Archives of HITRUST Assurance Advisories 2017

HAA 2017-001: Processing of Validated Assessment Reports

Impacted Policy/Program Name

CSF Assurance Program

Date

March 6, 2017

Advisory Type

Process Change

Advisory Details

This bulletin is to communicate a change in the assurance process regarding the processing of validated assessments and the time allowed to respond to a HITRUST Quality Assurance (QA) request.

After a validated assessment has been submitted, HITRUST responds within 24-48 hours with a QA Letter. This letter requests supporting evidence for those controls selected for QA, those controls that have been assigned a Measured/Managed score, and those controls marked as N/A. Supporting evidence should be provided within 14 days of the issuance of the QA Letter. If supporting evidence is not provided within that time frame, HITRUST will only issue a Readiness Assessment report in lieu of a validated report. No certification will be awarded.

Rationale

Establishing a deadline for receiving QA materials will help ensure a timely and efficient process for generating draft reports. As evidence is supposed to be gathered throughout the assessment process, submitting artifacts in support of a QA request should be a minimal effort. Assessor organizations that have gathered evidence throughout the effort should not be impacted by this advisory. The timely processing of a client’s assessment through QA is best achieved if the QA Letter is responded to promptly. Failure to respond in a timely manner may indicate that an assessor has not collected, nor is maintaining, adequate working papers in support of their assessments. This may lead to a conclusion that adequate validation has not occurred and may therefore result in the issuance of a Readiness Assessment report.

Timetable for Implementation

Immediate: This bulletin is a clarification to the existing process and will impact all assessments submitted to HITRUST as of the date of issuance of this advisory.

HAA 2017-002: Using SOC Reports in support of HITRUST CSF Validated Assessments

Impacted Policy/Program Name

CSF Assurance Program

Date

July 31, 2017

Advisory Type

Clarification

Advisory Details

This advisory is being issued to address situations where a service organization has decided to pursue both a SOC report and a HITRUST CSF Validated assessment report, and engages separate organizations to perform the work supporting the two reports. When this occurs and the HITRUST Authorized External Assessor organization intends to rely on a SOC report that was produced as part of an AICPA SOC engagement, there are certain considerations which should be addressed during engagement planning.

Rationale

First, determine if you are entitled to use the SOC Report:

Since SOC reports are limited distribution reports, the service organization (unless it is a user of its own service) and its HITRUST Authorized External Assessor organization are typically not intended users (user organizations) of a SOC report issued by the service organization that contains an independent opinion provided by the service auditor. For any organization to be an intended user of a SOC report, they have to be users of the service that is covered within the service organization’s SOC report. If the user organization and its HITRUST Authorized External Assessor are not intended users of the report, they cannot directly place reliance on the SOC report for purposes of testing to support a HITRUST CSF Validated assessment.

Next, determine if you can place reliance on the report if you are an intended user:

If, however, the user organization, and by extension its HITRUST Authorized External Assessor organization, are intended users of the SOC report, they may be able to place reliance on the SOC report. This reliance is subject to the understanding/expectation that in a HITRUST CSF assessment the control requirements are very prescriptive. So, for the assessor to rely on the SOC report, it would need evidence at that granular level of detail, both in the section that describes the controls and in the auditor’s section where the controls were tested and the results of those tests were disclosed. For example, simply having in the description that the service organization has password management policies and procedures, and the service auditor simply stating it tested the password management system, would not suffice. The report would have to contain more detail, and the assessor organization would need to obtain a copy of the associated testing workpapers to support the operating effectiveness of the control for inclusion in its own workpapers, which is not a probable scenario in the marketplace. If workpapers are successfully obtained, the assessor organization must follow the professional standards that are in place when reperforming the work of others, which include but are not limited to assessing the competency, objectivity and independence of the firm performing the SOC report work. The assessor organization would also have to draw its own conclusions on the evidence obtained through the execution of its own independent procedures.

Also, during the HITRUST QA process, HITRUST will ask for testing evidence in support of the certification. Responding to this request along the lines of “relied on the SOC 2 testing” would not be sufficient. HITRUST would need evidence that the SOC 2 testing included the level of detail and rigor discussed in the previous paragraph. Besides the testing workpapers, this may require the assessor organization to perform a walk-through to verify its understanding, along with a reference to the specific description/tests performed by the service auditor. It is important to understand that, if its client is an intended user of a SOC report used to support a validated assessment engagement, the assessor organization must still perform a level of due diligence and independent verification in line with the published assessor guidance. This would include determining whether the testing that was done for the SOC report was adequate and appropriate, given the scope of the assessment report, to address the HITRUST CSF requirement(s). It is also important for assessors to understand that even if they are an intended user of a SOC report as an extension of management, the intended use of that report must be appropriately understood in order for an assessor organization to rely on the report, which can be accomplished through a discussion with the service organization. Failure to abide by these rules may result in HITRUST not issuing a validated/certified report and could lead to sanctions being imposed on an assessor organization.

