Determining the scope of an assessment against the HITRUST Common Security Framework (CSF) is one of the first and most important tasks of the entire HITRUST assessment process. The assessment scope is a major factor in the level of effort required to complete an assessment, and is important to relying entities in determining if the services they use are assessed against the HITRUST CSF. However, for organizations with large or complex IT environments, the task of determining the scope of their HITRUST assessment(s) may seem daunting.
A commonly asked question relates to organizations with multiple platforms or environments:
"If I have multiple platforms that house PHI, all with different processes, do I need multiple certifications?"
The key word in that question is “need”. According to HITRUST standards, there is no stated requirement for organizations to segregate different platforms, services, locations, etc. into separate CSF Certification reports. The HITRUST CSF is a very flexible framework, allowing the scope of an assessment to be as narrow as a single application or as broad as an entire organization. Perhaps a more appropriate question that these organizations need to ask is "If I have multiple platforms that house PHI, all with different processes, do I WANT multiple certifications?" The short answer: it depends. The longer answer is that organizations must consider several factors when determining the scope of their HITRUST assessment(s).
The very first factor is determining the purpose of the assessment (answering the question "why am I doing this?"). Is it to meet internal or external compliance requirements? Is it to support individual business associate requirements? Is it to generally improve the security posture of the organization? All of the above? Determining the purpose of the assessment work is the foundational first step in the scoping process, and without this information, scoping an assessment becomes extremely difficult and more complex.
Once the purpose for the assessment has been established, organizations can identify the systems (and/or facilities) to be assessed. Organizations should then identify the common controls and processes in place across those systems, differentiating the centralized controls that map to each system from the controls that are independently managed for each system. This differentiation will give the organization a clearer picture of how their systems can be grouped together, and subsequently, of how to best structure their HITRUST assessment(s).
Given the flexibility of the HITRUST CSF framework, it may be advantageous for organizations to perform multiple assessments in line with the grouping of their systems, as discussed above. This will allow each individual assessment to be more focused, and will reduce the level of effort required to complete an individual system’s assessment as compared to a single assessment covering disparate systems and processes.
A common example of the multiple assessment approach is an organization that provides IT infrastructure and support as a shared service to various business units. The organization can perform a HITRUST assessment over its shared IT services (leveraging the common controls in place across the shared systems), and perform individual assessments over each applicable business unit or application (segregating the controls that are independently managed to reduce the overall effort in completing each assessment).
Another common example is an organization that completely segregates all of its platforms / environments, hosting each environment on its own infrastructure that is managed by its own team using their own processes. In this instance, the lines of demarcation are very clear, and the organization is likely best served by performing a separate HITRUST assessment for each environment.
Ultimately, the scope of an organization's HITRUST assessment(s) depends on the requirements of the organization, their IT landscape, and the requirements of their relying entities. One organization may be best served by a single assessment that is broad in scope, while another organization's needs are best met with multiple assessments that are narrower in scope. Further, organizations can choose to perform their assessment(s) as a self-assessment or CSF Validated assessment, the latter being required if the organization wishes to achieve HITRUST certification. An authorized CSF Assessor can provide organizations with further guidance on the scope and assessment type that helps them best meet their compliance objectives and requirements.