BLOG

Blog Post by Angela Fitzpatrick, ITRM Manager at Meditology Services

---

Audience: This blog article is recommended for any organizations that are considering pursuing HITRUST certification, recertification, or alignment with HITRUST CSF security control requirements.

Not all HITRUST assessor organizations are created equal. Your selection of a HITRUST assessor firm can have a material impact on your ability to achieve certification within targeted budgets and timeframes. Failure to achieve certification or delays in the process can jeopardize key contracts and cost the business irrecoverable time and money.

This blog is a quick reference guide for selecting a qualified and experienced assessor to help your organization achieve certification on time and within budget.

What to Look for in an Assessor

Here are some key questions to ask potential assessors during the vetting and selection process.

1.  How long has the assessor firm been conducting HITRUST assessments and certifications?

There is a steep learning curve for assessors to understand the intricacies of HITRUST CSF controls, assessment and scoring criteria, and the process for achieving certification. There are many control requirements within the HITRUST CSF that require “translation” and guidance to practically implement in real-world settings.

An assessor should provide more than just a “pass or fail” audit service and should be at your side with seasoned experience to help you implement policies, processes, and controls that are practical and cost-effective for organizations of your size and scale. You need to know that your assessor has the experience and confidence to advise on specific control implementations that have passed HITRUST certification muster many times over for other clients.

Assessors that are experienced auditors but new to HITRUST will inevitably experience growing pains in designing and developing certification and audit processes that are efficient and effective. There are many moving pieces and documentation requirements that can overwhelm assessors going through the early years of building their assessment models. You will save considerable time, money, and headaches by working with an assessor firm that has already honed their craft over the years.

Many new players have emerged in the HITRUST certification arena in recent years. This has caused an influx of newly certified assessors and staff. While technically trained and qualified by HITRUST to perform audits, these resources may lack the practical experience to guide you through the certification journey efficiently and effectively.

Although HITRUST vets all firms for fundamental qualifications, this vetting process focuses on evaluating the capability to perform validated assessments and does not guarantee successful results or certification.

Assessors that have been around the block performing assessment and certifications will also have troves of insights, examples, artifacts, and guidance that can greatly accelerate your remediation and adoption of control requirements.

2.  Does your assessment team have experience implementing HITRUST in operational healthcare settings?

Security control frameworks tend to sound great on paper but can be wildly difficult to implement in practice. Healthcare is arguably one of the most complex ecosystems to navigate and adopt strong security control requirements. It is a tremendous benefit to engage a HITRUST assessor that has been in your shoes and has successfully implemented HITRUST in organizations of similar size and complexity to your own.

Assessment firms that specialize in auditing non-healthcare entities may also be challenged with interpreting and applying security controls in healthcare settings. You don’t want to be one of the handful of healthcare clients undergoing an audit and using processes and structures that have been designed for other regulatory frameworks and industries.

3.  Does your assessor have strong audit depth?

You may want to be wary of firms that service healthcare in a consulting capacity but have limited audit experience. Efficient and effective audits require a well-oiled machine of information gathering, evidence collection and review, and reporting processes. These processes often take years to optimize and can introduce project risks for your certification initiative if assessors are still working out the kinks.

4.  Is the price tag too good to be true?

HITRUST certification is not a simple or quick process. Assessors that offer steeply discounted or under-market pricing may be incented to cut corners or deliver bare bones audit support. An assessor firm should be a partner for your organization that is invested in your long-term success. It is very difficult for assessor firms to offer the depth of support and services to be at your side throughout the certification journey if the funding is not there to support it.

5.  Is your assessor firm also qualified to issue SOC 2 Type 2 attestations?

Some healthcare organizations and businesses pursue a combination of HITRUST CSF and SOC 2 Type 2 attestations to address varying customer expectations and requirements. Pursuing separate certifications with different audit firms can result in redundancies and increased costs and distractions to the business.

There is substantial overlap between SOC2 trust principles requirements and HITRUST CSF certification requirements. Organizations can gain efficiencies and drive cost and time savings by combining audits and collecting, assessing and reporting evidence from stakeholders once rather than one multiple occasions in a given audit year.

Only a subset of HITRUST Assessor firms are qualified to deliver both HITRUST and SOC 2 reports. Selecting a dual-service firm is also recommended if SOC 2 is a possible option in the future; this avoids having to go back to the market to hire a separate firm for this purpose. The supply chain landscape is shifting rapidly, and many large healthcare customers require HITRUST and/or SOC 2 certifications pre-contract. Acquiring both certifications up front can be an investment in fast-tracking and enabling the next sales cycle proactively.

Conclusion

Your selection of a HITRUST assessor firm is no trivial undertaking. There are many services firms to choose from and it can be a bit overwhelming to know where to begin when evaluating and vetting potential options.

Meditology has been delivering HITRUST services since its inception over a decade ago; our experience with the HITRUST CSF is second to none. Our qualifications include:

• Meditology focuses exclusively on serving the healthcare industry with a core competence in IT Risk Management, Security, and HITRUST compliance.
• Meditology is an accredited HITRUST CSF Assessor with deep technical experience, having conducted hundreds of HITRUST readiness and security risk assessments based on the CSF for healthcare organizations and business associates across the country.
• Meditology’s Managing Partner, Cliff Baker, served as the lead architect for HITRUST Common Security Framework (CSF).
• Each member of Meditology’s leadership has at least 15 to 20 years of directly relevant healthcare IT security consulting and operational leadership experience including serving as CISOs for healthcare entities
• Several members of Meditology’s leaders are alumni of “Big 4” firms and understand leading processes and approaches to performing certification audits.
• Meditology has delivered thought leadership to the industry on HITRUST, including webinars, conference presentations, and white papers and is a sought-after firm for security expertise.

Meditology is a top-ranked healthcare security and privacy firm servicing healthcare entities of all shapes and sizes. We were designated the #1 Best in KLAS firm for 2019 and 2020 for cybersecurity advisory services.