Is your organization involved in HITRUST or looking to take that path in the near future? If so, there are some important changes to be aware of that may change your timeline and approach.
Throughout each year, HITRUST releases Advisories as needed, in one of two categories: Assurance Change Advisories and Assurance Quality Advisories. These advisories notify the public of enhancements, changes, or additional guidelines regarding the HITRUST CSF Assurance Program Requirements and its related tools and methodologies.
Below is a summary of a few of the key advisories that were recently released:
Assurance Change Advisories for 2021
MyCSF Enhancements for CSF v9.x and later (HAA 2021-004): This advisory includes multiple enhancements that HITRUST is making to the MyCSF platform, which include:
- As an assessment can be completed without scoring Measured and Managed maturity levels, the ability to choose if Measured and Managed is even included in your assessment is now an option.
- If Measured and Managed will be included and scored, there will still be efficiency gained by not having to select for each control if the Measure is ‘operational’ or ‘independent’. It should be noted that describing ‘operational’ or ‘independent’ within testing results is still required.
- There will be additional edit checks on the scoping factors for any CSF 9.x versions. This allows for greater consistency in scoping responses and reduction of HITRUST Quality Assurance (QA) review time.
CAP Identification Changes (HAA 2021-003): A Corrective Action Plan, or CAP, is generated for controls that require remediation within a HITRUST Assessment because they fall below a given threshold considered as ‘passing’. Starting as of June 24, 2021, HITRUST will no longer generate a CAP for gaps that only exist at the policy and/or procedure/process maturity levels, if there is no gap at the Implemented maturity level. This will help reduce the overall number of CAPs an organization will need to respond to for its Interim Assessment.
Reservation System for Scheduling HITRUST Quality Assurance for HITRUST CSF Validated Assessments (HAA 2021-001): Starting July 1, 2021, HITRUST will be implementing a reservation system within the MyCSF platform as a way for an assessed organization to sign up for HITRUST QA processing. It will help reduce the time it has taken for HITRUST to complete its QA process, and allow organizations to better plan for and develop more specific timelines and have resources ready to respond, all of which will drive the ability to receive final deliverables closer to the completion/submission of the assessment. Entities will make a reservation for a given week in which they believe they will be ready to submit their assessment. HITRUST then promises to start the QA process on the assessment by the end of the week scheduled. There are stipulations for scheduling, rescheduling, and canceling, so please read the full advisory for more information.
Assurance Quality Advisory for 2021
HITRUST CSF Validated Assessment Enhancements (HAA 2021-002): If you are familiar with working with the HITRUST CSF security and privacy framework and rubric in the past, you may remember that prior to an assessment being performed, the organization was required to have all new or remediated controls operating for at least 90 days prior to the assessment period. Already in effect at this time, HITRUST has updated these requirements to allow for policy and procedure updates or implementation up to 60 days prior to the assessment. However, implementation of controls remains at 90 days prior. There have also been some adjustments made to the criteria/definitions for the policy and procedure/process requirements. A new rubric is not yet available with these details, but they can be found within the Advisory.
To review these advisories in full detail, please visit the HITRUST website (Advisories - HITRUST Alliance).
If you need help understanding what these advisories mean for your organization and its HITRUST journey, please feel free to reach out at firstname.lastname@example.org.
FoxPointe Solutions is solely responsible only for the content of FoxPointe Solutions authored information and is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standard authority. Nothing contained herein should be used nor relied upon as advice nor constitute a consultant-client relationship.