The HITRUST Alliance, in its efforts to keep the framework up to date, provides new releases annually; Version 8 of its Common Security Framework (CSF) is the most recent one (Version 7 was released in January 2015). The updates to the framework are based on feedback from the HITRUST community and on current risks and trends, and they also incorporate updates from the various frameworks and requirements that are mapped and used as baseline requirements in the development of the CSF.
They don’t call it a Compliancy and Ethics Program (CEP) for nothing. Though sometimes overlooked, ethics plays an important role in the success of an organization’s compliance culture. Compliance professionals have grown accustomed to differing opinions on compliance topics. Some individuals may take a compliance-focused viewpoint while others see the same topics from an ethical perspective. In either case, both sides likely hold strong convictions about their stance and are not open to being swayed in a different direction.
So, you’ve been asked for a HITRUST certification? Odds are, 100 questions are racing through your head. Why would my organization be asked to hold this certification? What does certification even entail?
Security is vital to the healthcare industry. Thirteen percent of CIOs, CTOs and CSOs reported being targeted by external threat attempts almost once a day, and 12 percent reported about two or more attacks per week. Furthermore, 16 percent of healthcare organizations admitted they are unable to detect in real time if their systems are compromised.
Healthcare service providers are being told that they must begin their HITRUST Validated Assessment process soon, especially to meet the 2017 deadline for HITRUST Certification. The looming deadline and a lack of familiarity with the validation process are causing some fear. But have no fear! This article provides guidance on the process and the information needed to navigate the Validated Assessment and obtain certification.
Let’s face it — compliancy isn’t what it used to be. With mounting pressure for companies to embrace innovative technologies to maintain competitive edge, the compliance landscape has become extraordinarily complex, and compliance leaders aren’t the only ones stressing about it. In a recent Robert Half Management Resources survey, more than 2,200 CFOs in the United States admitted that meeting regulatory compliance mandates is their second biggest stressor, right behind staying current with technology.
Is HITRUST certification pass/fail, that is, all or nothing? Must you achieve all 149 controls? Although organizations are expected to implement all 149 controls as specified by their risk factors, HITRUST certification is based on a third-party assessment of 64 high-risk controls. The high-risk controls are determined by an analysis of past breach data while ensuring the necessary coverage of the HIPAA Security Rule’s standards and implementation specifications. All third-party assessments submitted via MyCSF are validated by HITRUST; however, organizations must achieve a 3+ maturity rating on the majority of the assessment domains to achieve certification. For the limited number of controls that are not operating at a 3+ level, you must create a corrective action plan (CAP). Organizations may also formally accept a very limited amount of risk and still achieve certification.