HITRUST Validated Assessment Best Practices

HITRUST has solidified itself as one of the industry’s leading cybersecurity networks incorporating HIPAA, GDPR, PCI-DSS, and more. It encapsulates numerous control elements from the aforementioned frameworks and spreads them across nineteen domains ranging from Access Control, Incident Management, and Education, Training & Awareness just to name a few.  

With HITRUST only allowing ninety days to complete the Validated Assessment, you’ve probably wondered how it is possible to juggle an ongoing rigorous testing certification AND perform a regular 9-5 job.

Below, we identify some HITRUST Validated Assessment best practices and provide a roadmap to utilize while you are going through your HITRUST journey for a less stressful engagement.

HITRUST Validated Assessment Pre-planning (Thirty Days Before the Testing Window)

So, you’ve got the date solidified, controls in place (controls must be implemented ninety days before testing), and policies and procedures (must be in place sixty days before testing) ready to go.

Before the first control is even touched, there are a few administrative tasks you want to complete to keep yourself ahead of the curb. The best recommendation is to do these thirty days before your testing window so you can hit the ground running come testing time.

Inheritance: If you are submitting inheritance, you’ll want to get the appropriate controls mapped out and submitted to HITRUST before you begin testing. Sometimes the acceptance process can get drawn out if the provider is slow to respond and you won’t be able to make changes until the end if you start testing without it. This should be a top priority when getting started.

Populations & Samples: This can be a major roadblock in the beginning phase of testing as sampling is an integral part of the HITRUST process. It begins with pulling populations from a variety of different resources within your organization, which can be time-consuming within itself. Once those populations are identified, you’ll then provide the evidence from the aforementioned sample. This two-step process is lengthy, and many controls revolve around this process for its evidence. Along with submitting the inheritance, this is another task that should be at the top of your list before testing.

Creating a Project Plan: Either you fail to plan or plan to fail. Sitting down with your team and other stakeholders to create a roadmap provides a vision for the future. Laying out target completion dates for tasks will help the organization stay on schedule. This helps create accountability and a yardstick on how the overall project is progressing. This will be discussed more during the “testing phase.”

Review of Admin & Scoping Factors: It’s best not to wait until the testing phase begins to knock out these administrative tasks. This process must be completed before testing so no use in waiting until the testing period opens to have these submitted.

HITRUST Validated Assessment Testing Phase (Sixty Days)

This phase will be your meat and potatoes of the project and to make it easily digestible, it’s best when broken down into bite-size bits. To help give the next sixty days some direction, we’ve mapped out a strategy for you and your team to follow.  

One strategy we recommend is breaking the domains into testing “blocks,” which essentially means breaking up the testing window into three sections to track progress. The blocks are broken down further into domain submissions. You will be looking to submit 1-2 domains every week culminating in 5-8 domains submitted per block. This process will help make the next sixty days more manageable for you and your team. Instead of dedicating all your resources at the end for a mad scramble, this helps break it up over time so you’re better able to balance your day-to-day work and your ongoing HITRUST assessment.

It should be noted that the domains necessary do not need to be in the order below, but the cadence at which you submit the domains is what’s most important.

This approach also helps asses the overall health of the project. Having these milestone markers in place will help indicate how the project is progressing. If the team is ahead of the schedule or staying on track, it’s good to note the successes to keep the momentum in full swing. The inverse is also true if you find your team consistently missing these deadlines. You’ll need to sit down and look at what roadblocks are inhibiting you. Get them identified as soon as possible and take corrective action to get back on course. It’s best to look at this schedule on a weekly or bi-weekly basis to assess progress. Accountability will be key to ensuring a smooth HITRUST experience.

Here is an example schedule to follow for HITRUST submission:

Block 1 (fifteen days)

• Domain 1-2 (five days)
• Domain 2-5 (five days)
• Domain 6-8 (five days)

Block 2 (Fifteen Days)

• Domain 9 & 10 (five days)
• Domain 11 (five days)
• Domain 12 & 13 (five days)

Block 3 (Twenty Days)

• Domain 14 & 15 (five days)
• Domain 16 & 17 (five days)
• Domain 18 (five days)
• Domain 19 (five days)

HITRUST Validated Assessment Final Steps (Fifteen Days)

At this point in the assessment, there shouldn’t be a mad dash to the finish, but instead, a time to work on administrative items and cleaning up loose ends. Here is a recommended playbook for the final stages of the assessment.

Returned Controls & Administrative Tasks (Ten Days):  With only fifteen days left in the assessment, there isn’t much time for back on forth on finalizing controls. These ten days should be utilized for making decisions on control scores and completing domain testing. This could include obtaining the last pieces of evidence or compromising on testing scores to accurately reflect the evidence provided. The external assessor is using these ten days to shore up tasks on their end, so preparation is needed on both sides for a smooth submission date. This time will also be used to complete administrative tasks such as submitting a logo and signing the Validated Report Agreement & Representation Letter which could take a day or two to get formally processed.

Identifying CAPS & Submission (Five Days): With the finish line in sight, the last action items is to cross your T’s & dot your I’s. The last five days are used as a spillover in case any of the above items did not get completed. Hopefully, if the timeline is being met, your last major hurdle is generating and addressing CAPS (Corrective Action Plans). These can only be generated once all other administrative tasks are complete. These CAPS are identified by HITRUST as not meeting the scoring requirement for a specific control. You will need to formally address each CAP and give details on actions your organization will take to make the control sufficient in the future. These will be filled out in the portal at the individual control level. Once that is complete, you are finally ready to hit the submit button! All the hard work and planning has paid off. You’ll now be able to sit back and await the results.

CompliancePoint is an authorized HITRUST CSF Assessor. Our experienced team of healthcare and cybersecurity professionals can guide you through every step of your HITRUST certification. Contact us at connect@compliancepoint.com to learn more.