Audit and Assurance


Experience with HITRUST certification journey

  • 1.  Experience with HITRUST certification journey

    Posted 11 Apr, 2019 19:14
    Have you undergone a HITRUST certification audit? What has your experience been? How complicated and onerous is the journey toward achieving certification?


  • 2.  RE: Experience with HITRUST certification journey

    Posted 12 Apr, 2019 06:42
    My clients have gone through the HITRUST CSF certification process. Generally, as long as scope and expectations are clearly set it is manageable - will need a very engaged internal project leader to keep things moving internally at the organization. It can be a lot of controls and a lot of documentation to pull together. If you have the budget, leveraging a CSF Assessor (see list of firms below) is highly recommended during the readiness phase to ensure there are no surprises and to keep you honest.

    https://hitrustalliance.net/csf-assessors/

    ------------------------------
    Ben Phillips, CPA, CITP, CISA
    Crowe LLP
    ------------------------------



  • 3.  RE: Experience with HITRUST certification journey

    Posted 13 Apr, 2019 17:21
    Thank you!
    Is it true that there are about 75 to 149 control objectives, however the number of control practices (control activities) can be an average of a few hundred to up to 1100 depending on many factors (e.g. laws)? If yes, do you have any thoughts on how small organizations who haven't explored HITRUST achieve this? For example, I have heard that HITRUST for HIPAA can be about 400 control practices, which seems like a really huge number to comply with...


  • 4.  RE: Experience with HITRUST certification journey

    Posted 14 Apr, 2019 18:46
    Nick - I would recommend checking out the HITRUST Alliance website. It has quite a few nice resources and free webinars - in addition - the organization itself is very helpful. For example - they have a Right Start Program that makes it more affordable for start-ups or earlier stage companies.

    At the end of the day - if your organization is interested - I would highly recommend partnering with a firm that is a certified HITRUST CSF Assessor through HITRUST. They will guide you down the right path.

    https://hitrustalliance.net

    ------------------------------
    Ben Phillips, CPA, CITP, CISA
    Crowe LLP
    ------------------------------



  • 5.  RE: Experience with HITRUST certification journey

    Posted 29 Feb, 2020 21:52
    Hi Ben
    Do you have any templates in Excel format for preparing HITRUST control requirements tracking?

    ------------------------------
    Abdul Javid
    Cybersecurity Manager
    ------------------------------



  • 6.  RE: Experience with HITRUST certification journey

    Posted 15 Apr, 2019 01:30
    Hi Nick

    We (Health Care Service Corporation) were the first payor to be HITRUST certified. You can have over 500 controls to comply with.

    HITRUST is an assessment, not an "audit." Compliance with HITRUST is not on par with a "traditional audit." That is not to say it isn't difficult. It has its place and demonstrates that the basic blocking and tackling are being performed.

    HITRUST uses a 5x5 control maturity and scoring model to evaluate the HITRUST CSF's control requirements:
    •  5 maturity levels for each control requirement;
    •  5 scoring levels for each control maturity level.
    HITRUST visited the Chicago Chapter back in November 2018.  I have attached a copy of their presentation.

    Check out https://frsecure.com/blog/hitrust-101-scoring-basics/ - it may help you understand their scoring methodology.

    Happy to connect and discuss further.

    ------------------------------
    Pamela (Pam) Nigro
    Sr Director of Info Security/GRC
    ------------------------------
