
cyBARR Chats: HITRUST Edition FAQ Part 3

March 29, 2021 | HITRUST


Michelle: [00:00:00] Hi everyone, and welcome to our third episode of cyBARR Chats HITRUST edition. Today we’re covering two very important topics with HITRUST manager Swathi West. So let’s jump right in with the first. Swathi, what is the most important discussion to have with your HITRUST authorized external assessor organization before starting the HITRUST CSF readiness or validated assessment?
Swathi: [00:00:27] Great question, Michelle. To take a step back, before we start thinking about HITRUST readiness or validated assessment, it is essential to understand that HITRUST will only certify implemented systems. It does not certify facilities, people, services, or products like mobile applications, you know, just to make it a little bit easier.
If you think about a hospital building, right? HITRUST won’t certify the building itself, but, you know, for example, it will certify the system that’s collecting EPHI or even their customer service or support systems like that. So to be HITRUST CSF certified, the system should be fully installed and configured.
This is why, when thinking about certification, it is very crucial to know the scope of the system that you would like to get HITRUST certified. You know, I personally would say that is the most important discussion to have with your external assessor. Um, just also, you know, keep in mind when you’re thinking about scope, it is very crucial.
So to think about different business units, different facilities and departments, different applications. Now we’re going to restructure and even third parties, because these are all the questions your assessors will ask you. And these are all the questions that are part of the scoping as well. Um, you know, that, like I said, scope is the most important discussion to have with your assessor, and the scope can be tailored
to, you know, different clients, you know, not one client will have the same scope, right? So it can be tailored to different clients. And we here at BARR, we can facilitate those discussions and, you know, we can help you navigate through all that where, you know, to kind of get the tailored scope that would fit your needs to get HITRUST CSF certified.
Michelle: [00:02:12] So Swathi, can an organization get SOC plus HITRUST certification, and what are some of the benefits and drawbacks to going that route and who should go that route?
Swathi: [00:02:22] There are a couple of options, Michelle, you know, we could either do a SOC plus HITRUST CSF reporting or SOC plus HITRUST CSF certification. With SOC plus CSF reporting,
you know, BARR will express an opinion on whether the client controls are suitably designed and operating effectively to meet the HITRUST CSF security certification criteria or HITRUST CSF comprehensive security criteria. You know, the main difference is, you know, security criteria would be all the security controls that are applicable for HITRUST.
But when you’re talking about HITRUST CSF comprehensive security controls, that would just include the controls that are only required for certification. So we could, you know, select either or, depending on the client needs again. And, you know, we will express an opinion on that, and in addition to that, we also will be able to test whether the controls, you know, are applicable for trust services criteria by AICPA.
So, you know, now just to keep it again a little bit simple, we’re testing SOC and also HITRUST controls to make sure they are designed and operating effectively. You know, benefits of this would be, you know, in most cases, we could facilitate both HITRUST and, you know, SOC audits simultaneously, and that way we were able to save a lot of time, right?
And also we improve efficiencies for both our clients and also us. And some of the drawbacks with this route would be, you know, increase of scope. When we’re talking with clients, it was just only SOC, but now you’re also adding HITRUST to it. So it’s always important to [00:04:00] understand that we might have to add additional criteria.
So with the SOC we’re only doing availability, but then, you know, now we’re adding HITRUST, whether it’s a security or comprehensive criteria, then we’re adding more, you know, additional criteria; we might have to willing confidentiality or, you know, process integrity and other things like that.
So there’s definitely increase of scope that we also have to think about. And another important thing to keep in mind is that any findings that we have from HITRUST would also reflect in the report, because with the SOC audits we’re only getting the findings from the SOC reports, but then we’re including HITRUST.
So it’s very important to understand that we would be having those additional findings. If we do have any from HITRUST, they also will reflect in the report, you know, like the results in the SOC, which also might increase, just because we’re adding HITRUST, the number of exceptions that might be there in the report, either the process improvements or exceptions.
Um, so that’s another important, you know, thing to keep in mind. Another option, like I [00:05:00] said, would be SOC plus HITRUST CSF certification. We just talked about reporting, where we’ll, you know, we’ll do an opinion, but now this is certification. So this is similar, just, you know, because we were doing SOC plus HITRUST on top of that.
This is similar to the above option where we’re doing more; we would express an opinion whether the client controls are suitably designed and operating effectively, whether, you know, to meet the HITRUST CSF certification criteria or HITRUST CSF comprehensive security criteria, just, you know, in addition to AICPA’s applicable trust services criteria as well.
So like I said, we’re doing both SOC and HITRUST testing, but for this option we include HITRUST CSF certification. You know, for the previous one, we don’t have certification, it was just a reporting, but now we’re also including certification, which will be provided by HITRUST CSF itself. Um, you know, and then with this, we could take that report provided by HITRUST and just [00:06:00] add it in the unaudited section of the SOC report, combining both SOC and HITRUST.
You know, some of the benefits for this would be, again, we could consolidate the evidences, because we’re already testing for SOC or we’re already testing for HITRUST and we can use it vice versa. So it’s definitely efficient because we can consolidate the evidence that we requested from the client, and we, being external assessors,
test our clients’ controls. And then because we’re adding an actual third party, HITRUST, they will also review our client controls. And, you know, that would be an excellent quality control throughout the assessment; it’s going through two QAs at this point. It would also provide greater value to our clients.
If you think about just having one SOC, but now also we’re doing SOC plus HITRUST and we’re actually including the HITRUST report in the, you know, SOC plus HITRUST, so everything would be in one report. So if the client’s customers are requesting the reports, that [00:07:00] would just be in one report, and that would ultimately show our client’s security posture.
So I would say this is a great benefit when you think about SOC plus HITRUST certification. Definitely, you know, potential drawbacks would be, this option might get a little expensive, uh, because, you know, we would want our client, clients should be buying the MyCSF subscription. And also there are other fees that are included with this option.
So definitely, you know, a potential drawback would be a little bit, uh, more expensive option rather than reporting. And also there might be some delay, because like I said, we’re including HITRUST in the process. And with that, they’re doing testing and it would take a little bit more time. We have to test it, we submit to HITRUST, and then HITRUST would need to complete its QA.
So I would say there’s a little bit of delay that would definitely be in this option. For the other part of your question, Michelle, who should opt for SOC plus HITRUST? I would say it greatly depends on our client’s customers. I mean, our clients’ contracts with their [00:08:00] customers, uh, you know, this is the first question we usually ask our clients: what does your contract say?
We’re going to, you know, the basics with this, but still, it depends on the contracts, right, at the end of the day. So does it say HITRUST certification, or does it say SOC plus HITRUST reporting? So reviewing the contracts is the most important step. And, you know, I would say scope of the assessment again, because our
current clients were already doing their SOC 2 report. So adding HITRUST to the same scope of SOC, you know, wouldn’t be that difficult. So definitely, you know, having those initial conversations: what’s your scope? What do you want to do? Like, do you want to add HITRUST on top of the same scope, or, you know, do we want to expand the scope?
So definitely those discussions around scope are very important. And also, like we discussed earlier, if our clients are thinking about saving money or their time, or just need a better evaluation of their security posture, all of these different aspects would just, you know, have to be considered when we’re thinking about SOC plus HITRUST certifications or reports.
Michelle: [00:09:00] Thank you, Swathi. This is all such great information. We are looking forward to learning more about interim assessments and internal and external inheritance in our next HITRUST edition of cyBARR Chats. See everyone next time. Thank you.
Swathi: [00:09:14] Thank you.