Staying current with HITRUST advisory changes

Keeping up with continual improvements is mission-critical

As a result of an ever-evolving threat landscape, cybersecurity compliance burdens are proliferating at an unprecedented rate. It can be overwhelming to keep up with the staggering number of new and updated regulations, compliance frameworks, and standards. HITRUST®, founded in 2007, recognized this challenge and created the HITRUST CSF® to aggregate disparate authoritative sources into a single and certifiable framework.

HITRUST’s origins are deeply rooted within the healthcare ecosystem, and by using the HITRUST CSF, HITRUST was successful in providing a scalable, comprehensive, and certifiable framework for Business Associates and Covered Entities. Fast forward to today – HITRUST is evolving to provide the same industry-leading security and privacy assurances to an industry-agnostic and global marketplace.

Due to HITRUST’s global expansion, and the incorporation of new or updated authoritative sources, the HITRUST CSF and Assurance Program Requirements must be updated to reflect industry best practices and market feedback. Arguably the biggest update in HITRUST’s history, HITRUST CSF v10, is slated for 2022; in the meantime, HITRUST has committed to continually improving the existing versions of the HITRUST CSF. This has resulted in four new HITRUST Assurance Advisories that improve and streamline the HITRUST assessment process. These changes are effective for all HITRUST CSF v9 assessments and will be incorporated into the release of HITRUST CSF v10.

We’ll break down each of these Advisories one-by-one, giving you a quick synopsis on what you need to know and how it impacts your organization.

1. HAA 2021-001: Reservation-based QA programs

The first assurance advisory focuses on the quality assurance (QA) process. Starting in July 2021, all HITRUST CSF Validated Assessments require Assessed Entities to schedule a Quality Assurance reservation prior to submitting the assessment to HITRUST. This new reservation-based system gives your organization’s stakeholders and HITRUST Authorized External Assessors tremendous visibility into the QA timelines, upcoming tasks, and important milestones.

Reservation-based QA details

• The Assessed Entity, or designated Lead Assessor, is responsible for registering your organization for a QA timeslot.
• QA timeslots represent a week of time where HITRUST will begin QA procedures for the assessment and provide feedback.
• The QA reservation windows are determined by the submission date of the assessment.
  • Generally, the earliest reservation windows are available two weeks following report submission to HITRUST.
• Assessed Entities must have purchased the Validated Report Credit prior to reserving a QA timeslot.
• A late submission may cause you to incur additional costs or lose your QA timeslot
  • External Assessors and Assessed Entities need to be vigilant in ensuring an on-time submission.
• Expedited QA credits, available for an additional fee, offer the option to further decrease time spent in the QA process.
• HITRUST has a walkthrough of the process, which can be found here.

To further support a timely QA process, HITRUST has developed a suite of nearly 50 automated tests that identify assessment inconsistencies, errors, and omissions. Any potential quality indicators (PQIs) from these tests are sent to the External Assessor ahead of the QA Analyst’s manual review. Unresolved PQIs may result in delays to the QA process and should be addressed as soon as possible.

2. HAA 2021-002: HITRUST CSF Validated Assessment enhancements

In 2019, HITRUST modified the scoring methodology and increased the implementation maturity to have the highest weighting of any maturity. This advisory builds on that change by reducing the level of effort associated with creating and maintaining policies and procedures. These changes ensure that effective control implementation and operational effectiveness remain at the forefront of your information security, privacy, and risk management programs.

Policy and procedure incubation period

• The policy and procedure incubation period has been reduced to 60 days (from 90 days).
• Policies and procedures are still required to be approved by management and communicated to all impacted stakeholders.
• This timeline does not affect the implemented, measured, and managed maturities, which are still required to be effective for 90 days prior to any testing.
• This change is effective immediately for all upcoming, in-flight, and submitted assessments.
• If an assessment has been submitted for QA, HITRUST will not revert the assessment to make scoring changes.
• Assessments that have Draft Reports posted to the HITRUST MyCSF® platform will not be modified.

Policy and procedure scoring criteria

With the increased emphasis on the implementation maturity, HITRUST has revised the assessment criteria for policies and procedures. In short, policies are no longer required to have verbiage demonstrating management intent, such as “shall/will/must/should,” and procedures now focus on an end user’s ability to operationalize the process. Additionally, management approval and communication requirements are now tested a single time, rather than for each and every requirement.

Policy guidelines

The revised strength criteria states, “A documented policy must specify the mandatory nature of the control requirement in a written format which could reside in a document identified as a policy, standard, directive, handbook, etc.”

This change significantly streamlines the assessment process while emphasizing strong policies that are not bound to a restrictive format. All policies are still required to be scored using Coverage, which is based on the elements defined within each requirements’ policy-level illustrative procedure.

Procedure guidelines

While the policy guidelines remain very straightforward, procedures now have a higher level of subjectivity. The revised strength criteria states, “A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.”

While the procedure criteria have formally removed the need for an organization to describe all operational aspects (e.g., how, when, who, where) for each requirement, Coalfire still encourages organizations seeking HITRUST Certification to document how, when, and where each control is performed, as well as who is responsible.

Revised scoring guidelines

Coverage (e.g., the use of illustrative procedure elements) is still the same; however, strength has changed significantly. Effectively, strength now has three tiers:

1. 0% - Policy and/or procedure does not exist.
2. 25% - Policy and/or procedure is entirely unwritten or has not incubated for 60 days.
3. 100% - Policy and/or procedure exists and meets the updated criteria.

