Everything You Need to Know About HITRUST Certification: Part 1—Readiness Assessment

If you work in the healthcare industry, chances are you’re aware of the challenges that come with securing your organization’s data. According to the  Verizon Data Breach Investigations Report, the healthcare industry is the most popular target for hackers, which is why obtaining a HITRUST Common Security Framework (CSF) validation assessment can help ensure your organization remains both secure and compliant. 

This blog is the first of a two-part series on what to expect from your HITRUST assessment. Within this series, we’ll outline the two major phases of BARR’s HITRUST proven process:

1. The readiness assessment
2. Validation assessment and quality analysis review 

Let’s take a look at what your organization can expect during what’s called the HITRUST readiness assessment. 

What is a HITRUST Readiness Assessment? 

HITRUST CSF was developed in collaboration with healthcare and information security professionals to provide a prescriptive framework to simplify security requirements. It is the most widely-adopted security framework in the U.S.

When starting the HITRUST CSF process, it can be helpful to conduct a readiness assessment, formerly known as the self assessment. The readiness assessment happens prior to the validation assessment and provides your organization with a clear understanding of the controls you have in place and any security challenges that might occur. During this phase, your organization evaluates itself under HITRUST CSF requirements. 

Readiness assessments are a great way for small and medium-sized organizations to streamline the process toward HITRUST certification. This is also a great option for larger, more developed organizations that may need a refresh on current security frameworks beyond HIPAA. 

Organizations can also choose to use a third party to help with this process. If you’re interested in another perspective on your audit, BARR can connect you with one of our expert partners to help you with this phase. 

A few other benefits to conducting a HITRUST readiness assessment include:

• Ensure project readiness
• Showcase your organization’s strengths 
• Prepare for areas of improvement
• Save time and improves efficiencies
• Differentiate your organization among competitors

Getting Started 

At BARR, once you commit to a mutually agreed upon timeline and proposal, your engagement lead will set up an internal and external engagement kickoff meeting. 

The point of the kickoff meeting is to establish timelines, points of contact, and gain general information about the organization, such as where the system is hosted, and how it’s accessed.

During the kickoff meeting you can expect to discuss:

• Roles and responsibilities
• Walkthroughs of the process and HITRUST questionnaire 
• Approach, timelines, and milestones
• Communications protocol and project management 

Assessing Your Controls

The meat of your readiness assessment lies in assessing your controls. This occurs in a three-part process in which your organization is required to complete a HITRUST questionnaire. From there, your engagement lead will use your responses to determine control gaps and provide remediation guidance. 

1.) HITRUST Questionnaire

Following the kickoff meeting, the engagement lead will provide you with the required HITRUST questionnaire. The purpose of this questionnaire is to allow for a detailed discussion about your organization and provide the opportunity for you to self-identify gaps, saving you time in the process. 

Your completed HITRUST questionnaire will indicate: 

• Controls that are implemented
• Controls that are not implemented
• Controls that are not applicable, which BARR will review for accuracy

2.) Address Control Gaps

For controls you have marked as not implemented, the engagement team will provide remediation guidance to assist in the implementation of each control. For controls in which you have marked as implemented, your engagement team will test each control following the HITRUST CSF illustrative procedures, identifying any additional control gaps as they may arise. 

As you’re nearing the end of the readiness assessment period, your engagement lead will provide you with a spreadsheet workbook identifying clear remediation tasks for you to complete before the validation assessment begins.

3.) Recommendations for Remediation 

At the completion of your readiness assessment, your organization will receive a gap analysis, which gives a true picture of where your organization is at, where you need to go, and how long it will take you to get there. 

Once the gap report is provided, BARR works with you to develop a plan together, which helps prioritize and solve any pain points prior to the validation assessment. Throughout this process, your engagement lead will continually work with you to ensure accurate and complete remediation of each gap. 

Looking Forward to the Validation Assessment Phase

A validation assessment is conducted by a HITRUST Authorized External Assessor, like BARR, and is the only assessment that produces a validated certification report. The validation assessment is the final phase before the quality assurance review, which can lead to certification. 

It’s important to note that BARR currently offers the HITRUST r2 Validated Assessment, which is the most comprehensive HITRUST assessment and repeats every two years with an interim period in between. If your organization is not quite ready for the r2, we also offer a more moderate assessment, the i1 Validated Assessment + Certification, which is a one-year process.

Stay tuned for our upcoming blog with more details on the HITRUST validation assessment and quality analysis review phase.  

Interested in working with our HITRUST team to start your certification process? Contact us today.