HITRUST Assessment Scoping Changes
Published On June 9, 2020
Blog Post by Angela Fitzpatrick, ITRM Manager at Meditology Services
Audience: This blog article is recommended for any organizations that are currently pursuing HITRUST certification, recertification, or are considering aligning with HITRUST CSF security control requirements.
Bottom line: New scoping questions have been added to MyCSF in order to remove redundant control requirements from assessments; the changes apply to all MyCSF objects created after June 1, 2020.
The HITRUST Alliance recently issued updates to the assessment scoping factor questions in MyCSF for HITRUST CSF Validated Assessments and HITRUST CSF Readiness Assessments. The change is designed to reduce the number of repeat requirement statements that are marked as “Not Applicable”.
Specific changes to the assessment scoping factors include:
- Twelve new technical scoping factor questions were added. These questions do not add twelve net new requirements; they are only used to remove or filter superfluous requirements during the scoping process.
- Instead of having to explain why similar requirements are not applicable to the assessment multiple times (at the requirement level), assessed entities now need to explain that the associated risk factor does not apply once (at the scoping level).
- The new scoping questions are available on all objects but are only required for objects created after June 1, 2020.
- By default, the newly added questions default to a visible option of “Please choose an option”, which is treated by MyCSF as “Yes”. The net effect of defaulting to a “Yes” value is the same as not having the scoping factors present at all. These questions are only reductive (never additive), so no requirements are added or removed from any previously created assessment object without action from the assessed entity.
- Organizations that wish to take advantage of the new scoping questions can answer “No” to these questions on the Factors page in MyCSF and provide an explanation. No action is required for organizations that previously created assessment objects who do not wish to take advantage of these newly added scoping factor questions.
New Scoping Questions:
- Is any aspect of the scoped environment hosted on the cloud?
- Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?
- Does the scoped environment allow dial-up/dial-in capabilities (i.e. functional analog modems)?
- Is the scoped information sent and/or received via fax machine (i.e. an actual machine, excluding efax or scan to email)?
- Do any of the organization’s personnel travel to locations the organization deems to be of significant risk?
- Are hardware tokens used as an authentication method within the scoped environment?
- Does the organization allow personally-owned devices to connect to scoped organizational assets (i.e., BYOD - bring your own device)?
- Are wireless access points in place at any of the organization's in-scope facilities?
- Does the organization perform information systems development (either in-house or outsourced) for any scoped system, system service, or system component?
- Does the organization use any part of the scoped systems, system components, or system services to sell goods and/or services?
- Does the organization allow the use of electronic signatures to provide legally binding consent within the scoped environment, e.g., simple or basic electronic signatures (SES), advanced electronic or digital signature (AES), or qualified advanced electronic or digital signatures (QES)?
- Is scoped information sent by the organization using courier services, internal mail services, or external mail services (e.g., USPS)?
Meditology Services is a certified HITRUST assessor with leadership that served as the lead architect for HITRUST CSF. Our expertise with HITRUST is second to none. Ranked #1 Best in KLAS for Cybersecurity Advisory Services in 2019 and 2020, Meditology is a top-ranked provider of information risk management, cybersecurity, privacy, and regulatory compliance consulting services, exclusively for healthcare organizations.