Effectively, this means that the only way for a requirement to have a composite score of 50% and 75% is to have a gap in coverage.

At a high level, the following describes how all policy and procedure scores will be attributed:

• Non-compliant (score of 0%) if the policy and/or procedure does not exist in any capacity.
• Somewhat Compliant (score of 25%) if the policy and/or procedure is undocumented but able to be confirmed via interview, or if the policy and/or procedure has not matured for the required 60 days.
• Partially Compliant (50%) if the policy and/or procedure meets all revised strength criteria and addresses 33%-65% of the policy-level’s illustrative procedure.
• Mostly Compliant (75%) if the policy and/or procedure meets all revised strength criteria and addresses 66%-89% of the policy-level’s illustrative procedure.
• Fully Compliant (score of 100%) if a policy and/or procedure meets all revised scoring criteria and 90% or more of the policy-level’s illustrative procedure elements.

HITRUST has provided numerous detailed scoring examples that can be found here. These changes are effective immediately and will be utilized for all Validated Assessments that are currently undergoing QA procedures.

Tucked away at the end of this advisory is a notice that there will be two versions of the HITRUST Certification Letter for all Validated Assessments that result in HITRUST Certification. The current HITRUST Certification Letter includes both context and a scope description from the assessment, as well as HITRUST’s signature. The new stand-alone Certification Letter will only include the signed certification from HITRUST without any ancillary details.

3. HAA 2021-003: Corrective Action Plan (CAP) identification changes

As described in HAA 2021-002, HITRUST remains committed to prioritizing and emphasizing control implementation, which has prompted changes to the Corrective Action Plans issued at the conclusion of a Validated Assessment.

Policy and procedure CAPs

• The thresholds for certification (62.00 or greater per domain) have not changed.
• The mathematical formula for generating CAPs has not changed.
• Risk acceptance (requirements scoring > 62.00) has not changed.
• You will only be required to fill in CAPs for requirements with implementation exceptions.
• Requirements with policy/procedure exceptions, and no implementation exceptions, will not generate CAPs.
• This change is effective for all assessments that have not been already issued by June 24, including assessments actively in the QA process.

Reissuing reports

All Assessed Entities who wish to take advantage of reducing the policy and procedure CAPs but already have a final Validated Report may be able to do so with some caveats. Here are the guidelines:

• You must have an active MyCSF subscription with access to the final report that is posted in MyCSF.
• Existing certified assessments will be de-certified, and the existing Validated Report will be considered invalid.
• HITRUST will clone and archive the current Validated Assessment and post an updated report to the newly cloned object, with all policy and procedure CAPs removed.
• For organizations who already have received a final report, you can have your report(s) reissued to reduce the number of CAPs.
• The reissuance process does not alter or modify any certification or reporting dates.

But what about Interim Assessments?

HITRUST has made significant considerations for Interim Assessments so that Assessed Entities can take advantage of these improvements. If you choose to refresh your Validated Assessment, the subsequent Interim Assessment will have all CAPs removed. It’s even possible to do this during an active Interim Assessment that has not been submitted to HITRUST.

To start the reissuance process, please contact your Customer Success Manager at HITRUST. HITRUST has also provided a list of questions and answers.

4. HAA 2021-004: Enhancements to MyCSF

Scoping is critical for a successful HITRUST assessment – it is imperative to have a clear understanding of the environment, boundary, systems, third parties, and organizational personnel that are in-scope. MyCSF uses risk factors, commonly identified during the scoping process, to generate a risk-appropriate list of requirements. To help ensure that the scoping factors are accurate, HITRUST has adjusted MyCSF’s scoping logic to enforce linkages between the following scoping factors:

• Is the system(s) accessible from the internet?
• Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?
• Is any aspect of the scoped environment hosted on the cloud?

The following table illustrates the impact of the changes as well as the associated linkages between factors:

MyCSF will not make any automatic scoping updates, so customers with in-flight assessments should check the factors to ensure they align with the updated guidance. Further information regarding the scoping factors, including the definitions of each factor, can be found on HITRUST’s MyCSF Help website.

In addition to the scoping factor updates, the measured and managed maturities received two changes:

• Assessed Entities will have to choose if they want requirements assessed against the measured and managed maturity levels when setting up the object in MyCSF.
• Artifacts that are linked to measured and managed maturity levels in MyCSF are no longer required to be tagged as “Independent” or “Operational.”

Preparing for the future

HITRUST CSF v10 will be a monumental milestone in HITRUST’s history, and these advisories help to pave a path towards a smooth launch. While we wait for HITRUST CSF v10, these changes and their benefits can be recognized immediately. Organizations who are preparing for a Validated Assessment, or who are maintaining an existing HITRUST Certification, will have decreased QA times, increased QA transparency, a renewed focus on control implementation, and improved assessment quality and consistency.

Have more questions about any of these changes? Are you looking for guidance on getting started down the path to HITRUST Certification? Coalfire is here to help! Check out our HITRUST services page to get more information on our HITRUST advisory and assessment offerings. We look forward to optimizing your organization’s expanding certification requirements, and helping you navigate the complex compliance journey.

As one of the original Authorized External Assessors, Coalfire is proud to celebrate nearly a decade of HITRUST experience. As part of the Assessor Council, Quality Control Subcommittee, and Third-Party Risk Management (TPRM) Council, we are honored to stand today as one of its most experienced and involved assessors.