You may have heard terms like “HITRUST measured and managed” or “HITRUST policy and procedure.” HITRUST uses five maturity levels as scoring rubric for compliance. Each control will be assessed in five different areas:
Looking closer at the HITRUST Maturity Model and understanding the levels and areas for assessment is extremely useful. It can translate into best practices for your organization, giving you a roadmap to prepare for HITRUST compliance.
Refer to the following best practices for HITRUST compliance.
Upgrade and document your policies.
Make sure your policies are formal, up-to-date, documented, and readily available to employees. They should be documented and based on NIST or ISO to meet the HITRUST requirements. They should cover all facilities, operations, and systems and be approved by key parties. Clearly assign security responsibilities and identify penalties if policies are not followed.
Make sure formal, up-to-date, documented procedures are provided to implement the security controls identified by the defined policies. You’ll need to outline procedures in detail and identify the “who, what, how, and when.” Clearly define information security responsibilities and expected behaviors and communicate procedures to everyone who needs to follow them.
Create and test your incident response and business continuity plans.
Make sure you have an action plan in place so you know exactly what to do in the event of a security incident or breach. Your business continuity plan will ensure you can continue to function in the event of a disaster or business interruption. These are requirements for HITRUST certification.
Implement technical controls for measurement.
Validate the security of your system with technical controls like vulnerability testing and penetration testing. Tests should be routinely conducted to evaluate the adequacy and effectiveness of all implementations. These may include self-assessments, independent audits, and evaluations initiated by organizational management. Continually re-evaluate threats, and test individual controls frequently.
Verify consistent implementation.
Are your information security procedures and controls implemented in a consistent manner? Reinforce them through training, and discourage any ad hoc approaches. Conduct initial testing to make sure controls are operating as you intend.
Proactively manage and minimize risk.
Correct identified weaknesses and make continuous improvements to policies, procedures, implementations, and tests. Integrate information security in budget planning, and make decisions based on cost, risk, and mission impact. Understand and manage security vulnerabilities, adapting controls to emerging threats.
Get organizational buy-in.
The HITRUST certification process is a significant undertaking that will require a lot of heavy lifting—not only from the IT and security teams but also from others in the organization who might need to change their processes. Make sure you have executive support and the appropriate resources to be successful.
Adopt a culture of compliance.
Some security audits are all about “checking the box,” but HITRUST facilitates a robust security program and organization-wide compliance culture. Making security a part of your organization’s daily routine and operations will make HITRUST certification much easier. No one wants to be cramming for a HITRUST exam at the last minute!
Encourage business leaders to understand how adopting the framework benefits the business by addressing risk and providing guidance on important data protection elements. Strong information security isn’t just about the IT team; it extends across all departments with sensitive data to protect. This can include Risk Management, Procurement, Finance, Operations, Human Resources, Sales, Marketing, and many others.