cyBARR Chats HITRUST Edition Episode 8: HITRUST Assessment Portfolio Expansion and RDS

By December 20, 2021HITRUST, Security, Videos
Swathi West, HITRUST Manager, discusses how the expansion to the HITRUST Assessment Portfolio and the new Results Distribution System (RDS) creates added value for clients.


[00:00:00] Claire McKenna: Hello everyone. And welcome to episode eight of cyBARR Chats HITRUST Edition. Today we’ll be discussing HITRUST assessment portfolio expansion and the HITRUST results distribution system. With HITRUST manager, Swathi West. Let’s get started. Swathi. What does the HITRUST assessment portfolio consists of today? And why is there a need for broader assurance?

[00:00:23] Swathi West: Great question, Claire. Today, the HITRUST assessment portfolio consists of HITRUST CSF rapid assessment, which is a self-assessed security only questionnaire that is facilitated through HITRUST assessment exchange. And this assessment provides a low level of assurance.

And also we have, the second would be the HITRUST CSF readiness assessment. This is an assessment performed in preparation or the validated assessment. And again, this only provides a low level of assurance. And the third one we have today is HITRUST CSF validated assessment. And this assessment will lead to HITRUST CSF certification.

And also this assessment can be tailored to each organization. To include one or more authoritative sources like HIPAA, you name it? And this assessment also provides a higher level of assurance compared to the rapid or the readiness assessments today. And as I mentioned earlier, the HITRUST CSF only offered one certification option, which is the HITRUST CSFs validated assessment report with certification, which again provides a higher level of assurance. And that can mean the path to get HITRUST certified. There’ll be a heavy lift and we only, you know what, given everyone knows that HITRUST validation can be very robust.

So in summary to meet the market needs for varying levels of assurance with higher reliable, HITRUST is adding to two new assessment offerings and like the HITRUST CSF validated assessment. These new offering will aid in understanding control effectiveness as well as, as you know, cyber preparedness and resolve a resiliency.

[00:02:11] Claire McKenna: Okay. Got it. And you touched on this a little bit, but could you talk a little bit more about what the HITRUST assessment portfolio will include with these two new additions?

[00:02:20] Swathi West: With the two new, new additions, the HITRUST assessment portfolio will include the basic current state BC assessment, which is a good hygiene assessment and offers higher reliability than the self-assessment and questionnaire.

By utilizing the HITRUST assurance intelligence engine, AI engine to identify any errors, emissions and deceit. And we have a second addition to the portfolio is the implemented one year validated assessment. That is , which is a best practice assessment and recommended for situations. Present moderate risk or where a baseline risk assessment is needed.

And the one that I won is designed to provide higher level of transparency, integrity, and reliability over anything that’s existing, moderate assurance reports, and also with comparable levels of time, effort and costs. And HITRUST authorized external assessors like BARR they’ll have to validate the

And also, you know what, the two on top of these two new additions, we also have today’s HITRUST as a validated assessment will be named as the risk-based two year, which is our two validated assessment. And you know, the reason for doing this change from the CSF validated assessment to the risk-based two-year validated assessment is okay.

The industry standard HITRUST has a validated assessment. Today is a risk-based and tailorable assessment, which continues to provide the highest level of assurance and for situations with greater risk exposure due to like data volumes can be regulatory compliance or other risk factors. So I think this is, this is accurate.

The name, the change, the name change to validate it to the risk-based to your validated assessment makes more.

[00:04:15] Claire McKenna: Got it. That definitely is a lot of great information. Switching gears a little bit. Um, we also wanted to talk about the HITRUST results distribution system today. So how does the new, um, results distribution system improve results, sharing and benefit organizations in comparison to what we have.

[00:04:34] Swathi West: Great question again, Claire, because today the sharing of third-party assurance report is largely manual and less than ideal because it involves requesting PDF reports from business partners, for example, customers, and it usually involves exchanging PDFs back and forth. And, you know, PDFs can vary greatly depending on the top of the report.

That’s showing 40. The length and sometimes BDMs do in our industry also know w you know, it’s copy protected and, or, you know, password protected, making them tough to access and also use, and the PDF are static. It’s not really interactive making it, you know, necesarrily to like copy data into more feature rich tools to make it more meaningful.

And this, the whole process is done. So to make the third-party assurance reports more meaningful and more useful, we need a better process to share the results. And I think I personally think RDS is a great solution because the HITRUST results distributions has done much is the audio. We’ll enable SS, you know, assessed entities to deliver their HITRUST assessment results through a secure, centralized reporting hub to any relying parties.

So that would eliminate the need to exchange these PDFs, the manual review, and you know, any subsequent errors that occurs. So recipients will be able to customize the dashboards to view the results and, you know, That’s more interesting or, you know, that’s more accurate or they just wanted to see the scope or just specific control scores.

So this would be easier because you can customize the dashboard depending on what you need. And in addition to that, in addition to the customization, this can be integrated well with DRC or any VR platforms that are available through API. So in summary, hydros is launching RDS to allow for a more efficient assessment report sharing from.

[00:06:36] Claire McKenna: Very exciting changes coming. It sounds like. So when will the two new assessments and the results distribution system be available and what can we expect from it in the

[00:06:45] Swathi West: future? The basic and the, I want assessments. And also the results distribution system we talked about will be available by the end of this calendar year.

And with RDS, just starting out. They’re focused to share results from the Hydrus family of assessments, including the basic occurrence, the implemented the risk-based we talked about, and there are some future enhancements that are planned for RDS in both the assessments in 2022 that expected to work and.

Um, started working in end of Q1 2022. So we have a lot of great things that we’ll be seeing in future and hydrous is all about continuous improvement. So I’m, I’m super excited for the assessment portfolio and the RDS.

[00:07:31] Claire McKenna: That’s great. One last question for you today. Can you talk a little bit about the cost to implement RDS and which HITRUST assessments can be shared via.

[00:07:41] Swathi West: Very important question. And this is typically what we get from our clients too. So glad you asked the Russell’s distribution system, the RDS is included with all levels of hydrosis of subscription, including the report-only option. So. That means that assessed entities can send their HITRUST assessment results to relying parties at no additional cost.

And, you know, even relying parties can access these results at no additional costs. So it’s sending an email without any additional costs, but no way better secure manner, because you can customize the dashboards and it’s way secure and meaningful. And also keep in mind. Even though that has no additional cost today, but if there was any future functionality, which, you know, included, um, any enhanced analytics and API integration that will require a fee to utilize and to answer your other question of which hydrous assessments can be shared via the RDS.

RDS will support the sharing of any HITRUST validated assessments results, which obviously, you know, have to be in a good standing and also accessible in my CSF. And another important thing to consider is the use of RDS is required today and it. You know, if you want to use it, you just opt in and the assessed entity will opt in.

And those who don’t opt in will still be able to download PDF of HITRUST support and certification letters. So, you know, you have to opt in to use the RDS, but if you don’t have to, and you can still have the availability to download PDF and use it to send it to your, um, relying parties. And I hope that helps.

[00:09:20] Claire McKenna: That definitely helps. And that’s great information for all of our clients. That’s all for today. Swathi thank you so much for all of this insightful information on this exciting portfolio, expansion and RDS, and we look forward to seeing everyone next time on cyBARR Chats, HITRUST edition. Thank you.