HITRUST Self-Assessments Explained: The Advantage of External Assessors
In the famed series Lord of the Rings, the unlikely hero Frodo Baggins offers to carry the terrible burden of the One Ring to Mordor in order to destroy it and save all of Middle Earth from evil. Immediately after he makes this decision, he says, “Though I do not know the way.”
In deciding to get HITRUST certified, you’ve decided to “carry this burden” of compliance—à la Frodo—and that’ll mean completing all the necessary steps, including the initial self-assessment process. And while Frodo may have found his way to Mordor on his own (eventually), he had the wizened wizard Gandalf step up for him in the moment and say, “I can help you there,” making the journey easier.
The same is true for HITRUST external assessors. Though the self-assessment is made of questions that you must answer, having the help of a guide likely means a simpler time of your HITRUST process as a whole. As one such HITRUST assessor, we’re going to explain what we mean.
In this article, we’ll go over HITRUST basics and introduce the self-assessment, including what kind of questions you can expect. Then, we’ll detail how bringing in an external assessor can change your outlook, including how our team approaches the entire HITRUST process.
Maybe you choose to select your Gandalf early on—maybe you don’t. But after reading this, you’ll understand the advantages to better inform that decision.
What is HITRUST?
Initially developed to address the many security, privacy, and regulatory challenges facing healthcare organizations, the HITRUST set of security and privacy controls and safeguards—referred to as the HITRUST CSF—uses a risk-based approach. Having since become more industry-agnostic, it includes controls derived from the HIPAA, HITECH, NIST, ISO, PCI, FTC, and COBIT frameworks, as well as federal and state privacy laws.
A growing number of large healthcare groups—including Elevance Health / Anthem, Health Care Services Corp. (HCSC), Highmark, Humana, UnitedHealth Group, and others—are requiring any partner organizations handling ePHI to complete a HITRUST assessment. (Maybe that sounds familiar.)
But—whether you’re in healthcare or not—perhaps you’re just independently opting to become HITRUST certified to secure your environments, reduce risk, and prepare for future audits and inquiries related to information security.
No matter why you’re getting a HITRUST certification, for many organizations, the first step may be to perform an r2 Readiness Assessment within the MyCSF online tool. That’ll include:
- Answering a set of scoping questions to determine which HITRUST CSF implementation requirements will apply to you.
- Going through a ‘trial run’ to identify any areas that may need to be improved before your r2 Validated Assessment.
How to Perform a HITRUST Self-Assessment
To get going on that, you’ll need access to the MyCSF online tool provided by HITRUST, which is required for any type of HITRUST assessment. We recommend maintaining an annual subscription to the MyCSF online tool—it’s useful in that the information you enter during a Readiness Assessment is maintained and can be carried over to reduce the burden when undergoing a subsequent r2 Validated Assessment.
Scoping Your HITRUST Self-Assessment
After you get access to MyCSF, you’ll need to determine which type of assessment you are preparing for, at which point you’re ready to complete the aforementioned questionnaire.
Your answers to these administrative and scoping questions are used to determine which HITRUST implementation requirements will apply to your organization’s assessment. Examples of the scoping questions include the following:
- What is your organization type / industry?
- Number of customers, employees, users, or transactions per day?
- Is the system accessible from the internet or a public location (e.g., kiosks)?
- Are mobile devices used in your environment?
- Do third parties access your system or transmit data?
- Number of active interfaces from your system to other systems?
- Which regulatory factors affect your organization (FISMA, PCI, state-specific privacy regulations, etc.)?
Do You Need an External Assessor for Your HITRUST Self-Assessment?
You absolutely can answer all the questions yourself, but it’s important to know that external assessor organizations—like Schellman—can be engaged at this early point to provide valuable assistance. With their help, you can significantly cut down on the potential errors and missteps often associated with the Self-Assessment process. Specific advantages to obtaining the assistance of a HITRUST-approved assessor include:
- Assurance that scoping questions are answered appropriately and result in an appropriate scope of controls
- Guidance on evidence commonly used to address each specific HITRUST security control
- Assurance that areas that do not meet HITRUST requirements are identified and not overlooked
- Training on creating corrective action plans (CAPs) for areas not meeting HITRUST requirements
- Often reduced cost associated with the r2 Validated Assessment process (if also performed by the same assessor)
Schellman’s Approach to Your HITRUST Self-Assessment
As a single-provider cybersecurity services firm, Schellman is one option for an external assessor: we’re not only capable of providing HITRUST services, but we can fulfill your SOC, PCI, ISO, FedRAMP, and CMMC needs (among our other services) through a single legal entity.
You’ll have other choices when it comes to selecting your external assessor, but we’re still going to provide some insight into how our team would approach this step of your HITRUST process so that you’ll have at least some idea of what to expect, whether you work with us or not—including how we can help you obtain all the advantages mentioned above.
Here’s how Schellman assists organizations with their HITRUST Self-Assessments in seven steps:
1. Initial Discussions with Leadership.
If you’d prefer, we can attend management meetings in person or via conference call to help your stakeholders clearly understand:
- The HITRUST approach
- The reasons behind a HITRUST assessment being requested (if applicable)
- The effort associated with each step of the process
That way, everyone’s on the same page going in.
2. Scope the Assessment.
Now we get to the actual questions. You determine the scope of systems, applications, and locations included within your HITRUST assessment, but we can provide insight to help with that. This can be incredibly important, as, sometimes, getting a single question precisely correct can be the difference between an appropriate scope and mistakenly adding over 100 requirements to your assessment.
But our experts can help ensure your answers to these questions are as accurate as possible so that you establish an appropriate scope.
3. Identify Evidence Required.
After you understand what requirements are applicable, we can then help identify specific evidence that will correctly speak to each control operating effectively.
As with the scoping questionnaire, this is another of the largest challenges we see with those performing the Self-Assessment independently: it’s very easy to misinterpret what documentation is required to adequately evidence the operating effectiveness of each control. But as the ones set to do the future evaluating, we know what we need to see from you.
4. Streamline the Data Entry Process.
Although we can’t directly author the required process narratives in the MyCSF online tool—you must—we can help ensure that you get through it efficiently by guiding you on the appropriate level of detail and control points commonly identified for each control.
Our team would also be available to advise on how to properly define the maturity levels for control requirements if you’d like.
5. Review Full Data Entry, Maturity Level, and Evidence.
At this point, we can review all information and evidence entered into the MyCSF online tool and provide you with comments by item and/or by control.
6. Perform Gap Analysis and Offer CAP Training.
Having now gone over everything, our team can identify any control areas where the process or evidence available does not meet HITRUST standards.
If we find that you’ll need a corrective action plan (CAP) to pass a Validated Assessment, we can also provide training on creating and updating any CAPs as the processes are improved.
7. Submit the Self-Assessment.
With all that done, it’s time to send everything to HITRUST—Schellman can ensure that all required data and evidence have been entered and that the assessment is complete before you hit the submit button.
Moving Forward with Your HITRUST Validated Assessment
At that point, you’ll be ready to begin preparing for your Validated Assessment, and if you’re using Schellman for both, we’ll assist you in that phase as well.
But to get to this point, completing your HITRUST Self-Assessment is critical and can determine a lot about the rest of your journey. Now you know a little of what to expect from the questionnaire as well as just how much an external assessor can simplify this part of the process for you.
Maybe Schellman is the right Gandalf for your Frodo—maybe not. Whether you’d like to judge for yourself, or if you just have some specific questions about HITRUST, please contact us, as we’d be happy to assist you in any way we can.
About DOUG KANNEY
Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.