The SolarWinds cybersecurity attack and the recent zero-day exploit involving Microsoft Exchange servers have exposed vulnerabilities in the IT infrastructure of organizations at every level, from small private businesses to major universities and government agencies, compromising sensitive information and national security in the process. However, practicing good security hygiene for internal systems is only half the battle. To prevent cybersecurity attacks from derailing your business, you must carefully vet your own security program and those of your vendors as well.
Requiring your vendors to maintain industry-recognized certifications is one of the best ways to make sure there are no weak links in your supply chain. When using certifications as part of your vendor risk management, recognize that they vary widely in terms of their scope and the rigor of the assessment process. Long considered the gold standard for healthcare organizations, HITRUST certification employs one of the most comprehensive frameworks and assessment processes available. Moreover, while HITRUST certification was originally developed to address the challenges of the healthcare industry, HITRUST’s Common Security Framework (CSF) can now be leveraged by any organization that creates, processes, stores or transmits sensitive information.
The HITRUST CSF was developed to provide a prescriptive set of security requirements and to harmonize often conflicting mandates from myriad security and privacy regulations. Today, the scope of the CSF’s requirements is a big reason why HITRUST is recognized as an elite security certification. Whereas a SOC 2 report may assess an organization’s security program against 80 to 100 controls, the average number of control requirements for a HITRUST Validated Assessment is around 400.
Making the Investment
Staying on top of a constantly evolving regulatory landscape is no easy task. To stay current and address new legal requirements, the CSF framework is updated frequently. When the EU passed the General Data Protection Regulation (GDPR), the HITRUST Alliance incorporated those requirements into the CSF. Other recent additions address state laws, like Texas HB 300, and New York’s Cybersecurity Requirements for Financial Services Companies. The HITRUST CSF is also mapped to several leading security frameworks, including NIST, ISO 27001, COBIT and PCI DSS.
The mapping to multiple legal requirements and security frameworks lies at the heart of the HITRUST Alliance’s “assess once, report many” approach to certification. However, while HITRUST certification can streamline the amount of time and resources spent on complying with security requirements, the process of obtaining HITRUST certification requires a significant outlay of time, personnel and money. The cost of a HITRUST certification ranges anywhere from $30,000 to $175,000 and requires an average of 400 hours to complete the assessment process.
Although HITRUST certification requires a serious investment of resources, the comprehensiveness of the certification process is worth the effort. Certification typically starts with a self-assessment to evaluate readiness to pursue full certification. Once the readiness assessment and the remediation of any gaps it identifies are completed, the organization works with an authorized external assessor to complete a HITRUST Validated Assessment. During this phase, the assessor reviews policies, procedures and implementation evidence and conducts on-site fieldwork to verify compliance with the company’s scoped HITRUST CSF requirements.
Following completion of fieldwork, the assessor conducts a quality assurance assessment of the evidence submitted and provides a Validated Assessment Report to the HITRUST Alliance for certification. HITRUST’s review can take six weeks or more to complete. At the end of the process, the HITRUST Alliance issues a letter of certification, in addition to the finalized Validated Assessment Report. Organizations that pass the HITRUST Validated Assessment are certified for a two-year term and complete an interim assessment in intervening years. This review cycle ensures that HITRUST-certified organizations update their security programs on an annual basis to stay current with changing requirements.
In addition to the comprehensiveness of HITRUST CSF requirements, undergoing a review by an authorized third-party assessor provides independent validation that the organization adheres to security best practices. The other component that distinguishes HITRUST certification is the emphasis on documentation. To achieve certification, organizations must formalize the elements of their security program in written policies and procedures and walk their talk by documenting implementation.
Fast Becoming a Must-Have
Having written policies and procedures and implementing them on a consistent basis operationalizes security best practices throughout the organization and reduces the potential for costly and damaging security incidents and data breaches. Beyond the internal benefits, HITRUST certification gives vendors a compelling way to validate their security program to their customers and other external stakeholders. In fact, HITRUST certification is so well regarded that many organizations now require their business associates to be HITRUST certified.
As cybersecurity attacks grow increasingly sophisticated, companies must ensure their suppliers maintain robust security programs. Due to the scope of the HITRUST CSF and the comprehensiveness of the assessment process, you can be confident that vendors who maintain HITRUST certification meet or exceed security best practices and legal requirements. It’s little wonder HITRUST certification has become a widely adopted security and privacy framework across industries globally.