Compliance steps for success: Preparing for your HITRUST external assessment 

Executive buy-in is vital for HITRUST compliance. Your organization should engage executives early to promote a culture of security and compliance across the organization, align HITRUST goals with strategic objectives and ensure ample resources, both financial and human, are allocated.

Before starting your HITRUST compliance process, you should appoint a HITRUST Project Manager (PM) or liaison to oversee security and compliance efforts. This individual will be responsible for assembling a team of security experts, coordinating HITRUST engagement and managing evidence collection. Also, you should clearly define the roles and responsibilities of all employees and security teams, including incident response and endpoint management teams, from the beginning.

The HITRUST PM or liaison should meet with leadership, stakeholders and personnel handling sensitive information to establish key security policies and procedures following relevant regulations. They must identify security gaps, use appropriate tools, plan the project and document each step thoroughly. HITRUST advises appointing a PM or liaison at least two months before the audit.

Organizations may opt for their HITRUST PM or liaisons to attend CCSFP training and obtain certification in the HITRUST framework due to its comprehensive methodology and scoring. This certification can also enable certified individuals to act as internal assessors.

As with any compliance assessment, define your scope at the outset, delineating the systems and supporting infrastructure to be evaluated under the HITRUST framework audit. Without a clear directive, it can be a challenging task. Begin by reviewing these areas of focus:

• Business units/user entities: Evaluate each business unit to understand the types of data being handled and the systems in use
• Infrastructure: Identify critical systems within your organization that house or transmit sensitive data. Once the relevant business units and systems are identified, trace supporting infrastructure throughout the entire IT stack to identify key sub-service organizations
• Contractual requirements: Examine related contractual commitments with user entities to determine the regulatory factors formally defined as requirements
• Regulatory factors: Consider other pertinent compliance timelines in the organization (SOC, HIPAA, NIST, etc.) to prepare a comprehensive compliance scope across these frameworks

Upon determining business units and systems for the audit, you’ll want to document your organization’s lifecycle of sensitive information, including data flows and classification. At this juncture, it is advisable to engage a certified HITRUST external assessor as clients are recommended to begin collaborating with their external HITRUST assessor during the scoping exercise.

Collaborating with your external HITRUST assessor will not only assist in determining the landscape and ensuring critical components, including systems and regulatory factors, are appropriately included, but also will significantly enhance crucial understanding of your organization’s HITRUST maturity when selecting the appropriate assessment. At Baker Tilly, our extensive experience with complex clients and environments provides valuable insights into these processes.

After defining the scope, the next step is to assess your organization’s readiness against the HITRUST framework. The purpose of a readiness assessment is to evaluate your organization's current security posture in relation to the HITRUST CSF and identify any gaps in security practices as they relate to the controls.

A comprehensive readiness assessment should include a review of policies and procedures. For an r2 assessment, each HITRUST control must have a corresponding policy and procedure. However, for i1 or e1 assessments, only a limited number of controls require specific policies and procedures, focusing solely on evidence-based implementation. As you identify gaps from your readiness assessment, it will become clear what additional technical testing may be needed, such as vulnerability scanning and penetration testing. It is advisable to consult with your external assessor for the best practice recommendations on addressing gaps identified during the readiness assessment.

At Baker Tilly, we are commonly asked when concluding the post-analysis readiness assessment: “How quickly can I get certified?” It may seem simple, but the answer depends on many factors: assessment type, scoping, number of identified gaps, etc. Most organizations require six months to a year to complete the scoping process, readiness assessment and certification. To maximize efficiency, you should work closely with your external assessor to develop a timeline and discuss the dependencies of achieving certification.

Upon completion of the readiness assessment, your organization should be left with a number of gaps and associated recommendations for remediation, giving your project coordinator a roadmap to successful implementation.

HITRUST requires a minimum of 90 days, a bake-in period, following a major implementation before your organization may begin the validation assessment toward certification. Your external assessor will engage with you through a detailed process of gathering evidence, conducting walkthroughs, testing and analyzing evidence and making conclusions on the scoring of the controls. Provided all goes well, your external assessor should conclude your organization is at a threshold to pass for certification and will submit your assessment to HITRUST for their review and final decision.