If you are providing services to healthcare organizations, you may often be asked, “Do you have a HITRUST Certification?” followed by “Well, if we use your product, you will need to get certified by HITRUST”.
But before you jump in and promise to achieve that goal quickly, you might want to assess your organization’s readiness for HITRUST. Based on our experience as HITRUST Assessors, we have put together the Top 8 Requirements to Help You Prepare for HITRUST, so that you can give a realistic answer to “When can you get HITRUST certified?”
- Organizational Commitment – HITRUST is a major commitment for an organization. It will require significant heavy lifting from the IT Security Team and may require that others within the organization make changes to their operations to meet the significant demands. For HITRUST to be successful, you will need executive support and a commitment to providing the required resources.
- Policies – The HITRUST Common Security Framework (CSF) incorporates numerous regulations and standards, including ISO, NIST and HIPAA. One of the HITRUST requirements is that your organization has documented policies that clearly communicate management’s expectation of how the control must operate for each of your HITRUST requirements. If your policies are not based on NIST or ISO requirements, they will need to be upgraded before you begin your certification process.
- Procedures – Each of your policies must be supported by detailed procedures outlining the following:
  - How you are implementing the policy;
  - When the procedures should be performed;
  - Who is performing each procedure; and
  - Details on timing and documentation of the procedures.
- Risk Assessment – HITRUST requires that your organization has performed a comprehensive risk assessment of your security operation based on a formal methodology that evaluates multiple factors that could impact the security of your covered information.
- Business Continuity – HITRUST will require that you have a formal business continuity plan that evaluates potential events that could impact your critical operations and a formal strategy to address those risks.
- Technical Testing – HITRUST will require that you have implemented technical testing to validate the security of your systems. This may include quarterly or annual vulnerability scanning, penetration testing, and an annual review of the technical security configuration of your systems.
- Documentation – HITRUST will require that you can provide evidence of your control implementation. For example, if your current change management procedures are ad hoc and based on discussions with your team, you will need to implement a formal change management procedure that documents your testing and approval process in order to meet the HITRUST requirements.
- Timing – HITRUST requires that all of your policies, procedures and control implementations be in place for 90 days prior to testing by your external assessor. When you estimate how long it will take you to meet all of the requirements, remember to add 90 days to your timeline so that you can produce the evidence of implementation that HITRUST requires.
Recently, CompliancePoint and Altruista Health discussed Altruista’s experience in obtaining their first HITRUST Certification. This webinar provides additional detail on some of the requirements listed above and outlines Altruista’s experience with the HITRUST Certification process.