On September 3, 2019, HITRUST released three Assurance Advisories that aim to improve the quality, consistency, and efficiency of the HITRUST submission process, as well as HITRUST’s assurance program methodology. As one of the largest and most tenured assessors in the southeast, LBMC Information Security is here to help you stay informed of these changes.

Below are details on the changes announced in the advisories, what it means to organizations and assessors, and when the changes become effective. After analyzing the advisories, we’ve documented guidance below on impacts to organizations going through an assessment for the first time as well as organizations who are already certified.

HAA 2019-007: Updated PRISMA Attribute Weights

What’s changing:

HITRUST assessments are scored based on the PRISMA maturity model and take into consideration certain weights for each of the 5 maturity levels when performing this scoring. HITRUST has updated the individual weights for each of the PRISMA maturity levels as follows:

[Figure: updated PRISMA attribute weights]

What does this mean for assessed organizations?

Previously, the largest percentage of weighting applied to documentation alone, via the policy and procedure maturity levels. Now, the weighting of the implemented maturity level (focusing on implementation and operation of controls) is increasing and is worth double any other maturity level. Numerous organizations, both mature and in the early stages of their information security program, benefit from this update. The update shifts the focus to understanding a control requirement and implementing it correctly rather than just having up-to-date policy and procedure documentation. For organizations going through HITRUST for the first time, the focus will still likely be on policy, process, and implementation. For more mature organizations, the update to the measured and managed weights adds more weight to selecting and implementing mechanisms to treat identified risk (including avoiding, optimizing, transferring, or accepting risk).

When is this effective?

The updated weights will be effective on all validated and self-assessment objects created on or after December 31, 2019. Assessment objects created prior to December 31, 2019 will continue to observe the current PRISMA attribute weights. Interim assessments performed after December 31, 2019 will observe the PRISMA weights in effect at time of performance of the original validated assessment.

HAA 2019-008: Automated Quality Checking of HITRUST CSF Assessment Objects

What’s changing:

HITRUST will be implementing over 30 distinct automated quality checks within the MyCSF tool that will be triggered during object handoff and submission for validated assessments and self-assessments. MyCSF users can also manually run these checks to understand what may be missing from their submission.

What does this mean for assessed organizations?

Submitting a HITRUST assessment requires multiple steps from the assessed entity as well as the assessor. The quality checks ensure all these steps and their nuances are followed so that HITRUST object submissions are consistent across the board. Examples of the types of checks we will see include scoring checks (flagging requirements that score for managed but not measured, or measured but not implemented, etc.) and comment checks (looking for verbiage that indicates testing is not complete or raises questions about applicability). LBMC is pleased that HITRUST continues to improve its quality assurance process to ensure timely delivery and quality of reports. This change has two direct benefits:

  • Reducing the amount of time between submission of an assessment to delivery of the draft report.
  • Increasing the quality of the HITRUST assessment results as the quality checks are applied to all the baselines in-scope for the assessment.

When is this effective?

This change will go live in MyCSF on December 31, 2019.

HAA 2019-009: Updated Scoring Rubric

What’s changing:

The HITRUST scoring rubric utilized by organizations and their assessors in making scoring level determinations is significantly changing. The change is intended to improve usability and add clarity. For example, the new rubric replaces qualitative terms (e.g. none, some, all, etc.) with quantitative scoring ranges (e.g. 0-10%, 66-89%, etc.) and removes ambiguous terms such as “management action” and “ad hoc”. The updated scoring rubric can be seen here: https://hitrustalliance.net/content/uploads/HITRUST-CSF-Control-Maturity-Scoring-Rubrics.pdf

What does this mean for assessed organizations?

HITRUST controls were often evaluated based on whether they were in place or not. These results were often very binary and did not consider instances where a security program could fall between two maturity scores. With this update, the HITRUST scoring rubric defines maturity scoring ranges for control effectiveness. The earlier approach was solely compliance based and as such looked at whether the current state was compliant with a baseline requirement (e.g. antivirus is 50% compliant with the control requirement). The new scoring rubric offers a lookup table with specific guidance around the strength of a maturity level along with the scoring ranges and percentage of points that can be awarded.

When is this effective?

The updated scoring rubric will be applied to assessment objects submitted and accepted on or after December 31, 2019. For organizations planning to submit a validated assessment by the end of 2019, it is important that your assessor submits with enough lead time for the assessment to be accepted before December 31, 2019.

Do you have additional questions about the advisories and the related impact to your organization? Contact us to learn more!