to work with a consultancy that is using your project to build out a service for their immature offering. While volume alone shouldn't be the key decision point, it provides an objective way to differentiate assessor firms.
  • Consider where the work is performed – It’s important to work directly with the team advising or assessing your organization as opposed to an organization that does not conduct their own HITRUST projects and relies on outsourced resources. Not all companies perform their own HITRUST projects and this can lead to a frustrating experience when working with those organizations.
  • HITRUST engagements with organizations that share similar characteristics as your own – This is an important question; you don't want to select a partner that doesn't have experience working with companies like your organization. Consider their experience working with covered entities or business associates that may require specific technical expertise. Look at their experience with small, mid-market, and enterprise organizations, or other unique aspects such as working with organizations that have a limited security team size, which may require more resources.
  • Quantity and quality of reference customers – We highly recommend you conduct reference interviews that would ideally include organizations that share similar characteristics or face similar risk and security challenges as your organization. If the assessor firm says they cannot provide specific customer names due to anonymity, ask them to arrange blind interviews where you don't know what company is on the other line.
  • The background of the typical consultant and number of HITRUST CSF practitioners on staff – What is the skillset and history of the typical consultant? Will you get the same caliber of onsite consultants that was proposed in the scope of work? It's also important to get the background for the individual that will manage your engagement. This individual will be interfacing with your leadership and will essentially be the face of the project. Additionally, the number of practitioners lets you gauge the level of commitment the firm has to the HITRUST CSF program and whether they have availability to take on your project.
  • Defined and proven methodology – Be sure to understand the process that enables the firms’ consultants. Do they have a mature process for delivering HITRUST CSF Certification projects? Can they demonstrate this in full detail? How has the assessor adapted to remote-only work?
  • Customers in industries outside of healthcare – This can allow you to benchmark your security maturity against not only other healthcare organizations, but often more mature industries such as financial services or retail.
  • A library of expertise on HITRUST CSF subject matter – Ask for links to HITRUST event sessions, white papers, case studies, blog posts, etc. Look for live and archived webinars for expert content about HITRUST CSF Certification. And of course, visit web sites to gather details on each assessor firm.

As technology and the framework evolves, we’re excited about the next decade serving as a trusted partner and resource that can help organizations navigate the complex HITRUST journey every step of the way.