Your healthcare organization is at the point in your cybersecurity journey where you’re ready for the next step. You want to ensure the security of your data and increase customer trust. Now what? Working with a HITRUST Authorized External Assessor like BARR can guide your organization through a HITRUST validated assessment and Quality Assurance (QA) review process, ultimately leading you to your HITRUST certification.
The HITRUST Common Security Framework (CSF) was developed in collaboration with healthcare and information security professionals to provide a prescriptive framework that simplifies security requirements. It is the most widely adopted security framework in the U.S. healthcare industry and is the only assessment that produces a validated certification report.
At BARR Advisory, we currently offer two types of HITRUST CSF assessments:
This is the second installment of a two-part series highlighting what to expect from the validation assessment and QA review stages of BARR's proven HITRUST process. The first blog in this series outlines the HITRUST readiness assessment.
During the readiness assessment, BARR assesses your initial controls and provides recommendations for remediation. Once these controls are remediated, they must be implemented and in place for a period of 90 days prior to your validation assessment.
Let’s take a look at what you can expect during your validation assessment and how to obtain your HITRUST QA review plus certification.
The validation assessment includes a number of testing procedures to ensure compliance gaps have been appropriately identified and controls are implemented and operating effectively. Testing procedures include:
Once your organization is ready to begin the validation assessment, your engagement lead will set up a kickoff meeting where you’ll confirm expectations and establish a timeline. The key result of this kickoff meeting is to schedule the QA review with HITRUST.
Following the kickoff meeting, your engagement lead will provide you with a detailed HITRUST requirement questionnaire to begin working on. All of our engagements are submitted through BARR’s in-house communication tool, taskBARR.
Now that you’ve provided the requested evidence, your engagement team is ready to test each control following BARR’s procedures. During the assessment, your controls will be tested against the HITRUST Maturity Model. Your engagement lead will agree or disagree with your organization’s scoring using the five maturity levels and provide supporting comments.
According to the HITRUST Maturity Model, the five levels include:
After your assessment, the testing goes through manager review. Following that review, the engagement lead will complete the administrative documentation.
The HITRUST QA review is the final stage of your journey toward certification. Below are the three steps to obtaining a successful QA review and certification.
Your completed assessment must be reviewed for quality assurance by an assigned Certified HITRUST CSF Practitioner with the Certified HITRUST Quality Professionals (CHQP) designation to ensure completeness and accuracy prior to submitting your assessment to HITRUST for review.
There are six required forms/documents that need to accompany the submission:
It’s important to note that the QA reviewer must be independent of the assessment team.
Once all documentation is uploaded to myCSF, your engagement lead will reach out to the CHQP for the final quality assurance review. After the review is complete, the engagement lead will submit the assessment to HITRUST and work with HITRUST QA to address any issues or concerns.
If approved, you will receive a certified report from HITRUST. After the final report is posted, the engagement lead will set up a time for an internal and external debrief. This process is repeated annually, as the i1 validation report is valid for only one calendar year from the date of submission. The r2 assessment is repeated every two years, with an interim assessment period in between.
Now that you’ve reached HITRUST certification you can rest assured knowing that patient data is protected and your organization has significantly decreased the likelihood of data loss or a breach.
Our HITRUST team is available to answer any questions you may have about starting the certification process. Contact us today.