In early September, HITRUST released three Assurance Advisories that aim to improve the quality, consistency, and efficiency of the HITRUST submission process, as well as HITRUST’s assurance program methodology. You can read all about these in this LBMC blog post.

On September 12, 2019, HITRUST released two additional Assurance Advisories. This time provided new guidance for placing reliance on the results of previously performed audits, assessments, and inspections. In an effort to continually enhance and expand its CSF Assurance Program to ensure the highest level of quality is maintained, HITRUST’s new guidance allows an organization to complete an assessment with less time and fewer resources by leveraging the work of others.

The HITRUST press release can be found at https://hitrustalliance.net/hitrust-releases-guidance-relying-work-others/. Below, LBMC Information Security breaks down these advisories, what it means to organizations and assessors, and when the changes become effective. 

HAA 2019-010: Updated Documentation Requirements for Relying on Third-party Reports

What’s changing:

This update adds clarification on timing, scope, and documentation requirements for relying on the results of previously-performed control testing, for both inheriting the results of other HITRUST CSF Assessments and relying on audit reports and certifications issued by third-party assessors, such as SOC 2. Specifically, when placing reliance on a third-party audit report, new requirements state:

  • In order to place reliance on a third-party audit report, both the External Assessor and HITRUST must be authorized recipients of the report.
  • When designing a reliance strategy, the External Assessor must perform a mapping between the HITRUST CSF requirements and the testing in the third-party audit report. This mapping, which is also provided to HITRUST, ensures a meaningful reliance strategy and demonstrates the basis for reliance on the third-party audit report.

Third-party reports can be relied upon for up to 1 year, as determined by comparing the HITRUST validated assessment fieldwork start date to the period end date for period-of-time reports or the final report date for point-in-time reports or forward-looking certifications.

What does this mean for assessed organizations?

The option to leverage results of other HITRUST CSF Assessments and third-party audit reports and certifications performed within the prior year remains a viable option to achieve assessment efficiency and potential cost savings. This update is intended to provide additional clarity and transparency about the expectations and prevent any over-reliance or unwarranted reliance on the work of others. Organizations will need to ensure the External Assessor and HITRUST are authorized receipts of the report. External Assessors remain accountable for validating the implementation of the HITRUST CSF Assessment and will need to perform sufficient review, mapping, and documentation efforts to ensure all reliance is appropriate.

When is this effective?

This change is effective on all assessment objects submitted and accepted on or after December 31, 2019.

HAA 2019-011: Relying on the Work of Internal Assessors

What’s changing:

This update introduces a new role in the CSF Assurance process – the Internal Assessor. This role creates an opportunity for personnel with in-depth knowledge of an organization’s IT controls (such as internal audit, risk management, and compliance teams) to directly participate and support the CSF Assessment process by performing testing and verification on various aspects of the process. In order to be recognized as an Internal Assessor, an organization must complete the application process, meet objectivity and resource qualification requirements, and be approved by HITRUST. External Assessors can rely on work performed by approved Internal Assessors.

As with the previous advisory, more information will be released by HITRUST no later than October 1.

What does this mean for assessed organizations?

Organizations who utilize the Internal Assessor role can create opportunities for greater assessment efficiency and customer cost savings. Organizations who already perform pre-testing efforts in advance of their HITRUST CSF Validated Assessment can not only reduce costs, but also eliminate duplication efforts. This update also introduces more flexibility in fitting the HITRUST CSF assessment procedures into the assessed entity’s broader compliance activities.

When is this effective?

This change is effective upon recognition as Internal Assessor assigned to an organization.