As a final consideration, and given the sensitivity of workpapers, the CPA organization will likely be reluctant to provide access to or copies of its workpapers to the HITRUST Authorized External Assessor organization. So where two different organizations are involved in producing a SOC report and a HITRUST CSF Validated assessment report, there will need to be discussions with service organization management about whether the sharing of testing procedures is an option.

Timetable for Implementation

Immediate: This bulletin is a clarification to the existing process and will impact all assessments submitted to HITRUST as of the date of issuance of this advisory.

HAA 2017-003: Interim Assessment Integrated Into MyCSF 2.0

Impacted Policy/Program Name
CSF Assurance Program
Date
August 24, 2017
Advisory Type
Process Change

Advisory Details
This bulletin is to communicate a change in the assurance process regarding the performance and processing of interim assessments.
In efforts to streamline the interim assessment process, HITRUST will be moving to an online process with the launch of MyCSF 2.0.
Rationale
Historically, assessors have had a great deal of latitude when it comes to the interim assessments for organizations that are HITRUST CSF Certified. As such, there has been a wide variance in the materials that are received in documentation of this assessment. By building the interim assessment into the MyCSF platform, HITRUST hopes to increase consistency in the documentation of results as well as provide increased efficiencies for Assessors and Assessed Entities.
Timetable for Implementation
Effective with the release of MyCSF 2.0. Assessed Entities will not need to comply with the new process until they are migrated into MyCSF 2.0.

HAA 2017-004: HITRUST CSF Validation Requirements

Impacted Policy/Program Name
CSF Assurance Program
Date
September 12, 2017
Advisory Type
Assurance Requirements

Advisory Details
This bulletin is to remind assessor organizations about the expectations of the assurance process regarding the performance of testing of control requirements for assessments.
The validation process of the HITRUST CSF Assurance Program requires validation of all control requirements (100%) that are generated in an assessment based on the Assessed Entity’s risk factors. In addition, the expectation is that this testing be performed on site with a few exceptions. The exceptions are:

  • Reliance on a third-party attestation in lieu of testing
  • Inheritance of scores from a current validated assessment
  • Cases where an organization deploys a virtual workforce (work from home) and making a site visit is impractical

HITRUST reserves the right to expand the QA process to include additional controls (up to 100%) and support for scores on a case-by-case basis at its sole discretion.
Rationale
This reminder is being issued due to feedback that some Assessors may be performing most, if not all, testing remotely, and that testing may not include 100% of the control requirements in an assessment. HITRUST takes the integrity of the assurance program seriously and will take steps to ensure that program requirements are being met in all cases.
Timetable for Implementation
Already effective per HITRUST CSF Assurance Program requirements.

Archives of HITRUST Assurance Advisories 2016

HAA 2016-001: Clarification of HITRUST CSF assurance requirements related to an assessed entity outsourcing selected HITRUST CSF controls.

Impacted Policy/Program Name

CSF Assurance Program Requirements

Publication Date

January 12, 2016

Effective Date

Immediate: This bulletin is to clarify existing policy.

From

Ken Vander Wal, Chief Compliance Officer, HITRUST

Advisory Type

Requirement Clarification

Policy/Program Clarification Details

This bulletin clarifies the treatment of controls required for Certification in situations where certain controls are outsourced to a third party, and the impact of outsourced controls on a HITRUST CSF validated assessment.

Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, either supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.

Under no circumstances are outsourced controls or those supported by a third party considered “Not Applicable” when performing a CSF Assessment. All controls must be tested by an approved External Assessor, or the External Assessor must determine the controls have been satisfactorily tested by another independent party consistent with HITRUST CSF Assurance Program requirements. For example, External Assessors may be able to rely on a current CSF Certification report, CSF Validated Report, or a current SOC 2 report that is based on the HITRUST CSF criteria.

