Self-Assessing Your Organization Utilizing the HITRUST Cybersecurity Framework (CSF)

Written by: Matthew T. MacDonald, CISA, CCSFP

As you and your organization better understand the new HITRUST framework, you may decide to start on the road to HITRUST certification. The first step in this process is performing a “self-assessment”, or “baseline” review. The HITRUST Alliance gives organizations an opportunity to perform a self-assessment in order to identify and address areas of improvement within their programs.

The assessment is a high-level review of control objectives, where organizations can compare their programs against the required controls. The ultimate goal of a self-assessment is to use the results of the review to remediate control gaps, drawing on recommendations from the HITRUST framework and the MyCSF tool. This will help organizations determine their readiness for HITRUST Certification.

Getting Started on a Self-Assessment
For most organizations that have no experience with the HITRUST framework, a self-assessment allows companies to take a high-level approach to control reviews and implementation requirements without the rigorous documentation review process that occurs during validated assessments. A self-assessment is the starting point to determine the baseline of your organization’s controls, but a HITRUST Certification can only be achieved by utilizing an approved HITRUST assessor firm.

The best way to start your HITRUST self-assessment is by talking to HITRUST or an approved HITRUST assessor firm, and determining which applications and areas within your organization you would like to have reviewed. This will help you and your team focus your risk assessments on the areas that you would like to prepare for potential certification review.

After this has been completed, you can begin the self-assessment. Compare the results of your risk assessments to the baseline outlined in the HITRUST framework, and determine in which areas you have at least the minimum required controls in place to meet compliance. You and your team will then identify any control gaps in the assessed areas, and can put a remediation plan in place to meet the standard that was previously missed.

This exercise can also help your organization determine if your scope needs to be altered. For instance, internal applications will likely have different levels of management, data, access, and security controls expected than an external application. Understanding what needs to be in scope, and focusing only on the applications and areas that you would like certified, can help keep the HITRUST certification more manageable.

Who Should Perform the Self-Assessment?
Typically, employees with job responsibilities related to IT governance, risk management and internal control framework analysis would be the most suitable for performing the HITRUST self-assessment. These individuals will have the most experience in dealing with application or IT governance controls that provide support for systems that are being reviewed with the HITRUST framework.

When to Call Outside Help
There are situations in which it might be beneficial for your organization to get assistance from an outside source. Organizations can contract with certified HITRUST assessors to help facilitate their review. This often occurs when an organization’s environment is immature, or has never been through an intense information or security audit. If this is new for your organization, you run the risk of risk assessments not being performed to industry standards, and this can affect your ability to obtain certification. Also, if an organization knows it needs the HITRUST CSF, a self-assessment can be part of the scope of the contract, leaving internal resources free to work on other projects. It is critical that the scoping exercise is executed correctly. Incorrectly scoping the HITRUST environment wastes your team’s time and heads your organization down an incorrect path.

Bringing in a certified HITRUST assessor gives you expert context on controls that may or may not be in place, while also providing insight into the remediation of gaps that are identified. You can be sure that industry standards are being followed, and that your results are complete and accurate. If you decide to utilize an outside source, be prepared with answers to the following questions:

  • How thoroughly have you identified the threats to your records?
  • Where are your records located?
  • How do records interact with each other?
  • How do you know your methodology is sound? (If you marked something moderate risk instead of high risk, can you explain how it fits its definition?)
  • What is the correct scope of the HITRUST environment based on what my organization has to report on?

On the road to HITRUST certification, a self-assessment is a necessary first step. Be sure you have the appropriate people in place to accurately evaluate your applications, and that you utilize your risk assessment results to remediate all control gaps. Whether performed by your team or a certified HITRUST assessor, the self-assessment will teach you what you need to know to move a little closer to your organization’s certification.

If you have more questions related to your HITRUST certification, please reach out to Matthew T. MacDonald, CISA, CCSFP, Senior IT Assurance Consultant at 617-261-8119 or mmacdonald@wolfandco.com.