International corporate entities, insurance firms, medical practices, hospitals, state and federal government agencies and other companies that operate in the healthcare sector are charged with the crucial responsibility of protecting, storing and transmitting patient information and other data.
In this era of constant cybersecurity breaches, accomplishing this task is both complex and challenging. To help companies address the numerous compliance requirements set forth in regulations and standards such as HIPAA, HITECH and the NIST frameworks, a consortium of leading companies in the fields of information security, business and healthcare has pooled its resources and expertise to form the nonprofit Health Information Trust Alliance (HITRUST).
This consortium has released the HITRUST Common Security Framework that seeks to integrate the controls established in the major healthcare-related regulations and standards. Once you understand the steps involved in complying with the HITRUST CSF, you and your team can determine how far you should take your company in the certification process.
What is the HITRUST Self Assessment?
Although your company may ultimately want to receive a full HITRUST CSF certification, you cannot reach this milestone without first conducting your own internal HITRUST assessment. This process is a baseline review: a comprehensive evaluation of all of your programs and systems to determine where improvements should be made. To accomplish it, your company compares each in-scope infrastructure component against the required controls contained in the HITRUST framework. Using the set of measures found in the myCSF tool, your organization can identify areas of strength and weakness, make any necessary changes and thus prepare itself for the final step of certification.
Who Should Conduct Your HITRUST Self Assessment?
Going through the steps of a HITRUST assessment is a specialized undertaking. Ideally, it should be performed by a team or staff member who is well-versed in the IT governance and application controls involved in supporting the systems reviewed by the HITRUST framework. If your organization has these people available, you should be able to perform this pre-certification step without enlisting the services of an outside assessor.
Requirements Before Implementing A HITRUST Self-Assessment
To perform a HITRUST assessment, you will need access to the online myCSF tool provided by HITRUST. You can choose between a less expensive report-only option and a costlier annual subscription. If you opt for the former, your results will only be available to you for 30 days. By contrast, a subscription lets you refer to them throughout the life of the plan.
The Scope of MyCSF Questions
The online tool used during the self-assessment is designed to help you determine which controls apply to your organization. You will be expected to specify the following information:
- The type of corporation or organization you have and the industry in which you operate
- Number of users, customers, employees or transactions per day
- Accessibility of your systems from public locations
- Mobile device access to your systems
- Third party access to your systems
- Number of interfaces between yours and other systems
- Which regulatory frameworks affect your organization (NIST, ISO 27001, HIPAA, HITECH, etc.).
Most companies have at least 120 controls to analyze, along with narratives to write and copious amounts of documentary evidence to compile and upload. Since the scope covered by the myCSF tool is wide, expect to devote significant time and resources to administering it. Expect you and your team to spend at least 120 hours.
What Happens After the Self-Assessment?
Once you complete your work in the myCSF tool, your next step is to submit it online to HITRUST. Following that, you will receive an assessment report that summarizes all of the information you included in your assessment. In addition, you will receive a Letter of Self-Assessment providing assurance that you went through the process. It should be noted, however, that this is different from a letter of certification: it attests only that you assessed yourself, not that an external assessor validated your controls.
Investing time in the self-assessment process can provide companies with several benefits. Most importantly, you can use it as an opportunity to gather vital information about your systems, evaluate them and identify potential weaknesses. Correcting those weaknesses at this stage can make the HITRUST certification process run more smoothly in the long run.
Many of the major healthcare organizations, including Anthem, Highmark and Humana among others, are now requiring that the organizations with whom they partner conduct a HITRUST assessment. If you want to ensure that your systems are secure and are in compliance with industry standards, the HITRUST self-assessment should be the first step on your certification journey.