HITRUST Assessments: Relying on the work of others

By April 17, 2020 Articles

HITRUST has been a trusted framework since it was founded in 2007. It was created to champion programs that safeguard sensitive information and manage information risk. Intraprise Health is one of the first certified HITRUST assessors and is 100% healthcare focused. We know the importance of ensuring organizations are secure in the highly regulated healthcare arena. With two seats on the HITRUST Assessor Council and one on the Quality Assurance Subcommittee, we work closely with HITRUST to ensure your organization receives an assessment and reporting option that is ‘rely-able’ for all stakeholders.

HITRUST recently released updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. These policy and methodology updates create opportunities for greater assessment efficiency and customer cost savings.

HITRUST has historically afforded External Assessors (formerly referred to as HITRUST CSF Assessors) two opportunities to rely on the results of previously performed control testing: inheritance of the results of other HITRUST CSF Assessments, and reliance on audit reports and certifications issued by third-party auditors (such as SOC 2 Type II reports) that meet the requirements established by the CSF Assurance program. The recently released updates clarify these options by specifying the associated timing, scope, and documentation requirements.

These updates also introduce opportunities for Internal Audit or other departments that meet specific objectivity and resource qualification requirements to directly participate in and support the CSF Assessment process; more specifically, they create a new role in the CSF Assurance process called Internal Assessor. Internal Assessors will aid in the CSF Assessment process by performing testing and verification on various aspects of the process. External Assessors must approve the work of an Internal Assessor, but now have the option of relying on work performed by an assessed entity’s Internal Assessors, which not only creates efficiencies and cost savings, but also greater organizational alignment as it relates to information security and privacy control requirements. The Internal Assessor role in the CSF Assurance process will bring benefits to both External Assessors and assessed entities:

  • Assessed entities already performing robust pre-assessment testing in advance of their HITRUST CSF Validated Assessment can expect lower overall HITRUST CSF Assessment costs, as duplicate testing performed by their assessor can be reduced.
  • Teams with deep knowledge of the organization’s internal controls (such as Internal Audit, Risk Management, and Compliance) can now have a defined role in the overall HITRUST CSF Assessment process.

Relying on the work of others can be a strategic advantage. Furthermore, it can shorten the certification timeline, but it is important that the Internal Assessor coordinates with the External Assessors prior to completing any work.