HITRUST continues to hold its place as the Gold Standard for a robust, prescriptive information security organization and framework.
By Keith Kenna, PMP, HCISPP, CCSFP
Vice President, Program Management
Intraprise Health, BluePrint Health Information Security Services
Navigating the pathway to HITRUST certification is complex and can be daunting to even the most security savvy among us.
At Intraprise Health, we believe there are four topics essential to understanding the pathway to HITRUST certification, including:
- The Value of HITRUST
- Background on the HITRUST Common Security Framework (CSF)
- Our Methodology for Preparing Clients
- Evaluation Criteria and Scoring
The graphic below highlights the three phases to achieving HITRUST certification. When we work with a client on an assessment, we help them identify areas in their program that need improvement, work with them on how to achieve resolution, and guide them towards achieving scores that merit certification.
Here are some of the questions we commonly receive about HITRUST Certification and the CSF.
How many requirements will my organization be assigned?
- The total number of requirements your organization will be responsible for demonstrating compliance with depends on how the assessment is scoped. A domain could contain anywhere from 2 requirements to over 40 requirements.
What is the minimum score we need to achieve certification?
- Although creating a robust security program is the focus of the Common Security Framework, keep in mind that when achieving HITRUST CSF certification there is no total or overall score. You will receive a score for each of the 19 domains mentioned earlier. Based on the maturity of your program in each domain area, you should score a 71 or higher. The minimum score to achieve certification is 62; however, at that level you must submit a corrective action plan (CAP) with milestones, estimated completion dates and owners. The good news is that you can become certified while advancing your program.
How many staff members do I need assigned to this project to get through the certification process?
- We know that this is a challenge for most organizations. We have seen that it’s best to have a single FTE, such as a project manager, who owns it. That person will need to rely on staff from functional areas, like compliance, system administration, and human resources.
How do we know that we’re ready to submit for HITRUST CSF certification?
- Your third-party assessor, like those on our team, carries out your facilitated assessment and tells you what should be strengthened in your program in order to meet the requirements for all 19 domains.
My academic medical institution just wants to submit the hospital for CSF Certification. Is that possible?
- Yes, you can look at your total entity and decide which verticals you want to submit for certification. Because the self-assessment can be tailored to your organization, we can address the requirements that apply to the organization at the system level or the service/program level and refine the scope of the assessment accordingly.
Would you like to discuss the certification process with someone knowledgeable from our HITRUST team? Contact us by completing the simple form on our information page here.