cyBARR Chats: HITRUST Edition FAQ Part 3

By March 29, 2021Videos
cyBARR Chats: HITRUST Edition is a video series that covers updates, trends, and everything you need to know related to HITRUST. In Part 3 of this FAQ, we discuss the most important discussion to have with your HITRUST Authorized External Assessor organization, and what it takes to get HITRUST + SOC certification.


Michelle: [00:00:00] Hi everyone. And welcome to our third episode of cyBARR Chats HITRUST edition. Today we’re covering two very important topics with HITRUST manager Swathi West. So let’s jump right in with the first. Swathi, what is the most important discussion to have with your HITRUST authorized external assessor organization before starting the HITRUST CSF readiness or validated assessment?

Swathi: [00:00:27] Great question Michelle, to take a step back before we start thinking about HITRUST readiness or validated assessment, it is essential to understand that HITRUST will only certify implemented systems. It does not certify facilities, people services or products like mobile applications.

Just to make it a little bit easier, think about a hospital building. HITRUST won’t certify the building itself, but, for example, it will certify the system that’s collecting EPHI or even their customer service or support systems like that. So to be HITRUST certified, they should be fully installed and configured.

This is why, when thinking about certification, it is very crucial to know the scope of the system that you would like to get HITRUST certified. I personally would say that is the most important discussion to have with your external assessor. Keep in mind when you’re thinking about scope, it is very crucial.

So, to think about different business units, different facilities and departments, different applications, now we’re going to restructure, and even third parties, because these are all the questions your assessors will ask you. These are all the questions that are part of the scoping as well. Like I said, scope is the most important discussion to have with your assessor and the scope can be tailored.

To different clients, not one client will have the same scope, right? So it can be tailored to different clients. And we here at BARR, we can facilitate those discussions and can help you navigate through all that where to get the tailored scope that would fit your needs to get HITRUST CSF certified.

Michelle: [00:02:12] So Swathi, can an organization get SOC plus HITRUST certification, and what are some of the benefits and drawbacks to going that route and who should go that route? 

Swathi: [00:02:22] There are a couple options, Michelle. We could either do a SOC plus HITRUST CSF reporting or SOC plus HITRUST CSF certification, SOC plus CSF reporting.

You know, BARR will express an opinion on whether the client controls are suitably designed and operating effectively to meet the HITRUST CSF. Security certification criteria or HITRUST CSF, comprehensive security criteria. The main difference is security criteria would be all the security controls that are applicable or HITRUST.

But when you’re talking about HITRUST CSF, comprehensive security controls would just include the controls that are only required for certification. So we could select that depending on the client needs again. And, we’ll  express an opinion on that and in addition to that, we also will be able to test whether the controls, you know, are applicable for trust services criteria by AIC.

So, now just to keep it again, a little bit simple, we’re testing SOC and also HITRUST controls to make sure they are designed and operating effectively. Benefits of this would be, you know, in most cases, we could facilitate both HITRUST and SOC audits simultaneously, if that way we were able to save a lot of time, right.

And also we improve efficiencies for both our clients and also us. And some of the drawbacks with this route would be an increase of scope when we’re talking with clients, it was just only SOC, but you’re also adding HITRUST to it. So it’s always important to [00:04:00] understand that we might have to add additional criteria.

So with the SOC we’re only doing availability, but then, now we’re adding HITRUST or whether it’s a security or comprehensive criteria, then we’re adding more additional criteria we might have to willing confidentiality or, process integrity and other things like that.

So there’s definitely increase of scope that we also have to think about. And another important thing to keep in mind is any findings that we have from HITRUST would also reflect in the report because you were with the SOC audits we’re only getting the findings from the SOC reports, but then we’re including HITRUST.

So it’s, it’s very important to understand that we would be having that additional findings. If we do have any from HITRUST also will reflect in the report, like the results in the SOC, which that also might increase just because we’re adding HITRUST that might increase the number of exceptions that might be there in the report and either the process improvements or exceptions.

Um, so that’s another important thing to keep in mind. Another option, like I [00:05:00] said, would be SOC plus HITRUST CSF certification. We just talked about reporting where we’ll do an opinion, but now this is certification. So this is similar just because we were doing SOC plus HITRUST on top of that.

This is similar to the about option where we’re doing more, would express an opinion, whether the client who tools are suitably designed and operating effectively, whether to meet the HITRUST CSF certification criteria or HITRUST CSF, comprehensive security criteria, in addition to AICPAs applicable trust, service criteria as well.

So like I said, we’re doing both SOC and HITRUST testing, but for this option we include HITRUST CEUs of certification for the previous one, we don’t have certification. It was just a reporting, but now we’re also including certification, which will be provided by HITRUST CSF itself. Then this, we could add, and we could take that report from provided, but HITRUST just [00:06:00] added in the unaudited section of the SOC report, combining both SOC and HITRUST.

Some of the benefits for this would be again, we could consolidate the evidences because we’re already testing for SOC or we’re already testing for HITRUST and we can use it vice versa. So it’s definitely efficient because we can consolidate the evidence that we requested the client and we being excellent assessors.

We test our clients’ controls. And then because we’re adding an actual third party, HITRUST, they will also review our client controls. And that would be an excellent quality control throughout the assessment it’s going through two QA is at this point it would also provide greater value to our clients.

If you think about just having one SOC, but now also we’re doing SOC plus HITRUST and we’re actually including HITRUST report and the SOC plus HITRUST so that would, everything would be in one report. So if the client’s customers are requesting the reports, that [00:07:00] would just be in one report and that would ultimately show our client’s security posture.

So I would say this is a great benefit. When you think about SOC plus HITRUST of certification, the potential drawbacks would be, this option might get a little expensive, because we would want our client, clients should be buying the my CSF subscription. And also there are other fees that are included with this option.

So definitely, the potential drawback would be a little bit expensive rather than reporting. And also there might be some delay because like I said, we’re including HITRUST in the process. And with that they’re doing testing and it would take a little bit more time. We have to test it. We submit to HITRUST and then HITRUST would need to complete its QA.

So I would say there’s a little bit delay that would definitely be in this option for your other part of the question, Michelle, who should opt for SOC plus HITRUST. I would say it greatly depends on our client’s customers. I mean, our clients contracts with their [00:08:00] customers, uh, you know, this is the first question we usually ask our clients to, what does your contract say?

We’re going through the basics with this, but still, it depends on the contracts right. At the end of the day. So does it say HITRUST certification or does it say SOC plus HITRUST reporting? So reviewing the contracts is the most important step. And, I would say scope of the assessment again, because our current clients were already doing their SOC 2 report. So adding HITRUST to the same scope of SOC wouldn’t be that difficult. So definitely having that initial conversation- what’s your scope. what do you want to do? Do you want to add HITRUST on top of the same scope or, do we want to expand the scope?

So definitely that discussions around scope is very important. And also like we discussed earlier, if our clients are thinking about saving money or their time, or just need a better evaluation of their security posture. All of these different aspects would just have to be considered when we’re thinking about SOC plus HITRUST certifications or reports.

[00:09:00] Michelle: [00:09:00] Thank you, Swati. This is all such great information. We are looking forward to learning more about interim assessments and internal and external inheritance in our next HITRUST edition of cyBARR chats. See everyone next time. Thank you. 

Swathi: [00:09:14] Thank you.