How is the HITRUST assessment process conducted?
The HITRUST assessment comprises several steps that an organization must complete to meet the stringent standards of the HITRUST CSF. The following is a general overview of the process in four steps.
1. Readiness assessment
The initial stage of a HITRUST assessment has been reconstituted as the HITRUST Basic, Current-State (BC) Assessment and is referred to as the Readiness Assessment. This self-assessment uses HITRUST CSF tools and methodologies to help organizations examine the operational processes they already have in place.
The readiness assessment is a crucial step toward aligning your organization with the HITRUST requirements, because it is carried out before the formal assessment process begins.
Organizations can improve the readiness evaluation by engaging HITRUST-approved external reviewers: their guidance leads to a better readiness evaluation, a higher chance of a positive assessment, and a faster assessment process.
2. Gap analysis and remediation
A detailed gap analysis follows the readiness assessment. The project coordinator or the HITRUST Authorized External Assessor proposes strategies for improving the areas in which the organization falls short.
Because HITRUST requirements are updated regularly, periodic assessments are needed to close the gaps in your security program. The gap analysis identifies the changes needed to operational procedures, policies, access controls, and documentation so that they meet the HITRUST CSF requirements currently in effect.
Assessment questionnaires often outline the scope of the analysis and the corrective action plans that must be drawn up as a result of it.
3. Validation assessment
The validation assessment is a critical phase in which the designated assessor must be an authorized third party that comprehensively and properly assesses the defined controls in the required categories.
This assessment usually includes on-site activities such as interviewing key personnel, reviewing documents, evaluating security measures, sampling, penetration testing, and vulnerability scanning.
Each requirement is cross-verified against the attributes Policy, Process/Procedure, and Implementation. Compliance is scored according to the extent to which the controls are fully compliant, partially compliant, or non-compliant.
After the assessment, HITRUST reviews and verifies the scores, which are then sent to the authorities, who validate and publish them officially.
4. Quality assurance test
After the validated assessment has been delivered, HITRUST carries out a Quality Assurance Test to verify that the security controls have been implemented correctly. This test uses various testing techniques and typically lasts between 4 and 8 weeks.
The HITRUST Quality Assurance Review adds credibility to the assessments and gives greater assurance to organizations going through the HITRUST review process. After the review is complete, HITRUST issues a final CSF Validated Assessment Report that reflects the CSF certification status.