Rationale

HITRUST has seen a growing trend in the outsourcing of certain HITRUST CSF controls. In many instances, the validated assessment is submitted with the outsourced controls listed as “Not Applicable” or the External Assessors are being provided assessments performed with limited understanding of the scope, methodology, or assurance of the accuracy relating to the controls in question. HITRUST has been returning these assessments back to the External Assessor in order to perform the required testing and score the controls in question. HITRUST is releasing this bulletin to clarify the HITRUST CSF Assurance Program requirements related to the outsourcing of controls. This should allow External Assessors to more clearly communicate this requirement to their clients and prevent costly re-work related to outsourced controls.

Timetable for Implementation

Immediate: This bulletin is to clarify existing policy.

HAA 2016-002: HITRUST CSF Assurance Program requirement change related to timely submission of corrective action plans that are required as part of certification report issuance.

Impacted Policy/Program Name

CSF Assurance Program Requirements

Publication Date

January 12, 2016

From

Ken Vander Wal, Chief Compliance Officer, HITRUST

Advisory Type

Requirement Change

Policy/Program Change Details

This change will require submission of all corrective action plans that are REQUIRED for certification within 30 days of the posting of the corresponding draft report. Failure to submit the required corrective action plans within the 30-day timeframe will result in the report being issued final as VALIDATED and not CERTIFIED. The Letter of Certification included in the report will be replaced with a Letter of Validation.

Rationale

HITRUST’s policy is to issue a final report no later than 30 days after the draft report is posted. HITRUST cannot issue a final report in cases where there are REQUIRED corrective actions as a condition of CERTIFICATION without the required corrective action plans. HITRUST has been experiencing long delays and/or failures in receiving required corrective actions in a timely manner. This has had an adverse effect on HITRUST’s ability to achieve its desired SLA with regard to processing of these reports. It is believed that this new policy will encourage organizations to be more diligent and submit corrective action plans within the allotted timeframe.

Timetable for Implementation

Effective Date: January 15, 2016

Enforcement Date: April 1, 2016

HAA 2016-003: HITRUST CSF Assurance Program Change Related To The Addition Of A Required Control For Certification In HITRUST CSF V8.

Impacted Policy/Program Name
CSF Assurance Program Requirements
Date
January 12, 2016
From
Ken Vander Wal, Chief Compliance Officer, HITRUST
Advisory Type
Requirement Change

Policy/Program Change Details
This change adds CSF control 01.t Session Time-out to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. Failure to include CSF control 01.t after the 2016 release will prevent organizations from submitting their assessments for HITRUST validation and certification. This addition increases the total number of CSF controls required for HITRUST CSF certification from 64 to 65.
Rationale
HIPAA § 164.312(a)(2)(iii), an addressable implementation specification that requires organizations to “implement electronic procedures that terminate an electronic session after a pre-determined time of inactivity,” is currently supported by CSF control 01.h, Clear Desk and Clear Screen Policy, for the purpose of HITRUST CSF certification. Although CSF control 01.h requires the use of a protected screen and keyboard locking mechanism if a user is logged into a computer or terminal, CSF control 01.t more specifically addresses the intent of the language in the HIPAA specification.
Timetable for Implementation
Effective Date: Assessments generated with Version 8 of the HITRUST CSF
Enforcement Date: Assessments generated with Version 8 of the HITRUST CSF

HAA 2016-004: HITRUST CSF Assurance Program Change Related To The Addition Of A Required Control For Certification In HITRUST CSF V8.


Impacted Policy/Program Name
CSF Assurance Program Requirements
Date
January 12, 2016
Advisory Type
Requirement Change

Policy/Program Change Details
This change adds CSF control 01.e, Review of User Access Rights, to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. Failure to include CSF control 01.e after the 2016 release will prevent organizations from submitting their assessments for HITRUST validation and certification. This addition increases the total number of CSF controls required for HITRUST CSF certification from 65 to 66 after the addition of 01.t, Session Time-out, per HAA 2016-003.
Rationale
HITRUST has received numerous inquiries from healthcare organizations over the past several years about including the review of user access rights in the controls required for certification. “Recertification” of user access is a common if not ubiquitous item on internal and external audits and an essential component of privilege management. Recertification helps prevent “access creep” for workforce members that transfer from one position to another within an organization, as well as provide the organization with another check on the validity of initial privileges granted to new workforce members and additional assurance that access for terminated workforce members has been revoked. Ensuring that only current workforce members have access helps reduce the overall attack surface for malicious cyber threat actors and further inhibits the ability of these malicious actors to escalate user privileges and subsequently maintain them if an account is successfully compromised.
Timetable for Implementation
Effective Date: Assessments generated with Version 8 of the HITRUST CSF
Enforcement Date: Assessments generated with Version 8 of the HITRUST CSF

