HITRUST Risk-Based, 2-year (r2) Validated Assessment

Strategies to earn and maintain certification

Managing the process and resources to become HITRUST certified takes time and can be very involved. Our team offers some tried-and-true strategies.

You don't have to go through your HITRUST assessment alone – our team is here to help you through the process.

HITRUST has updated its portfolio of assessments to include options that are more cost-effective and streamlined. Organizations working toward attaining the most comprehensive certification, the HITRUST Risk-Based, 2-year (r2) Validated Assessment, should plan for a more intensive journey than organizations pursuing the e1 or i1 certifications. As an External Assessor, Crowe can help by offering some effective strategies.

Quality assurance: Common areas of focus

Requirement statement interpretation

One of the benefits of the HITRUST CSF^® framework is that it provides each organization with a custom, prescriptive set of requirement statements. As leaders think through how to interpret requirement statements for their organization, they should consider any applicable organizational context, such as written policies and procedures, the IT environment (for example, data and systems), and existing control processes and methodology, including requirements performed by a third party and the organization’s use of “not applicable” to indicate which requirements do not apply.

Time should be built into the planning phase for the process of interpreting requirement statements and gathering evidence, ideally starting several weeks to months before the assessors are scheduled to test the organization’s evidence to support its set of requirement statements. Any requirements that trigger questions should be discussed internally as well as with the assessor and even with HITRUST if needed. This is equally important for organizations going through their second or third assessment as it is for first-time organizations, as the HITRUST CSF version updates can bring new requirements.

Success strategies for requirement statement interpretation include the following:

Become familiar with HITRUST requirement statements early.
Take advantage of available HITRUST resources (such as illustrative procedures, assessor teams, and HITRUST support).
Consult and confirm in advance to avoid surprises.

Assessment timing

Two important 90-day time frames come into play during the assessment:

The control should be in place for at least 90 days before assessor testing is started.
Assessors have up to 90 days to complete their work before submitting assessments to HITRUST.

Success strategies for assessment timing include the following:

Develop a timeline to help manage stakeholder expectations.
Estimate the level of effort to gather control evidence.
Schedule assessor fieldwork after any new controls have been implemented for at least 90 days and evidence is ready and available for testing.
For a HITRUST Risk-based 2-year (r2) Validated Assessment, any policy or process documentation that was created due to gaps must be in place 60 days before the testing takes place.

Requirement scoring

It’s important to pay attention to the specifics of each requirement statement. Here’s an overview of the HITRUST maturity model:

Policy. The policy covers what management expects to be done – and it’s important that it’s both approved by management and published for the organization.
Process. Separate, more detailed content provides guidance on how to accomplish the policy.
Implemented. What’s actually being done in practice is documented and able to be shown as evidence, including both sampling and nonsampling requirements.
Measured and managed. Separate from the implementation, control performance can be monitored based on specific measures and metrics, both operational and independent (including who is measuring and with what frequency as well as what the content is). The measured and managed maturity levels are optional for certification.

Corrective action plan (CAP) management: What to expect

Recommended strategies for CAP management and principles

CAPs describe the organization’s specific plans for correcting gaps identified during an assessment. Overall, CAPs should be measurable, feasible, supported, and monitored. The due date on each CAP will be reviewed during the interim assessment in the second year of the r2 certification. Organizations should use their existing IT risk and compliance processes where possible, while focusing on the required CAPs and prioritizing quick wins. If a CAP is not completed by the due date and the date needs to be extended, the organization should have a discussion with its assessor firm and explain the need to change the date and set a new, reasonable deadline.

3 common gaps and the level of effort needed to fill them

These three gaps are seen consistently in HITRUST certification and are common causes of the need for CAPs:

Drafting, approving, and publishing the policy and procedure. The first-time effort is moderate to high, due to the additional content needed to address requirement statements. However, any subsequent efforts are low, as only the maintenance of existing content is needed.
Acquiring or configuring technology. The first-time effort is low to moderate, as certification most often includes changes to system configurations but might include new technology acquisition. Subsequent efforts can be low to moderate, depending on the updates being made to existing technology.
Implementing or formalizing the manual processes. The first-time effort is moderate to high due to first-time gaps and implementing new controls. Subsequent efforts are low to moderate and depend on the shifts made to increase formality or consistency.

How CAPs are determined

MyCSF converts scores in the following categories to a scale of 1- to 5+. These are target scores:

Requirement statement. Here, the target score is 3+, otherwise there will be a gap.
Control references. The target score for this category is also 3+, and if that’s not met, a CAP will be required.
Assessment domains (19 topical control areas). The target score of 3+ indicates no deficiencies, and the certification threshold is at least a 3.

Interim assessments

Timing and background

An interim assessment, which can be done only by organizations that are already HITRUST certified, assesses organizations against the same HITRUST CSF version as a full certification. These assessments are performed prior to the one-year mark to extend certification through a second year. So, as an example, for an organization originally certified on Oct. 31, the MyCSF interim assessment object is automatically created 90 days before certification expires. If an organization would like to start earlier, it can create the assessment object 120 days before the certification date. Then, the organization would gather the control evidence to prepare for assessor fieldwork, typically 30 days prior to the expiration. The scope includes a sample of one control from each domain plus a review of any CAPs that were identified in the first-year assessment. Once testing is completed, the assessor submits the assessment to HITRUST on or before the one-year certification date.

Can certification be extended

As part of the interim assessment process, for organizations to extend the prior year’s certification through the second year, the assessor is required to evaluate these three areas and report the evaluation to HITRUST:

Scope. Any significant changes to in-scope systems, scoping factors, or the environment could risk an organization’s certification.
CAPs. Failing to make sufficient progress on any CAPs could affect certification.
Controls. Significant changes in control performance could also inhibit certification.

Continuous improvement activities

Control monitoring

To implement control monitoring, organizations should identify any existing processes that also can help monitor HITRUST controls. Ongoing monitoring might include creating IT, security, or risk committees; tracking metrics through dashboards; and creating alerts or activity reports. Then, the costs and benefits of implementing additional monitoring processes should be considered. Organizations should consider any separate assessments – such as internal audit or compliance testing, third-party security testing, and security program reviews – as independent measures and metrics supporting the HITRUST controls. If adequate monitoring is in place, the organizations should give themselves credit through measured and managed scores.

HITRUST CSF frameworks updates

HITRUST CSF frameworks are updated regularly with both major and minor releases, so organizations should check for any updates at least once per year.