The HITRUST
Assessment Process

Since its inception in 2007, the HITRUST framework has become very popular with organizations globally – including businesses of all types in the HITRUST XChange program. As a certified HITRUST accessor firm and licensed CPA firm, A-LIGN has helped companies and organizations of all sizes prepare for HITRUST certification.

What is HITRUST?

The HITRUST Common Security Framework (CSF) is a comprehensive and scalable framework designed to manage an organization’s regulatory compliance and risk management. The HITRUST CSF is often used by organizations in the healthcare industry but has been increasingly adopted by organizations in other industries that don’t handle healthcare data.

The HITRUST CSF approaches compliance through a “assess once, report many” approach, allowing organizations to choose the frameworks and controls that they want to be tested against. By combining regulatory requirements and recognized frameworks from ISO, NIST, HIPAA/HITECH, PCI DSS and COBIT into one comprehensive system, the HITRUST framework has been adopted by organizations of all sizes. With the implementation of HITRUST CSF v9.2, the benefits of the HITRUST framework can now be applied to organizations in any industry, regardless of whether they’re in healthcare or handle Personally Identifiable Information (PII).

About the HITRUST Assessment Process

The A-LIGN HITRUST assessment process is composed of five steps. Through every phase, A-LIGN works closely with your organization to determine the appropriate scope and expectations, helping to position you for an optimal outcome in the final assessment.

Step 1: Define Scope

When an organization needs to undergo HITRUST, an A-LIGN subject matter expert (SME) will meet with them to define the scope and choose what type of HITRUST assessment to undergo. The SME will give context to security controls that your customer needs to authorize, including what business units are affected, what is covered by controls and what subsidiaries are affected. Together, our SME and your organization will review and define the systems in scope (such as infrastructure-as-a-service or software-as-a-service) and set the stage for the rest of the HITRUST process.

The HITRUST CSF is driven by several strict requirements; if the scope is incorrectly outlined, you could either have too many or too few requirements needed for certification. By ensuring scoping is correct, your organization can save time and money as you prepare for the HITRUST assessment process.

Step 2: Obtain Access to the MyCSF Portal

After the scope is defined, the organization needs to obtain access to the MyCSF portal by contacting the HITRUST Alliance. The organization will create the assessment object and grant access to the A-LIGN assessors. Once they have access, the organization can start uploading any evidence, policies and procedures they have in place for the assessors’ initial review.

Step 3: Gap Assessment/Self-Assessment

During the gap assessment, A-LIGN assessors go onsite at the organization and take the time to understand the organization’s environment and the flow of data between systems in scope. The assessors go through every requirement to understand what controls the organization has, identify the gap and provide tangible recommendations for the organization to remediate the gaps. The gap assessment identifies and ranks gaps in your organization by risk level, providing you opportunities for remediation before undergoing the validated assessment. As the organization remediates the gaps, the A-LIGN assessors continuously review the evidence to ensure they are meeting the requirements.

Step 4: Validated Assessment Testing

The HITRUST CSF assessment typically has 120-138 questions and may be assigned to specific individuals. The assessment workflow can be managed in MyCSF, and notifications and reminders can be automated. The status of the assessment is easily monitored and reported to management.

During the validated assessment testing phase, A-LIGN assessors will review and validate the client scores, then submit your final assessment to the HITRUST Alliance for approval. The HITRUST Alliance then decides whether to approve or deny your organization for certification. This process can take anywhere from four to ten weeks, depending on HITRUST’s volume of QA reports. If the HITRUST Alliance denies your organization’s application for certification, they will issue you a validated report that outlines the gaps that need remediation. If the HITRUST Alliance approves your organization’s application, they will issue you a certified report.

Step 5: Interim Assessment Testing

Once the client organization becomes certified, the certification is valid for two years before a full recertification needs to be completed. At the one-year anniversary of certification, the certified organization must have an interim assessment conducted. A-LIGN will test a subset of the prior year’s controls to ensure the ongoing effectiveness of those controls, as well as assess any measured and managed score increases from the prior year and identify and document any scope changes.

For recertification, the client organization must maintain its security controls and strive to improve its overall average scores across the HITRUST requirements to maintain and continue that certification.

The A-LIGN Difference

A-LIGN’s experience and commitment to quality helped over 130 clients successfully achieve HITRUST certification. Our vigorous process outlined above helps you prepare for the HITRUST assessment, and our team of HITRUST experts are here to answer any question you might have through every step of the process by answering all inquiries within twenty-four hours. With A-LIGN, you’re on the right path to HITRUST certification success.

Interested in pursuing the HITRUST CSF for your organization? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity and compliance professionals.