HAA 2016-005: New Controls For HITRUST CSF V8

Impacted Policy/Program Name
CSF Assurance Program Requirements
Date
August 3, 2016
Advisory Type
Requirement Change

Policy/Program Change Details
This advisory reminds External Assessor Organizations of the addition of CSF control 01.e, Review of User Access Rights, and CSF control 01.t, Session Time-out, to the CSF controls REQUIRED for certification with the 2016 CSF version 8 release. (See HAA 2016-003 and -004.) Failure to include CSF controls 01.e and 01.t will prevent organizations from submitting their assessments for HITRUST validation and certification against the CSF version 8 release. These two additional requirements increase the total number of CSF controls required for HITRUST CSF certification from 64 to 66.
Rationale
See HAA 2016-003 and HAA 2016-004.
Timetable for Implementation
Effective Date: 1 July 2016

HAA 2016-006: Certification To Require All CSF Controls Within 5 Years

Impacted Policy/Program Name
CSF Assurance Program Requirements
Date
August 3, 2016
Advisory Type
Requirement Change

Policy/Program Change Details
HITRUST policy has been to increase the number of controls required for CSF certification over time: 45 controls were required in 2009 for the initial release of the HITRUST CSF, and 66 controls are now required for certification against the v8 release. HITRUST has decided to accelerate the process of adding controls required for CSF certification and to incorporate all 135 CSF security controls in CSF Categories 0 through 12 within five (5) years. HITRUST organizations and assessors should plan for significant increases in the number of control requirements assessed for certification in all future releases until such time as all 135 controls are addressed.
Rationale
The level of due diligence required to obtain satisfactory assurances around an entity’s information protection program has changed significantly in recent years and—along with increased use of the HITRUST CSF to support scorecards against external frameworks such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, combined HITRUST CSF and AICPA SOC 2 reporting, and cyber-insurance underwriting—HITRUST recently committed to its Board of Directors to integrating all the HITRUST CSF control requirements into the certification process within five (5) years.
Timetable for Implementation
Immediate: This bulletin is to clarify existing policy.

HAA 2016-007: Organizational Risk Factors Updated For CSF V8 Release

Impacted Policy/Program Name
CSF Assurance Program Requirements
Date
August 3, 2016
Advisory Type
Modification

Policy/Program Change Details
Organizational risk factors were revised as follows:
[Image: RiskFactorsTable.jpg, the table of revised organizational risk factors by healthcare vertical]
Note the CSF implementation level that would be selected for an applicable CSF control is determined by one and only one of the multiple risk factors listed in the table for each healthcare vertical in the order of preference indicated. System risk factors generally only impact implementation level selection for system controls; however, regulatory factors can force selection of a higher implementation level for either organizational or system controls as previously discussed. Geographic scope (e.g., multi-state) is also retained.
Rationale
In August of 2014, as part of this ongoing maintenance of the CSF, HITRUST chartered an industry working group to examine the current risk factors and make recommendations for improvement if needed. Upon review, the working group determined that modifications to the volume of business in the organizational factors were needed.
The consensus of working group members was that a significant determinant of relative risk amongst organizations is the number of individual records that they hold and/or process, regardless of the class (or vertical) in which the organization resides. The rationale is based primarily on common use of the average cost of a breach per individual record compromised to estimate the costs of a specific breach. Further, the total number of individual records that could potentially be compromised then provides an estimate of the organization’s maximum exposure in the event of such a catastrophic breach.
However, since in HITRUST’s experience not all healthcare organizations can provide a precise estimate of the total number of individual records they hold, the working group decided to provide an alternative risk factor based on the number of individual records processed annually.
Timetable for Implementation
Effective Date: July 1, 2016 (when used with the CSF v8 Release or later)

HAA 2016-008: Deadline To Submit CSF V7-Based Assessments

Impacted Policy/Program Name
CSF Assurance Program Requirements
Date
August 3, 2016
Advisory Type
Clarification

Policy/Program Change Details
HITRUST will continue to accept and process validated assessments under CSF v7 until December 31, 2016, which is six (6) months after the release of CSF v8. It should be noted that once a new version of the CSF is released, any new assessments or changes to existing assessments will cause the assessment to update to the current/latest version of the CSF.
Rationale
HITRUST recognizes any increase in requirements, even one as small as 10% in the HITRUST CSF v8 release, may not have been considered when preparing for a CSF validated assessment. This grace period allows organizations that purchased assessments based on the CSF v7 controls or that may have already begun their assessments with CSF v7 to complete them.
Timetable for Implementation
Effective Date: July 1, 2016
Enforcement Date: December 31, 2016

