Assurance Advisories

HITRUST Assurance Advisories are communications that notify HITRUST CSF Assurance Program stakeholders of enhancements and changes to, and provide additional guidance regarding, the HITRUST CSF Assurance Program Requirements and supporting methodologies and tools. Every Assurance Advisory contains important information regarding adoption requirements, scope, and timing that can impact HITRUST CSF Assurance Program stakeholders.

All HITRUST CSF Assurance Program stakeholders should review each Assurance Advisory to understand the potential impact on them.


Summary of HITRUST Assurance Advisories 2021

HAA 2021-004: MyCSF Enhancements for v9.x and later CSF versions

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
June 7, 2021

Advisory Type
Assurance Change

Overview

HITRUST continually evaluates necessary changes in MyCSF based on community feedback and internal review. Through this review, HITRUST has identified enhancements to improve the overall assessment process. HITRUST is making the corresponding enhancements to the MyCSF platform which will apply to assessments utilizing HITRUST CSF versions 9.x and later.

Measured and Managed Maturity Level Options

Description

Within HITRUST CSF Validated assessments, scoring of the Measured and Managed maturity levels is not required. If included in the assessment, scoring of the Measured and Managed levels also subjects the assessment to additional QA checks resulting in additional processing time. As a result, HITRUST will update MyCSF to provide Assessed Entities with the ability to optionally remove these levels from their assessments if they do not plan on scoring them. The optional removal of these maturity levels from the assessment should help prevent accidental scoring and streamline data entry into MyCSF.

Implementation

Effective immediately, any newly created HITRUST CSF Validated assessment will require the Assessed Entity to select whether Measured and Managed maturity levels will be evaluated when configuring the assessment. The configuration option will appear within the “Assessment Options” menu and will ask “Will you be scoring Measured and Managed?”.

If “Yes” is selected then the Measured and Managed maturity levels will be included within each requirement statement for scoring.

If “No” is selected the Measured and Managed maturity levels will not be available for scoring. When downloading an offline assessment, the Measured and Managed maturity levels will remain in the downloaded Excel file. However, upon uploading the offline assessment, no Measured or Managed scores will be reflected in MyCSF if the option to score these levels was not selected in the “Assessment Options” menu.

Measured Level Independent and Operational Selections

Description

When evidence is attached to a requirement statement supporting a score in the Measured maturity level, the Subscriber must select whether the evidence is related to an “Operational” or “Independent” measure. To simplify the evidence attachment process, this selection will no longer be needed within MyCSF. The Subscriber will only need to select that the evidence applies to the Measured maturity level. It is still expected that the External Assessor will document within the testing results whether the measure was scored as “Operational” or “Independent”.

Implementation

Effective June 24, 2021, any newly created HITRUST CSF assessment will no longer display an option to select whether the evaluated measurement is “Independent” or “Operational”.

For offline assessments, the column in the “Requirement-Document Mapping” tab labeled “Measured: Operational or Independent?” will be renamed to “Maturity Measured Related?” with the only valid responses as “True” or “False”.

For existing assessments that have not yet been submitted to HITRUST for processing, this change can be enabled upon request. To do so, please email Support requesting the disablement of the Operational and Independent checkboxes for the Measured maturity level and include the following information:

  • Organization Name as it appears in MyCSF
  • Assessment Name as it appears in MyCSF

Scoping Factor Edit Checks

Description

HITRUST CSF assessments will include additional edit checks on the CSF version 9.x scoping factors listed below to avoid inconsistent responses.

  • Is the system(s) accessible from the Internet?
  • Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?
  • Is any aspect of the scoped environment hosted on the cloud?

Previously, inconsistent answers to these factors had to be corrected during HITRUST’s QA, which added processing time to certain assessments. This change is being made to prevent inconsistent responses to these factors from being entered in the first place.

Implementation

HITRUST CSF assessments created on or after June 24, 2021 will include additional edit checks to avoid inconsistent responses. The rules will be applied to the following scoping factor questions:

  1. Is the system(s) accessible from the Internet?
     Response rule: If “Yes”, then #2 will automatically be answered as “Yes”.
  2. Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?
     Response rule: If “Yes”, then #1 will automatically be answered as “Yes”.
  3. Is any aspect of the scoped environment hosted on the cloud?
     Response rule: If “Yes”, then #1 and #2 will automatically be answered as “Yes”.


When the system enforces the rule, the correct answer will be automatically populated and a message in MyCSF will inform the user that this rule was applied.

For any existing assessments where the three identified scoping factors were previously answered the new rules will not be applied; unless one or more of the three identified scoping factor responses were updated at which point the new rules would be applied.

Additional Resources

Click here for a list of anticipated questions and answers.

HAA 2021-003: CAP Identification Changes

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
June 7, 2021

Advisory Type
Assurance Change

Overview

HITRUST assessments for CSF versions 9.x and later will no longer create CAPs for gaps that only exist at the Policy and/or Procedure maturity levels. This change is being made to continue HITRUST’s emphasis towards the Implemented maturity level, as described in HITRUST Assurance Advisory 2021-002, without compromising the integrity or Rely-Ability of the HITRUST CSF Certification.

Implementation and Timeline

HITRUST will not create a required CAP for a gap identified at the Policy and/or Procedure maturity level if there is not also a gap at the Implemented maturity level. This change will be applied starting June 24, 2021, as follows:

HITRUST CSF Validated Assessments

For any existing HITRUST CSF Validated Assessment, Table 1 summarizes how the change will be applied by HITRUST MyCSF state. For any HITRUST CSF Validated Assessments participating in the Assurance Enhancements Beta Program, you will receive an alternate communication to describe how the change will be applied to your participating assessments.

Table 1

MyCSF State: Not Started; Answering Assessment; Assessment Submitted to HITRUST; Undergoing QA; Awaiting External Assessor Response to QA; External Assessor Response Received; Undergoing Compliance Review; Compliance Review Complete
Application of the Change and Notification:
  • MyCSF will automatically apply the change to the assessment. When the draft reports are posted, CAPs will be generated such that a required CAP will not be created if gaps only exist at the Policy and/or Procedure maturity levels.

MyCSF State: Draft Report Posted – Awaiting CAP Responses; Draft Report Posted – CAPs Complete
Application of the Change and Notification:
  • The assigned QA Analyst will manually apply the change to the assessment.
  • A notification of any CAPs that were moved to gaps will be sent to the Assessed Entity, External Assessor, and assigned QA Analyst.
  • The assessment will be returned to the Compliance Review Complete state and the assigned QA Analyst will post a revised draft report to MyCSF.

MyCSF State: Final Report Posted
Application of the Change and Notification:
  • No changes will be applied to MyCSF by default. Please see the Reissuing Reports section of this Advisory for more information.


HITRUST CSF Readiness Reports

All HITRUST CSF Readiness Assessments created on or after June 24, 2021 will automatically be configured to not create a required CAP if gaps only exist at the Policy and/or Procedure maturity levels.

For any existing HITRUST CSF Readiness Assessment, Table 2 summarizes how the change will be applied by MyCSF state.

Table 2

MyCSF State: Not Started; Answering Assessment; Assessment Submitted to HITRUST
Application of the Change and Notification:
  • MyCSF will automatically apply the change to the assessment.

MyCSF State: Draft Report Posted
Application of the Change and Notification:
  • MyCSF will automatically apply the change to the assessment.
  • The assessment will be returned to the Assessment Submitted to HITRUST state and the assigned HITRUST Analyst will post a revised Draft Report to MyCSF.

MyCSF State: Final Report Posted
Application of the Change and Notification:
  • No changes will be applied to MyCSF by default. Please see the Reissuing Reports section of this Advisory for more information.


Reissuing Reports

Assessed Entities who are interested in optionally having a Final Report reissued to reflect this change must meet both of the following criteria in order to qualify:

  • Have a recently issued Final Report (that used the prior CAP logic), which is defined as follows:
    • For HITRUST CSF Validated Assessment reports: An active certification in the ‘Final Report Posted’ state within MyCSF
    • For HITRUST CSF Readiness reports: A report dated no earlier than June 24, 2020
  • Currently be an active MyCSF subscriber with access to the completed assessment (assessment cannot be archived).

Assessed Entities who purchased only the HITRUST CSF Readiness or Validated Assessment report without subscribing to MyCSF are ineligible to have their report reissued.

Qualified and interested Assessed Entities should contact their Customer Success Manager to obtain pricing information and initiate the reissuance process.

For Assessed Entities who do have their final report reissued, the following actions will be taken:

    • Upon initiation of the reissuance process:
      • For HITRUST CSF Validated Assessments, the existing certified assessment within MyCSF will be decertified and the existing HITRUST CSF Validated Assessment report will be considered invalid.
      • For HITRUST CSF Readiness Assessments, no action will be taken.
    • For both HITRUST CSF Validated and Readiness Assessments, a clone of the original assessment will automatically be made and put into a state of ‘Draft Report Posted – CAPs Complete’ for HITRUST CSF Validated Assessments or a state of ‘Assessment Submitted to HITRUST’ for HITRUST CSF Readiness Assessments. Upon creation of the clone, the original assessment will be automatically archived.
    • A QA analyst will post the revised final report to MyCSF to the cloned assessment.
    • For HITRUST CSF Validated Assessments:
      • The cloned assessment will be marked as certified using the date from the original assessment, so this change does not alter or extend the date of certification.
      • If applicable, the previously completed Interim Assessment will be linked to the cloned assessment.


Impact on Interim Assessments for Reissued HITRUST CSF Validated Assessments

For Assessed Entities who choose to have a HITRUST CSF Validated Assessment report reissued, the reissuance may affect their Interim Assessment. To understand the potential impact, Assessed Entities and their External Assessors should review the following scenarios.

Scenario 1 – The Interim Assessment has not been generated by MyCSF
The Interim Assessment will be automatically generated based upon the new cloned Validated Assessment.

Scenario 2 – The Interim Assessment has been generated by MyCSF but has not been submitted to HITRUST
Upon initiation of the reissuance process, the existing Interim Assessment will be refreshed to remove any requirements that were CAPs but have been moved to gaps as a result of the change to the CSF Validated Assessment, while maintaining at least one requirement per domain within the Interim Assessment.

Scenario 3 – The Interim Assessment has been submitted to HITRUST, but the Interim Letter has not been posted
No changes will be applied to the Interim Assessment. HITRUST will link the existing Interim Assessment to the cloned Validated Assessment.

Scenario 4 – The Interim Assessment has already been completed
No changes will be applied to the Interim Assessment. HITRUST will link the existing Interim Assessment to the cloned Validated Assessment.

Additional Resources

Click here for a list of anticipated questions and answers.

HAA 2021-002: HITRUST CSF Validated Assessment Enhancements

Impacted Policy/Program Name

CSF Assurance Program

Date

June 7, 2021

Advisory Type

Assurance Quality

Overview

HITRUST recognizes that implementation of a control is a key element that contributes to a mature and robust control environment. As such, HITRUST will be updating the scoring rubric to further emphasize the Implemented maturity level. In anticipation of the update to the scoring rubric and prior to the release of version 10 of the HITRUST CSF, enhancements are being implemented for current version 9 (v9.x) assessments which are intended to both streamline the assessment process and increase attention on the Implemented maturity level.

Policy and Procedure Incubation Period

Description

The minimum number of days that a remediated or newly implemented policy or procedure must be in place is reduced from 90 days to 60 days. This does not impact the minimum number of days that a control must be in operation when scoring the Implemented, Measured, or Managed maturity levels, which will remain at 90 days.

Implementation

The change in the incubation period for the Policy and Procedure maturity levels is effective immediately. Implementation of the revision will be as follows:

  • For assessments that have not yet been submitted to HITRUST, Policies and Procedures that have been in place for a minimum of 60 days can be scored as Fully Compliant, assuming they meet all other aspects of strength and coverage as dictated by the scoring rubric and other HITRUST requirements.
  • For assessments that have been submitted to HITRUST for the performance of Quality Assurance (QA) procedures but do not yet have a Draft Report, the assigned analyst will evaluate the Policy and Procedure maturity levels for any selected requirements against the revised 60-day requirement. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements not selected for QA procedures based upon the revised incubation period.
  • For assessments that have a Draft Report posted but have not yet been finalized or have a Final Report posted, no changes will be made based upon the revised incubation period.

Policy and Procedure Level Scoring

Description

In anticipation of a new scoring rubric that includes enhancements to simplify the scoring of the policy and procedure maturity levels, HITRUST is modifying scoring requirements for the Policy and Procedure maturity levels in the current rubric. Through simplifying the assessment process for Policy and Procedure maturity levels, HITRUST intends to increase the focus on the Implemented maturity level.

Implementation

Effective immediately, enforcement of the following requirements is being modified:

Maturity Level: Policy

Current Strength Criteria:
  i. Demonstrably approved by management,
  ii. Demonstrably communicated to stakeholders in the organization and members of the workforce, and
  iii. Clearly communicates management’s expectations of the control(s) operation (e.g., using “shall”, “will”, or “must” statements).

Revised Strength Criteria:
A documented policy must specify the mandatory nature of the control requirement in a written format, which could reside in a document identified as a policy, standard, directive, handbook, etc.

Scoring Considerations:
  • A policy at the Assessed Entity that meets the Revised Strength Criteria for Policy will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
  • A policy at the Assessed Entity that does not meet the Revised Strength Criteria for Policy will be at either Tier 1 or Tier 0 strength in the scoring rubric, based on whether the current criteria for an undocumented policy have been met. Coverage would still need to be evaluated to determine the final score, and the scoring considerations for these criteria remain unchanged.

Maturity Level: Procedure

Current Strength Criteria:
  i. Demonstrably approved by management,
  ii. Demonstrably communicated to stakeholders,
  iii. Outlines stakeholder responsibilities, and
  iv. Discusses operational aspects such as how, when, who, and on what the action/control/requirement is to be performed.

Revised Strength Criteria:
A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.

Scoring Considerations:
  • A procedure at the Assessed Entity that meets the Revised Strength Criteria for Procedure will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
  • A procedure at the Assessed Entity that does not meet the Revised Strength Criteria for Procedure will be at either Tier 1 or Tier 0 strength in the scoring rubric, based on whether the current criteria for an undocumented procedure have been met. Coverage would still need to be evaluated to determine the final score, and the scoring considerations for these criteria remain unchanged.


To further clarify this change, please see the examples outlined here.

For validated assessments that are currently undergoing QA procedures, the analyst will utilize the Revised Strength Criteria when evaluating the Policy and Procedure maturity levels for the sampled requirement statements. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements which were not selected for QA procedures.

HITRUST CSF Certification Letter Issuance

Description

HITRUST issues a CSF Certification Letter for validated assessments which meet the certification threshold. The certification letter currently includes the Assessed Entity’s organization overview and scope information. An additional stand-alone certification letter will now be released that does not include the Assessed Entity’s assessment scope information. This letter is being issued to allow Assessed Entities the flexibility to provide the correct level of detail they wish to share regarding their environment.

Implementation

Effective immediately, HITRUST will begin issuing two versions of the certification letter for validated assessments that meet the certification threshold. Below is a breakdown of the information presented in each letter:

CSF Certification Letter with Scope:
  • Signed Certification Letter from HITRUST
  • Assessment Context
  • Scope of Systems in the Assessment

Stand-alone Certification Letter:
  • Signed Certification Letter from HITRUST*

*The stand-alone certification letter also references that a copy of the certification letter with scope information is available.

Additional Resources

Click here for a list of anticipated questions and answers.

HAA 2021-001: Reservation System for Scheduling HITRUST Quality Assurance for HITRUST CSF Validated Assessments

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
April 15, 2021

Advisory Type
Assurance Change

Policy/Program Change Details

Summary

On July 1, 2021, HITRUST will enable a Reservation System within the HITRUST MyCSF platform, requiring Assessed Entities to schedule the start of quality assurance (QA) procedures for HITRUST CSF Validated Assessments. The Reservation System is designed to:

  • Eliminate the uncertainty around when HITRUST’s QA procedures will begin,
  • Allow Assessed Entities and their HITRUST Authorized External Assessor Organizations to schedule resources to respond to HITRUST’s QA feedback, and
  • Provide the opportunity for QA to occur closer to the submission date.

Key Considerations

Making a Reservation

  • All Assessed Entities will be required to make a reservation prior to submission of their HITRUST CSF Validated Assessment. The reservation can be made any time prior to submission; however, HITRUST encourages Assessed Entities to make their reservations as early as possible. The Reservation System will allow reservations up to one year in advance.
  • A Validated Assessment Report Credit is required to make a reservation. If you do not have a Validated Assessment Report Credit, you will receive a prompt to contact your Customer Success Manager in order to purchase a Validated Assessment Report Credit.
  • The submission date of the assessment to HITRUST must be entered into MyCSF as part of the reservation process. Assessed Entities should work carefully with their HITRUST Authorized External Assessor Organizations to plan their submission date as this is the deadline to submit the assessment to HITRUST. Failure to submit the assessment by the submission date will result in cancellation of the reservation, and a new reservation will need to be made.
  • Reservation slots occur within QA Blocks. QA Blocks are one-week periods where HITRUST will begin QA procedures. Each QA Block contains a set number of reservations that are possible, with MyCSF displaying the QA Blocks that are available to reserve.
  • By the end of the QA Block, HITRUST will have begun QA procedures on the assessment. For assessments in the normal QA workflow, organizations should typically expect to hear from HITRUST within seven to ten business days after the end of the QA Block. Not hearing from HITRUST during the week of your scheduled QA Block does not indicate that QA has not started.
  • Prior to booking a reservation, Assessed Entities will need to acknowledge the Cancellation Policy. The Cancellation Policy outlines the date by which the Assessed Entity can make a modification or cancel the reservation without incurring a fee.

Expedited Reservations

HITRUST also offers expedited reservations. Expedited reservations offer access to QA Blocks that may otherwise be at capacity and also include priority processing of the assessment. Available expedited reservations will be shown within certain QA Blocks. To purchase an expedited reservation, the Assessed Entity will need to contact their Customer Success Manager.

Starting your Reservation

After submitting a Validated Assessment to HITRUST, the Assessed Entity will typically receive confirmation that the assessment was accepted by HITRUST. If the assessment was returned by HITRUST, the Assessed Entity and HITRUST Authorized External Assessor Organization should work together to remediate the assessment and resubmit. If the assessment is not resubmitted and accepted by HITRUST prior to the start of the QA Block, the reservation will be canceled. To help ensure acceptance of an assessment prior to the start of the QA Block, HITRUST reminds Assessed Entities and External Assessors that they can submit in advance of the ‘Submission Date’ defined in their reservation.

Implementation and Timeline

For any Validated Assessments submitted to HITRUST for processing on or before June 30, 2021, HITRUST will continue to process assessments on a first-come, first-served basis with a priority for Assessed Entities that purchased expedited processing.

On July 1, 2021, the reservation system will be enabled for all HITRUST CSF Validated Assessments that have not previously been submitted to HITRUST. A reservation will be required to be made prior to submission to HITRUST.

Additional Information

A walk-through of the process within MyCSF can be found here, along with anticipated questions and responses.

Summary of HITRUST Assurance Advisories 2020

HAA 2020-005: Enhancing Assurance Advisories

Impacted Policy/Program Name
HITRUST CSF Assurance Program

Date
July 14, 2020

Advisory Type
Assurance Program Communications

Policy/Program Change Details

HITRUST “CSF Implementation & Assurance Implementation Bulletins” will now be referred to simply as “Assurance Advisories” and will be classified into two distinct categories: “Assurance Change Advisories” and “Assurance Quality Advisories.”

“Assurance Change Advisories” will be used to communicate:

  • Enhancements to the MyCSF platform which significantly impact the Assurance program.
  • Significant modifications to the assessment methodology and assurance program requirements, such as modified assessment documentation requirements.
  • Introduction of a new component of the assessment methodology or a program requirement.

“Assurance Quality Advisories” will be used for:

  • Clarifying existing assessment methodology components, assurance program requirements, and expectations of assessors and assessed entities based on HITRUST’s experience in performing quality assurance reviews of assessment submissions.
  • Highlighting new, emerging, or otherwise noteworthy circumstances that may affect how assessments are conducted under the existing assessment methodology and assurance program requirements.

All advisories will continue to provide a timeline for implementation by both assessed entities and External Assessors.

Rationale

Categorizing advisories by type will provide additional clarity around changes to the Assurance program which impact assessed entities and External Assessors. Furthermore, the creation of “Assurance Quality Advisories” provides a new vehicle to share guidance and clarification regarding existing assessment methodologies and program requirements to the HITRUST community.

Timetable for implementation

Effective for all subsequent Advisories.

HAA 2020-004: HITRUST CSF Bridge Assessments

Impacted Policy/Program Name

HITRUST CSF Assurance Program

Date

April 15, 2020

Summary

HITRUST recognizes the challenges that assessed entities may be facing in completing their HITRUST CSF Validated Assessments and the subsequent possible impact of not maintaining HITRUST CSF Certification. The HITRUST CSF® Assurance Program, upon which certification is based, incorporates a number of mechanisms to ensure the assurances provided by a HITRUST CSF Validated Report are ‘rely-able’ when the report is issued, and remain ‘rely-able’ up until the time a report expires. Therefore, given the extent of degradation in the level of assurance over time, HITRUST is unable to extend the validity of a HITRUST CSF Certification past its two-year anniversary date.

HITRUST also recognizes that any solution addressing these challenges must maintain the integrity of the HITRUST CSF Assurance Program, introduce minimal additional costs and duplication of effort, and provide a reasonable level of assurance for anyone seeking to rely upon it.

The HITRUST CSF Bridge Assessment provides an interim solution to assist organizations in addressing these challenges, allowing assessed entities to demonstrate a continued level of control effectiveness and assert continued progress towards the next HITRUST CSF Validated Assessment.

Limitations of Forward-Looking Certifications

HITRUST’s forward-looking HITRUST CSF Certification provides value by providing appropriate assurance that an assessed entity’s scoped control environment will operate as intended over a specific period of time. As control environments and threats inevitably change over time, the assurances gained by an assessment will also lessen over time. This degradation of assurance is anticipated and factored into the HITRUST CSF Assurance Program’s assessment and quality assurance methodologies and underlying risk analysis model. The interim assessment, performed at the one-year anniversary of HITRUST CSF Certification, is designed to help ensure the assurances provided by certification can be reasonably relied upon through its second year up until the point of expiration. A new HITRUST CSF Validated Assessment must then be performed in order to provide reasonable assurances for another two years.

As a result, HITRUST cannot reasonably extend HITRUST CSF Certification past its two-year anniversary date and still provide the ‘rely-ability’ fundamental to the HITRUST CSF Assurance Program. HITRUST CSF Certifications aren’t alone in this regard; few—if any—other forward-looking information assurance mechanisms can be extended for periods greater than two years while still offering the meaningful assurances that stakeholders now expect.

HITRUST CSF Bridge Assessment

HITRUST has subsequently developed an approach that may be useful to some stakeholders under extraordinary circumstances in which a HITRUST CSF Certification holder is unable to complete their next HITRUST CSF Validated Assessment prior to the expiration of their existing HITRUST CSF Certification. A HITRUST CSF Bridge Assessment allows HITRUST CSF Certification holders to demonstrate a continued level of control effectiveness while making progress towards their next HITRUST CSF Validated Assessment.

To mitigate the excessive degradation in assurance that occurs at the end of a HITRUST CSF Certification period, 19 requirement statements will be randomly selected by the HITRUST MyCSF® platform from the entity’s previous validated assessment to serve as a HITRUST CSF Bridge Assessment. A HITRUST Authorized External Assessor will then test these requirement statements to confirm their maturity did not degrade since the previous assessment. This testing will be reviewed in an expedited manner by HITRUST and—barring indications of control degradation, significant changes in the environment, or significant QA issues—HITRUST will issue a HITRUST CSF Bridge Certificate. Once awarded this certificate, the assessed entity will have 90 days from the expiration date of the previous HITRUST CSF Certification to submit a completed validated assessment to HITRUST.

Important considerations related to HITRUST CSF Bridge Assessments:

  • A HITRUST CSF Bridge Assessment object can be created in MyCSF at any time from 60 days prior to the existing HITRUST CSF Certification’s expiration through 30 days after the expiration date of the HITRUST CSF Certification.
  • A HITRUST CSF Bridge Assessment object can be submitted to HITRUST no more than 30 days before and up to 30 days after the expiration date of the HITRUST CSF Certification.
  • The testing performed in the HITRUST CSF Bridge Assessment does not need to be performed again in the delayed validated assessment. In other words, HITRUST will not require re-testing of these 19 requirement statements.
  • HITRUST CSF Bridge Assessment submissions from HIEs, HINs, and healthcare providers will be prioritized for QA until further notice.
  • HITRUST’s anticipated processing time for a HITRUST CSF Bridge Assessment submission is two to three weeks.

HITRUST CSF Bridge Certificate

A HITRUST CSF Bridge Certificate is a forward-looking, temporary certificate issued by HITRUST that is valid for 90 days from the expiration date of the organization’s previous HITRUST CSF Certification. A HITRUST CSF Bridge Certificate adds value in providing a minimal but reasonable level of assurance that the entity’s scoped control environment is unlikely to have degraded materially since the last validated assessment and by indicating that the entity has committed to obtaining a HITRUST CSF Validated Report in the next 90 days.

Other important considerations related to HITRUST CSF Bridge Certificates:

  • A HITRUST CSF Bridge Certificate is not a replacement for a HITRUST CSF Validated Report with Certification as it does not provide an equivalent level of assurance.
  • A HITRUST CSF Bridge Certificate is also not an extension to an existing HITRUST CSF Certification (which still expires on the two-year certification anniversary).
  • The 90 days covered by the HITRUST CSF Bridge Certificate are deducted from the new HITRUST CSF Certification’s two-year validity period.

Qualification Requirements

To qualify for a HITRUST CSF Bridge Assessment, assessed entities:

  • Must have an active HITRUST CSF Validated Report with Certification,
  • Are likely to miss their validated assessment submission due-date, and
  • Have not missed that due date by more than 30 days.

Not all entities holding an active HITRUST CSF Certification will need to perform a HITRUST CSF Bridge Assessment, as a HITRUST CSF Bridge Certificate is designed for missed due date scenarios due to an extant emergency or crisis, such as the current COVID-19 pandemic. For entities facing such a scenario, a HITRUST CSF Bridge Certificate may afford necessary additional time. However, entities should not assume that HITRUST CSF Bridge Certificates will be universally accepted by business partners and regulators demanding continuous HITRUST CSF Certification status. Entities should consult with their stakeholders and relying parties to determine if a HITRUST CSF Bridge Certificate will be accepted while they await receipt of a new HITRUST CSF Validated Report with Certification.

Timeline

HITRUST CSF Bridge Assessments will be available starting April 15, 2020. While HITRUST reserves the right to terminate this option without notice, we intend to make these assessments available through the calendar year 2020.

Organizations interested in undergoing a HITRUST CSF Bridge Assessment should contact their HITRUST Customer Success Manager and a HITRUST Authorized External Assessor.

More Information

Please see the HITRUST CSF Bridge Assessment Overview Deck for more information.

11/18/2020 Update: HITRUST has determined that the bridge assessment option will remain available until further notice. If this option is terminated, an advisory on the removal of this option will be communicated.

HAA 2020-003: Assessment Scoping Factor Enhancements Designed to Reduce the Effort Associated with and Increase the Accuracy of CSF Assessments

Impacted Policy/Program Name

CSF Assurance Program

Date

March 30, 2020

Advisory Type

MyCSF Functionality

Policy/Program Change Details

HITRUST is making the following changes to the assessment scoping factor questions in MyCSF for HITRUST CSF Validated Assessments and HITRUST CSF Readiness Assessments:

  • Adding more than ten additional technical scoping factor questions to better capture inherent risk factors present in the assessed environments and tailor the HITRUST CSF requirements included in assessments accordingly.
  • Re-wording the existing technical scoping factor “Is the system(s) accessible by a Third Party?” to further clarify the definition of a third party.
  • Removing the “Are Mobile devices used in the environment?” technical scoping factor.
  • Adding additional HITRUST CSF requirements to existing technical scoping factors.
  • Adding additional information around certain factors as part of the help page.

Additionally, MyCSF will now require an assessed entity to provide a documented rationale for each technical scoping factor answered “No.” This rationale should contain sufficient detail to allow the External Assessor and HITRUST QA to evaluate the “No” answer. These rationales will also appear in the HITRUST CSF Validated Assessment Report.

Rationale

The changes related to MyCSF’s assessment scoping factors will:

  • Reduce the number of requirement statements that appear in the assessment when a factor is marked as “No.”
  • Reduce the amount of repetitive “This is not applicable because…” responses that are currently documented during assessments and reflected in HITRUST CSF assessment reports. Assessed entities will instead be asked to explain the absence of inherent risk factors once rather than multiple times throughout the assessment, thus reducing the level of effort required to complete and review the assessment.
  • Add clarity around the terminology used in assessment scoping factors.

Timetable for implementation
Effective for all new objects created on or after June 1, 2020.

6/1/20 Update:

  • The changes described in this advisory are now live in MyCSF’s production environment. Twelve newly added technical scoping factor questions (e.g., “Are hardware tokens used as an authentication method within the scoped environment?”) have been introduced.
  • These newly added scoping factor questions only serve to remove / filter requirements from being included in an assessment and do not add any requirements to the assessment. When determining which requirements to include in an assessment object, MyCSF first uses all other scoping information to identify the necessary requirements and THEN removes any requirements associated with the twelve newly added scoping factor questions when these questions are answered as “No”.
  • All HITRUST CSF assessments benefit from these newly added questions. Instead of having to explain why similar requirements aren’t applicable to the assessment multiple times (at the requirement level), assessed entities now need to explain that the associated risk factor doesn’t apply once (at the scoping level). Because of this change, HITRUST anticipates the number of requirements marked as Not Applicable on assessments to drop considerably. As an added benefit, the speed by which HITRUST’s QA takes place will improve as a result of us needing to review fewer requirements marked as Not Applicable.
  • HITRUST has made these new scoping factor questions available on all assessment objects, including those created before 6/1/20, so that they may optionally benefit from the newly added scoping factor questions. The newly added questions default to a visible option of “Please choose an option”, which MyCSF treats as “Yes”. The net effect of defaulting to a “Yes” value is the same as not having the scoping factors present at all: because these questions are only reductive (never additive), no requirements are added to or removed from any previously created assessment object without action from the assessed entity.
  • Organizations with previously created assessment objects who wish to take advantage of these newly added scoping factors, and have not yet submitted their assessment to HITRUST, are encouraged to visit the “Admin & Scoping > Factors” page, answer the newly added scoping factor questions (providing the required “No” explanations where necessary), and then press the “Refresh Assessment” button. Requirements linked to any questions answered “No” will then be removed from the assessment object.
  • No action is required for Organizations with previously created assessment objects who do not wish to take advantage of these newly added scoping factor questions.

HAA 2020-002: Impact Of COVID-19 On Assessment Timelines

Date

March 16, 2020

Advisory

To help ensure the rely-ability of HITRUST CSF Validated Reports and Certifications, assessors and assessed entities must observe several requirements related to MyCSF access, training, assessments, reporting, and control implementation timing. These timing requirements are outlined in the HITRUST CSF Control Maturity Scoring Rubric, the HITRUST CSF Assurance Program Requirements, and the HITRUST CSF Assessment Methodology and include (but are not limited to):

  • External assessor’s validated assessment fieldwork window (maximum):
    • 90 calendar days prior to the date of submission of the validated assessment object to HITRUST.
  • Minimum number of days that a remediated or newly implemented control must operate prior to assessor testing:
    • 90 calendar days past the control’s implementation or remediation.
  • Maximum age of testing performed by an Internal Assessor being relied upon by an External Assessor:
    • 90 calendar days, as determined by comparing the External Assessor’s fieldwork start date to the Internal Assessor’s fieldwork start date.
  • Window during which HITRUST will accept grammatical changes to a draft report:
    • 30 calendar days from issuance of draft report.
  • Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF:
    • 30 calendar days from issuance of draft report.
  • Interim assessment object submission due date:
    • No later than the 1-year anniversary of the HITRUST CSF Certification (based on the HITRUST CSF Validated Report’s date).
  • Validated assessment object submission due date for re-certification efforts:
    • No later than the 2-year anniversary of the HITRUST CSF Certification (based on the organization’s previous HITRUST CSF Validated Report date).
  • Duration of MyCSF access for report-only customers:
    • 90 calendar days for validated assessments and 60 calendar days for interim assessments.
  • Validity window for the CCSFP certification:
    • Three years, subject to remaining current with required training. Practitioners are required to complete an online, annual refresher course each of the two years following classroom component completion and attend the full class again the third year to maintain the CCSFP certification. The training is due no later than the end of the month that corresponds with the certification’s original anniversary date.
  • Validity window for the CHQP certification:
    • Two years, and the full CHQP course and accompanying certification exam must be retaken no later than the end of the month that corresponds with the certification’s original anniversary date.

HITRUST acknowledges that the ability to consistently adhere to these timing-related requirements may be affected by the ongoing spread of COVID-19. While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is not at this time issuing a blanket waiver for any timing requirements as doing so goes against the overall integrity of the CSF Assurance Program and the rely-ability of assessment reports.

However, HITRUST may issue discretionary, limited modifications or exceptions to these timing requirements to organizations that request them. Such requests should be sent in writing to HITRUST’s Compliance team at compliance@hitrustalliance.net. All timing extension and modification requests will be evaluated by HITRUST. Assessed entities and their assessors should not assume that all requests will be approved. For those organizations that may be delayed in obtaining a HITRUST CSF Certification or in completing a HITRUST CSF assessment, we encourage you to keep all stakeholders apprised of the status of your HITRUST efforts.

HAA 2020-001: Waiver Of On-Site Requirement For Validated Assessments

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

March 5, 2020

Advisory Type

Assurance Program Methodology

In light of the recent spread of COVID-19, HITRUST encourages assessors to exercise judgement when planning assessment-related travel. Given that HITRUST assessments take place across the US as well as internationally, we acknowledge that some HITRUST assessments will be affected more than others. Assessors should work closely with their clients to adjust travel plans as deemed necessary. To provide assessors added travel flexibility, HITRUST is waiving the requirement that in-person / on-site validation procedures be performed at the assessed entity’s facilities. This temporary waiver is effective immediately.

In situations where assessors choose to leverage alternative approaches such as video conferencing to perform necessary walkthroughs and observations, assessment documentation must clearly reflect the nature, timing, and extent of the alternative approaches used.

We will continue to work closely with assessors to monitor the effectiveness of alternative walkthrough and observation approaches and the ongoing necessity of this waiver. An additional advisory will be posted at a later date to reinstate the on-site fieldwork requirement.

Summary of HITRUST Assurance Advisories 2019 (click to expand)

HAA 2019-011: Relying On The Work Of Internal Assessors

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 11, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST will soon release updates to the CSF Assurance Program which allows “External Assessors” (previously referred to as “HITRUST Authorized External Assessors”) to place reliance on the work of “Internal Assessors”. This updated guidance will be posted no later than October 17, 2019 as updates to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology documents.

The new role of “Internal Assessor” aids in the CSF Assessment process by performing in-house testing in advance of an External Assessors’ validated assessment fieldwork. Internal Assessors are in-house, contracted, or outsourced CCSFPs who are typically positioned within or engaged by an assessed entity’s Internal Audit Department but could be positioned within or engaged by any department meeting specific objectivity requirements, resource qualification requirements, and approval by HITRUST (through a defined application process).

Rationale

This methodology update creates opportunities for greater assessment efficiency and customer cost savings. This change is expected to bring several benefits to External Assessors and assessed entities. For example:

  • Assessed entities already performing robust pre-assessment testing in advance of their HITRUST CSF Validated Assessment can expect lower overall HITRUST CSF Assessment costs, as duplicate testing performed by their External Assessors can be reduced.
  • Internal personnel with deep knowledge of the organization’s internal controls (in groups such as Internal Audit, Risk Management, and Compliance) can now have a defined role in the overall HITRUST CSF Assessment process.
  • Assessed entities and their External Assessors now have more flexibility in fitting the HITRUST CSF assessment procedures into the assessed entity’s broader compliance activities.

Timetable for Implementation

Effective upon recognition as Internal Assessor assigned to an organization.

HAA 2019-010: Updated Documentation Requirements For Relying On Third-Party Reports

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 11, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST will soon release updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. This updated guidance will be posted no later than October 17, 2019 as updates to the HITRUST CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology documents.

HITRUST has historically afforded the following two approaches for “External Assessors” (previously referred to as “HITRUST Authorized External Assessors”) to rely on the results of previously performed control testing:

  1. Inheritance of the results of other HITRUST CSF Assessments, and
  2. Reliance on audit reports and certifications issued by third-party auditors (such as SOC 2 Type II reports) that meet the requirements as established by the CSF Assurance program.

These updates clarify these two options by specifying associated timing, scope, and documentation requirements. External Assessors are encouraged to take particular note of the following new requirements that must be observed when placing reliance on a third-party audit report:

  • Both the External Assessor and HITRUST Services Corp. must be authorized recipients of the third-party audit report. Reliance cannot be placed on a third-party audit report that either HITRUST or the External Assessor is not authorized to receive.
  • When designing a reliance strategy, the External Assessor must map the applicable / scoped HITRUST CSF requirement statements to the controls / requirements tested in the third-party audit. In the absence of this mapping, the External Assessor cannot form a meaningful reliance strategy and lacks an adequate, demonstrable basis for reliance on the third-party audit report. To support HITRUST’s QA efforts, this mapping as well as the third-party audit report must be made available to HITRUST.

Rationale

These methodology updates are expected to:

  • Help highlight any over-reliance or unwarranted reliance on the work of other auditors and External Assessors.
  • Provide needed clarity and transparency around HITRUST’s expectations around timing, scope, and documentation when reliance is placed on the work of others.

Timetable for Implementation

Observance of these new reliance documentation requirements will be mandatory for assessment objects submitted and accepted on or after December 31, 2019.

The term “Accepted” means that HITRUST has confirmed to the assessor that all required documents were included in the submission. If documents are missing, the submission is reverted back to the assessor for correction. Upon acceptance of a submission, the assessment object is added to the Assurance team’s queue to await full QA procedures. Average acceptance time of the submission process is one to three business days.

HAA 2019-009: Updated Scoring Rubric

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

HITRUST’s scoring rubric, which assists organizations and their assessors in assessment scoring level determinations, has been overhauled. Key changes include:

  • Definitions for assessment terminology, assessment examples and guidance on important concepts have been added.
  • Scoring lookup tables have been created for each of the five levels of HITRUST’s PRISMA maturity model (Policy, Procedure, Implemented, Measured, and Managed).
  • Replacement of qualitative terms such as none, some, and all with quantitative ranges.
  • Removal of ambiguous terms such as “management action” and “ad hoc”.

Rationale

The rubric has been enhanced to bring improved usability, added clarity, and better harmonization with the assessment guidance provided in HITRUST’s Risk Analysis Guide.

Timetable for Implementation

The updated scoring rubric will be made available for download at https://hitrust.wdgital.com/csf-assurance-related-programs/ on or before September 20, 2019.

Observance of the new rubric will be mandatory for assessment objects submitted and accepted on or after December 31, 2019. All validated assessments that are in progress and intend to observe the old scoring rubric must be accepted by HITRUST prior to December 31, 2019. Interim assessments performed after December 31, 2019 will observe the rubric in effect at time of performance of the validated assessment.

The term “Accepted” means successful check-in of an object. Submission of a validated assessment within MyCSF is the first step towards acceptance. After submission, the Assurance team performs certain quality checks; should any of these checks fail, the submission is reverted to the Assessor for remediation. Average acceptance time of a submission to HITRUST is one to three business days.

Since only validated assessments accepted prior to December 31, 2019 will be QA’d by HITRUST in observance of the previous scoring rubric, it is strongly recommended that Assessors work with their customers to ensure submissions in MyCSF are made with enough time to allow for HITRUST acceptance.

HAA 2019-007: Updated PRISMA Attribute Weights

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Assurance Program Methodology

Policy/Program Change Details

The point values, or “weightings”, of the five levels of HITRUST’s PRISMA maturity model are changing. The below graphic shows that the Policy weight is being reduced to 15 points, the Procedure weight is being reduced to 20 points, the Implemented weight is being increased to 40 points, the Measured weight is being reduced to 10 points, and the Managed weight is being increased to 15 points.

Advisory-007.png

Rationale

These updated weights better reflect the value that each maturity level brings to an organization’s risk management stance. For example, the increased weighting of the Implemented level (which is now worth double any other single level) aligns to the priority that mature organizations place on the implementation and operation of controls relative to other maturity levels.
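As an added illustration (not part of the advisory or of MyCSF), the following Python computes a requirement-level score from the HAA 2019-007 weights and checks the advisory’s claim that Implemented is worth double any other single level. The weights are the advisory’s; everything else is an assumption for the example: that each maturity level is rated on a 0/25/50/75/100 percent compliance scale, and that a requirement’s score is the weight-sum of those ratings. The two control profiles are constructed sample input.

```python
"""Added example, not HITRUST's code: requirement-level scoring under the
HAA 2019-007 PRISMA weights.

Assumptions (not stated in the advisory): each maturity level is rated on a
compliance scale of 0, 25, 50, 75 or 100 percent, and the requirement score
is the weight-sum of those ratings. The weights themselves are the advisory's.
"""
from typing import Dict, Mapping

# Weights from HAA 2019-007 (points per maturity level); they total 100.
PRISMA_WEIGHTS: Dict[str, int] = {
    "Policy": 15,
    "Procedure": 20,
    "Implemented": 40,
    "Measured": 10,
    "Managed": 15,
}

# Assumed compliance scale used for illustration (percent).
COMPLIANCE_LEVELS = (0, 25, 50, 75, 100)

# Constructed sample profiles: one strong on paper, one strong in operation.
PAPER_HEAVY = {"Policy": 100, "Procedure": 100, "Implemented": 25,
               "Measured": 0, "Managed": 0}
OPERATIONS_HEAVY = {"Policy": 50, "Procedure": 50, "Implemented": 100,
                    "Measured": 0, "Managed": 0}


def weights_sum_to_100(weights: Mapping[str, int] = PRISMA_WEIGHTS) -> bool:
    """A scoring model whose weights do not total 100 cannot yield a 0-100 score."""
    return sum(weights.values()) == 100


def implemented_is_double_any_other(weights: Mapping[str, int] = PRISMA_WEIGHTS) -> bool:
    """Checks the advisory's statement that Implemented now outweighs any
    other single level by at least a factor of two."""
    others = [w for level, w in weights.items() if level != "Implemented"]
    return weights["Implemented"] >= 2 * max(others)


def requirement_score(ratings: Mapping[str, int],
                      weights: Mapping[str, int] = PRISMA_WEIGHTS) -> float:
    """Weighted score (0-100) of one requirement statement.

    `ratings` maps every maturity level to an assumed compliance percentage.
    Missing or unknown levels and values off the assumed scale are rejected,
    so a typo cannot silently inflate or deflate the score.
    """
    if set(ratings) != set(weights):
        raise ValueError(f"ratings must cover exactly {sorted(weights)}")
    for level, pct in ratings.items():
        if pct not in COMPLIANCE_LEVELS:
            raise ValueError(f"{level}: {pct} is not on the assumed scale")
    return sum(weights[level] * ratings[level] / 100 for level in weights)


def score_delta(ratings_a: Mapping[str, int], ratings_b: Mapping[str, int],
                weights: Mapping[str, int] = PRISMA_WEIGHTS) -> float:
    """How many points profile B scores over profile A under these weights."""
    return requirement_score(ratings_b, weights) - requirement_score(ratings_a, weights)


if __name__ == "__main__":
    print("weights sum to 100:", weights_sum_to_100())
    print("Implemented is double any other level:", implemented_is_double_any_other())
    print("paper-heavy profile:", requirement_score(PAPER_HEAVY))
    print("operations-heavy profile:", requirement_score(OPERATIONS_HEAVY))
```

Under these weights the operations-heavy profile scores 57.5 against 45.0 for the paper-heavy one, even though the latter has fully compliant Policy and Procedure levels: with Implemented at 40 points, a control that is documented but only partially operating cannot out-score one that is operating fully with weaker documentation.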

Timetable for Implementation

The updated weights will be effective on all validated and self-assessment objects created on or after December 31, 2019. Assessment objects created prior to December 31, 2019 will continue to observe the current PRISMA attribute weights. Interim assessments performed after December 31, 2019 will observe the PRISMA weights in effect at time of performance of the original validated assessment.

HAA 2019-006: Extension To The Qualification Requirement For Assessor Quality Assurance (QA) Personnel

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

March 29, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform External Assessor organizations about an extension to the qualification requirement for Assessor quality assurance (QA) personnel.

Assessor firm personnel who will perform the assessment QA review prior to submission to HITRUST will be required to complete an online course and pass a test to become a Certified HITRUST Quality Professional (CHQP). Only those individuals holding an active Certified CSF Practitioner (CCSFP) certification are eligible to become a CHQP. This course and test will be available online starting in May 2019.

Assessor firms have until July 31, 2019 to have a minimum of two (2) resources certified as CHQPs. All Validated Assessment submissions on or after August 1, 2019 will be required to have a QA review performed by a CHQP as evidenced by sign-offs on the Assessor Quality Checklist. Submissions after August 1, 2019 without proper CHQP involvement will be rejected by HITRUST.

This advisory only applies to the timeline for compliance with the Assessor firm QA reviewer qualification requirement. All other advisories will be enforced according to the dates listed in the advisories.

Rationale

This change is to ensure that Assessor firm personnel performing QA in support of HITRUST validated assessments understand the expectations of the role and can demonstrate this understanding by passing the exam. In addition, it ensures that all Engagement Executives have the required knowledge of the HITRUST CSF and HITRUST Assurance Program requirements.

The extension is being granted to allow Assessor firms enough time to get their resources trained after the course is made generally available by HITRUST.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

HAA 2019-005: Changes Related To Interim Reviews

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST CSF Certified Organizations and HITRUST Assessor Organizations about changes to the interim review.

The Interim Review has been replaced with an Interim Assessment. The Interim Assessment differs from what has been known as the Interim Review by requiring:

  • Full testing of selected control requirements (INCREASED TESTING REQUIREMENT);
  • Rescoring of the tested control requirements (NEW);
  • Full QA of testing by HITRUST (INCREASED LEVEL OF EFFORT); and
  • For assess-only reports, full verification that recreated assessment matches assessment used for issuing of the previous full report (NEW).

As a reminder and consistent with HITRUST Assurance Advisory 2017-01 issued in August of 2017, Interim Assessments will be performed with the HITRUST MyCSF. There will be an Interim Assessment processing fee of $2,900. The processing fee will be waived for organizations that have an active subscription to the HITRUST MyCSF.

Rationale

This change is to ensure the consistency and quality of work performed during an Interim Assessment and increase the rigor and oversight by HITRUST; resulting in an increase in assurance level provided by the Interim Assessment and support for maintaining the HITRUST CSF Certification for the additional year.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

HAA 2019-004: Changes To Further Ensure HITRUST Approved Assessor Quality And Consistency

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about changes to the qualification requirement for Engagement Executives and Assessor Quality Assurance (QA) personnel. It also reiterates the role of the Engagement Lead.

The first change is a requirement for both the Engagement Executive and the Assessor QA reviewer to be CCSFPs. Prior to this change, the Engagement Lead and either the Engagement Executive or the Quality Assurance Reviewer were required to be CCSFPs.

The second change focuses on the Assessor personnel who perform QA reviews prior to the submission of assessments to HITRUST. People in this role will be required to complete an online course and pass a test to become a Certified HITRUST Quality Professional (CHQP). This is in addition to the CCSFP requirement. Communication will go out once the online course and exam are available.

Attached to this advisory are additional details on the responsibilities of the Engagement Executive, QA Reviewer and Engagement Lead.

Rationale

This change is to ensure that Engagement Executives understand the HITRUST CSF Assurance Program and are able to perform an effective executive-level review. The requirement for Assessor QA reviewers to complete an online course is to ensure that reviewers understand the expectations of their role and can demonstrate their understanding by passing the exam.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Responsibilities of Engagement Executives, Quality Assurance Reviewers and Engagement Leads

HAA 2019-002: Change Regarding The Number Of Qualified HITRUST Certified CSF Practitioner (CCSFP) Hours For HITRUST CSF Validated Assessments

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Assessor Organizations about a change to the assurance process regarding the number of qualified (CCSFP) hours required for validated assessments.

HITRUST Certified CSF Practitioner (CCSFP) resources must comprise 50% of assessment hours. This requirement is inclusive of QA hours.

Rationale

This change is to ensure the competency and quality of resources performing validation work.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

HAA 2019-001: Providing Direction For HITRUST Approved Assessor Organizations

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the HITRUST CSF Assurance Program regarding the performance and documentation of the testing of control requirements for assessments.

HITRUST Authorized External Assessors are required to submit the following documentation with all validated assessments:

  • Test Plan that covers testing of all required controls. It must meet the minimum test plan requirements documented in the HITRUST CSF Assurance Program Requirements.
  • 100% of working papers. They must meet the minimum working paper requirements documented in the HITRUST CSF Assurance Program Requirements. We have attached a copy of the Assurance Program Documentation Requirements to this advisory.
  • HITRUST Authorized External Assessor Quality Checklist signed by the Engagement Executive and Assessor QA Resource. The Quality Checklist can be found in the HITRUST MyCSF and should always be downloaded from the HITRUST MyCSF to ensure use of the latest version. We have also attached a copy to this advisory.

Rationale

This change is to ensure the consistency and quality of assessment documentation, ensure compliance with the HITRUST Assurance Program requirements, and make the HITRUST QA process more efficient. The HITRUST Authorized External Assessor’s QA process should identify and address most issues prior to submission to HITRUST.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

HITRUST CSF Assurance Program Documentation Requirements

HITRUST Authorized External Assessor Quality Checklist

Summary of HITRUST Assurance Advisories 2018 (click to expand)

HAA 2018 Assurance Advisories

No assurance advisories were published in 2018.

Archives 2017/2016

For more information, contact: support@hitrustalliance.net.

HAA 2021-002: HITRUST CSF Validated Assessment Enhancements

Impacted Policy/Program Name

CSF Assurance Program

Date

June 7, 2021

Advisory Type

Assurance Quality

Overview

HITRUST recognizes that implementation of a control is a key element that contributes to a mature and robust control environment. As such, HITRUST will be updating the scoring rubric to further emphasize the Implemented maturity level. In anticipation of the update to the scoring rubric and prior to the release of version 10 of the HITRUST CSF, enhancements are being implemented for current version 9 (v9.x) assessments which are intended to both streamline the assessment process and increase attention on the Implemented maturity level.

Policy and Procedure Incubation Period

Description

The minimum number of days that a remediated or newly implemented policy or procedure must be in place is reduced from 90 days to 60 days. This does not impact the minimum number of days that a control must be in operation when scoring the Implemented, Measured, or Managed maturity levels, which will remain at 90 days.

Implementation

The change in the incubation period for the Policy and Procedure maturity levels is effective immediately. Implementation of the revision will be as follows:

  • For assessments that have not yet been submitted to HITRUST, Policies and Procedures that have been in place for a minimum of 60 days can be scored as Fully Compliant, assuming they meet all other aspects of strength and coverage as dictated by the scoring rubric and other HITRUST requirements.
  • For assessments that have been submitted to HITRUST for the performance of Quality Assurance (QA) procedures but do not yet have a Draft Report, the assigned analyst will evaluate the Policy and Procedure maturity levels for any selected requirements against the revised 60-day requirement. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements not selected for QA procedures based upon the revised incubation period.
  • For assessments that have a Draft Report posted but have not yet been finalized or have a Final Report posted, no changes will be made based upon the revised incubation period.

Policy and Procedure Level Scoring

Description

In anticipation of a new scoring rubric that includes enhancements to simplify the scoring of the policy and procedure maturity levels, HITRUST is modifying scoring requirements for the Policy and Procedure maturity levels in the current rubric. Through simplifying the assessment process for Policy and Procedure maturity levels, HITRUST intends to increase the focus on the Implemented maturity level.

Implementation

Effective immediately, enforcement of the following requirements are being modified:

Maturity Level: Policy

Current Strength Criteria:
  i. Demonstrably approved by management,
  ii. Demonstrably communicated to stakeholders in the organization and members of the workforce, and
  iii. Clearly communicates management’s expectations of the control(s) operation (e.g., using “shall”, “will”, or “must” statements).

Revised Strength Criteria:
  A documented policy must specify the mandatory nature of the control requirement in a written format, which could reside in a document identified as a policy, standard, directive, handbook, etc.

Scoring Considerations:
  • A policy at the Assessed Entity that meets the Revised Strength Criteria for Policy will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
  • A policy at the Assessed Entity that does not meet the Revised Strength Criteria for Policy will be at either Tier 1 or Tier 0 strength in the scoring rubric, based on whether the current criteria for an undocumented policy have been met.

    Coverage would still need to be evaluated to determine the final score, and the scoring considerations for these criteria remain unchanged.

Maturity Level: Procedure

Current Strength Criteria:
  i. Demonstrably approved by management,
  ii. Demonstrably communicated to stakeholders,
  iii. Outlines stakeholder responsibilities, and
  iv. Discusses operational aspects such as how, when, who, and on what the action/control/requirement is to be performed.

Revised Strength Criteria:
  A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.

Scoring Considerations:
  • A procedure at the Assessed Entity that meets the Revised Strength Criteria for Procedure will be at Tier 4 strength in the scoring rubric and would need to be evaluated for coverage to determine the final score.
  • A procedure at the Assessed Entity that does not meet the Revised Strength Criteria for Procedure will be at either Tier 1 or Tier 0 strength in the scoring rubric, based on whether the current criteria for an undocumented procedure have been met.

    Coverage would still need to be evaluated to determine the final score, and the scoring considerations for these criteria remain unchanged.


To further clarify this change, please see the examples outlined here.

For validated assessments that are currently undergoing QA procedures, the analyst will utilize the Revised Strength Criteria when evaluating the Policy and Procedure maturity levels for the sampled requirement statements. Please be aware that the analyst will not return the assessment to allow for rescoring of any requirements which were not selected for QA procedures.

HITRUST CSF Certification Letter Issuance

Description

HITRUST issues a CSF Certification Letter for validated assessments which meet the certification threshold. The certification letter currently includes the Assessed Entity’s organization overview and scope information. An additional stand-alone certification letter will now be released that does not include the Assessed Entity’s assessment scope information. This letter is being issued to allow Assessed Entities the flexibility to provide the correct level of detail they wish to share regarding their environment.

Implementation

Effective immediately, HITRUST will begin issuing two versions of the certification letter for validated assessments that meet the certification threshold. Below is a breakdown of the information presented in each letter:

Content                                   | CSF Certification Letter with Scope | Stand-alone Certification Letter
Signed Certification Letter from HITRUST  | ✓                                   | ✓*
Assessment Context                        | ✓                                   |
Scope of Systems in the Assessment        | ✓                                   |

*Stand-alone certification letter also references that a copy of the certification letter with scope information is available.

Additional Resources

Click here for a list of anticipated questions and answers.

Summary of HITRUST Assurance Advisories 2020 (click to expand)

HAA 2020-002: Impact Of COVID-19 On Assessment Timelines

Date

March 16, 2020

Advisory

To help ensure the reliability of HITRUST CSF Validated Reports and Certifications, assessors and assessed entities must observe several requirements related to MyCSF access, training, assessments, reporting, and control implementation timing. These timing requirements are outlined in the HITRUST CSF Control Maturity Scoring Rubric, the HITRUST CSF Assurance Program Requirements, and the HITRUST CSF Assessment Methodology and include (but are not limited to):

  • External assessor’s validated assessment fieldwork window (maximum):
    • 90 calendar days prior to the date of submission of the validated assessment object to HITRUST.
  • Minimum number of days that a remediated or newly implemented control must operate prior to assessor testing:
    • 90 calendar days past the control’s implementation or remediation.
  • Maximum age of testing performed by an Internal Assessor being relied upon by an External Assessor:
    • 90 calendar days, as determined by comparing the External Assessor’s fieldwork start date to the Internal Assessor’s fieldwork start date.
  • Window during which HITRUST will accept grammatical changes to a draft report:
    • 30 calendar days from issuance of draft report.
  • Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF:
    • 30 calendar days from issuance of draft report.
  • Interim assessment object submission due date:
    • No later than the 1-year anniversary of the HITRUST CSF Certification (based on the HITRUST CSF Validated Report’s date).
  • Validated assessment object submission due date for re-certification efforts:
    • No later than the 2-year anniversary of the HITRUST CSF Certification (based on the organization’s previous HITRUST CSF Validated Report date).
  • Duration of MyCSF access for report-only customers:
    • 90 calendar days for validated assessments and 60 calendar days for interim assessments.
  • Validity window for the CCSFP certification:
    • Three years, subject to remaining current with required training. Practitioners are required to complete an online, annual refresher course each of the two years following classroom component completion and attend the full class again the third year to maintain the CCSFP certification. The training is due no later than the end of the month that corresponds with the certification’s original anniversary date.
  • Validity window for the CHQP certification:
    • Two years, and the full CHQP course and accompanying certification exam must be retaken no later than the end of the month that corresponds with the certification’s original anniversary date.

HITRUST acknowledges that the ability to consistently adhere to these timing-related requirements may be affected by the ongoing spread of COVID-19. While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is not at this time issuing a blanket waiver for any timing requirements, as doing so would undermine the overall integrity of the CSF Assurance Program and the reliability of assessment reports.

However, HITRUST may issue discretionary, limited modifications or exceptions to these timing requirements to organizations that request them. Such requests should be sent in writing to HITRUST’s Compliance team at compliance@hitrustalliance.net. All timing extension and modification requests will be evaluated by HITRUST. Assessed entities and their assessors should not assume that all requests will be approved. For those organizations that may be delayed in obtaining a HITRUST CSF Certification or in completing a HITRUST CSF assessment, we encourage you to keep all stakeholders apprised of the status of your HITRUST efforts.

Summary of HITRUST Assurance Advisories 2019 (click to expand)

HAA 2019-008: Automated Quality Checking Of HITRUST CSF Assessment Objects

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

September 3, 2019

Advisory Type

Quality

Policy/Program Change Details

An upcoming enhancement to MyCSF will introduce automated quality checking of CSF assessment objects. Users of MyCSF will have the ability to run these checks at any time prior to submission of the object to HITRUST; however, the checks will be automatically run at each “hand off” of the assessment object, such as when an assessed entity submits the object to their assessor and when the assessor submits the object to HITRUST. Over 30 distinct quality checks will be included in this upcoming MyCSF enhancement.

Each potential issue identified will be presented with a description of the issue, the flagged comment or scoring, recommendations on how to address it, and the option to override/accept the issue with an accompanying explanation. All potential issues will need to be addressed or accepted (with explanation) before the assessment can proceed to the next step.

Automated quality checks will be performed on validated assessments and self-assessments. Interim assessments will not be subject to these automated quality checks.

Rationale

This change is beneficial to the HITRUST CSF Assurance Program by:

  • Increasing the consistency of the HITRUST CSF assessment reports, as these checks are applied systematically to all validated and self-assessments in the same manner.
  • Increasing the quality of the output of HITRUST CSF assessments, as these checks will be performed against 100% of the requirement statements included in an assessment.
  • Reducing the amount of time elapsing between submission of an assessment to HITRUST and delivery of the draft report from HITRUST. Efficiencies are gained during HITRUST’s Quality Assurance review of submissions, as certain quality issues will be identified prior to submission of the validated assessment object to HITRUST.

Note that these automated quality checks have been in use for several months outside of MyCSF by HITRUST’s Compliance and Assurance teams; the move of checks into MyCSF and earlier into the assessment lifecycle will not replace the QA checks performed by HITRUST’s Assurance team against validated assessment objects.

Timetable for Implementation

This change will go live in MyCSF on December 31, 2019.

HAA 2019-003: Ensuring Clarity Of Scope Of An Assessment

Impacted Policy/Program Name

HITRUST CSF® Assurance Program

Date

January 15, 2019

Advisory Type

Assurance Requirements

Policy/Program Change Details

This bulletin is to inform HITRUST Authorized External Assessor Organizations about a change to the assurance process regarding the documentation of the scope of the entity’s assessed environment.

HITRUST Authorized External Assessors must provide a verbose description of the assessed environment that includes both systems/products and facilities. This description must clearly define assessment boundaries. In addition to the verbose description, a summary table must be provided that further clarifies what is included and what is not included, such that any discrepancy can be clearly resolved through the definition. We have attached an illustrative example to this advisory.

Rationale

This change is to ensure the clear communication of the environment that was assessed to readers of HITRUST CSF Validated Assessment reports.

Timetable for Implementation

Effective for all validated assessments submitted on or after April 1, 2019.

For inquiries regarding this update, please contact us at support@hitrustalliance.net.

Attachments

Scope Definition & Guidance

For more information, contact: support@hitrustalliance.net.
