5 Components to Consider When Scoping HITRUST Assessments
If you don’t already play, a basic game of darts starts you with a sum of points. The idea is to hit spots on the board worth more points that you’ll subtract from your starting total, with the bullseye being worth the biggest deduction. The player who reaches zero first wins.
Darts can be a frustrating game for those of us amateurs who just play at the local pub, but admittedly, it’s probably still more fun than a HITRUST certification. Still, when you’re scoping said assessment, the idea is much the same as the game—rather than points, you need to “subtract” the parts of your organization that aren’t in-scope before you can proceed.
But how to do that? How to know what is in scope for your organization?
In this article, we’ll try to help you understand exactly that. Scoping is critical for every compliance initiative—when it comes to HITRUST, there are several components you should consider. We’ll outline five of the big ones in detail.
As HITRUST assessors ourselves, we’ve helped clients through this process many times, which has given us this insight into these commonalities we now want to share with you. Having read this, you’ll be in a better position to answer a major question and thereby nail a bullseye of certification as you do move forward.
Five Factors That Can Affect Your HITRUST Scope
So what are these different facets that you should consider when determining what’s in and what’s out? Here’s a bird’s eye view to start:
- Type of HITRUST Assessment
- Outsourced Services
- HITRUST Factors
Let’s go into detail on each of these items.
1. What Type of HITRUST Assessment Do You Want?
This is one of the most important factors to consider, because other than scope, this is probably the other largest determinant of your process. You have the following options for your assessment:
- HITRUST Basic, Current-State (bC) Assessment;
- HITRUST Implemented, 1-year (i1) Validated Assessment; or
- HITRUST Risk-Based, 2-year (r2) Validated Assessment,
If you haven’t already chosen a direction here, let’s explore each and why your organization might choose one of these specific paths:
HITRUST Basic, Current-State Assessment
This Verified Self-Assessment can help introduce you to the HITRUST CSF, but HITRUST does not offer certification for it.
HITRUST Implemented, 1-year (i1) Validated Assessment
The i1 Validated assessment type evaluates your organization’s system or platform against a standard set of 219 controls that leverage security best practices and threat intelligence.
HITRUST Risk-Based, 2-year (r2) Validated Assessment
The r2 Validated assessment type evaluates your organization’s system or platform on a comprehensive risk-based approach.
The type of report will also affect your eventual scope in different ways:
- Should you choose a Basic assessment, you’ll have more flexibility. Because this one is not submitted to HITRUST for certification, your scope can even change during your assessment to help you adjust to what you discover.
- With the i1, you’ll have a static and defined amount and type of controls. The only adjustment you’ll make to your scope will be choosing which systems or platforms are to be certified.
- In a little reversal, the r2’s requirements are dynamic and depend directly on which systems or platforms you choose. Each application or platform may have different system requirements and inputs, which may impact how many and the difficulty of the requirements in your assessment.
This is a very high-level overview of all your options, but if you’d like a little more detail, read our separate article for the full deconstruction of the types of HITRUST assessments. HITRUST also offers information on the subject, if you’re interested.
2. What Systems/Platforms Should Be in Scope for Your HITRUST Assessment?
Now that you know what type of HITRUST assessment you want and need to select, this is your natural next step.
Importantly, HITRUST only certifies implemented systems and platforms —they will not certify the entire organization or systems in development.
With that being said, there are a few qualifying questions you can ask when deciding which of your systems to include:
- Do your clients rely on this system or platform? If so, that system or platform should be in-scope.
- Is critical client data being stored, transmitted, received, or processed within the system? Again, if so, this system should be in-scope.
- Is the system or platform critical to the operation of your organization? If so, that doesn’t mean the system should be included. But if it is critical to your operation, it’s definitely worth an extra look.
One thing we will say about what systems to not include in your HITRUST certification scope—we recommend not adding auxiliary platforms to your assessment. While there may be some benefit to including them, it’s also likely that working with those systems may unnecessarily complicate the work and cause serious delays in your process of getting HITRUST certified.
3. What Facilities Should Be in Scope for Your HITRUST Assessment?
Typically, this question is much easier to answer than those first two. But you should definitely figure out your assessment type and systems to include before deciding on this.
Because generally, you should include in your HITRUST scope those facilities that store, process, or transmit data to and from the scoped system(s) or platform(s). That may mean a few different locations, including places like internally-hosted data centers, offices, call centers, processing facilities, or others.
4. What Outsourced Services Should Be in Scope for Your HITRUST Assessment?
Partnering with third parties is very common these days. Figuring out how they factor into your compliance projects can be complicated, but for HITRUST it works like this:
- For i1 Validated assessments, you can carve third parties out (meaning, they are not in-scope).
- For the r2 Validated assessments, however, you must include any third-party services provided to the scoped system or platform and facilities as part of your overall assessment.
- That includes SaaS providers, cloud providers, shredding services, IT service providers, outsourced development providers, and others.
It’s important to restate that not every third party you use should be included in the assessment—only those that affect your scoped in systems or platforms.
So, if your organization outsources the accounting department, but that unit does not have access to the scoped system or platform, you wouldn’t include them in your HITRUST certification assessment.
5. What HITRUST Factors Are You Including in Your HITRUST Assessment?
If you’re thinking you’ll do the i1 Validated assessment, you can skip this section.
But if you do opt for the r2 Validated assessment, you’ll also have to select factors from the HITRUST MyCSF application. The factors you choose will affect the magnitude and the amount of the implementation requirements you’ll be assessed against, which will affect your scope.
The factors include, but are not limited to:
- Organization type;
- Number of records held;
- Records accessible by third-party personnel; and
- Records accessible from the internet.
You can select different “Regulatory Factors” as well, such as CMMC, HIPAA, FISMA, and others. HITRUST has developed a MyCSF Help User Guide to help you understand HITRUST’s interpretation of many different factors.
Next Steps for Your HITRUST Certification
Maybe you’ve seen an opportunity to enter a market through HITRUST certification, or maybe your organization is required to achieve HITRUST certification based upon a contractual obligation. Whatever the reason, the journey to HITRUST certification may seem as daunting as throwing a bullseye at the dartboard.
But now it’s a little less so since you now have a basic understanding of how to go about scoping your assessment—one of the most critical decisions you’ll need to make. To maintain your momentum on this journey, read our other HITRUST content to simplify your process even further:
About Michael Seegel
Michael Seegel is a Senior Manager with Schellman. Prior to joining Schellman in August 2018, Michael worked as an IT Audit Manager, specializing in managing SOC 1 & 2 Type II engagements. Michael also has prior experience performing HITRUST assessments, ISO 27002 audits, IT SOX compliance, and ERP implementations. As a manager at Schellman, Michael primarily focuses on performing HITRUST assessments for organizations in or doing business with healthcare organizations. Michael currently holds the CPA, CISSP, CISA, and CCSFP certifications.