HAA 2016-009: Intent Of Readiness Assessments

Impacted Policy/Program Name
CSF Assurance Program
Date
August 3, 2016
Advisory Type
Clarification

Policy/Program Change Details
HITRUST continues to recommend that “readiness assessments” be conducted for an organization’s entire HITRUST CSF-based information protection program, i.e., against all 135 security controls as scoped to their environment rather than only those controls required for CSF certification.
Rationale
This will help ensure both the approved HITRUST Authorized External Assessor and the assessed organization are always aware of the status of the information protection program and can readily support a CSF controls assessment, regardless of type (e.g., a security assessment used for certification or a comprehensive security assessment used to generate a regulatory scorecard).
Timetable for Implementation
Immediate: This bulletin is to clarify existing policy.

HAA 2016-010: Testing Protocols For Control Inheritance

Impacted Policy/Program Name
CSF Assurance Program Requirements
Date
August 3, 2016
Advisory Type
Guidance

Policy/Program Change Details
This advisory clarifies the treatment of controls required for certification in situations when certain controls are outsourced to a third party and they are inherited by the assessed entity.
Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, either supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.
All controls must be tested by an approved External Assessor, or the External Assessor must determine the controls have been satisfactorily tested by another independent party consistent with HITRUST CSF Assurance Program requirements. Where the testing involves inheriting the control from another HITRUST CSF Validated Assessment, the assessor should obtain the current status of the relied upon HITRUST CSF Validated Assessment to ensure it is still valid and in good standing. If that is the case, no further testing of the control should be required.
Rationale
HITRUST has seen a growing trend in the outsourcing of certain HITRUST CSF controls. Often this involves a hosting or third-party service provider arrangement. In order to keep the assessment process as efficient as possible, HITRUST has introduced the concept of inheriting validated controls from a hosting or service provider. This should streamline the validation that takes place for an organization that uses a participating hosting provider by only testing the controls the assessed entity is responsible for and not having to re-test controls that were previously validated by the host provider. The inheritance feature should also transfer the scores for these controls which will eliminate the manual transfer of scores and provide greater consistency of results. HITRUST is releasing this advisory to clarify the HITRUST CSF Assurance Program requirements related to the inheritance of controls.
Timetable for Implementation
Effective Date: Immediate

HAA 2016-011: HITRUST Implements External Assessor Timesheet Functionality

Impacted Policy/Program Name
CSF Assurance Program Requirements
Date
August 3, 2016
Advisory Type
Guidance

Policy/Program Change Details

HAA 2016-012: HITRUST Authorized External Assessor Access To MyCSF

Impacted Policy/Program Name
External Assessor Access to MyCSF
Date
December 15, 2016
Advisory Type
Policy Change

Policy/Program Change Details
This bulletin is to communicate some changes in policy regarding the access levels and functional capability of External Assessors within the MyCSF tool.
The first policy change deals with the test (scoping) objects available to External Assessors. External Assessor test objects will be moved to and created in the MyCSF Demo environment. The number of assessment objects in the Demo environment will be determined by the participation tier of the Assessor firm with large assessors receiving 50, medium assessors 25 and small assessors 10 test objects. These objects will expire after nine months and will no longer be exportable.
A related policy change removes the capability of External Assessors to export content from the Production MyCSF environment (the test objects that might previously have been used to do this are now in the Demo environment), unless they are working with a client that has purchased that capability. External Assessors requiring an electronic copy of an assessment to evidence the work that was performed may request that an electronic PDF copy be published to the MyCSF portal for archival purposes. Requests for archive copies of assessments can be made to support@hitrustalliance.net.
The last policy change addresses those engagements where External Assessors are assisting a client with a Readiness Assessment. Assessors can now be assigned to the Self-Assessment objects of their clients without the need for a client email address and additional MyCSF user ID.
Rationale
HITRUST has had numerous requests from External Assessors regarding increasing the number of test objects and having the ability to preview forthcoming releases of the HITRUST CSF. Implementation of this policy will afford Assessors the preview capability they desire and increase the number of assessment objects, while better enforcing the intended use of MyCSF test objects. Test objects in MyCSF assigned to External Assessors are limited to internal use only and are provided to allow for scoping and pricing of potential assessment engagements.
These changes will also allow External Assessor firms to better assist their clients with readiness assessments without having to create multiple IDs in MyCSF.
Timetable for Implementation
March 1, 2017
View the Frequently Asked Questions for this advisory.
