
cyBARR Chats, HITRUST Edition Episode 13: Common HITRUST Pitfalls

December 14, 2022 | HITRUST



[00:00:00] Claire McKenna: Hello everyone, and welcome to today’s episode of cyBARR Chats HITRUST Edition. Today we’re joined by Senior HITRUST Consultant Steve Ryan to discuss the most common pitfalls that organizations face during the HITRUST process and how you can avoid them. We hope this insight will help you have the smoothest HITRUST experience possible.

[00:00:21] Claire McKenna: So Steve, let’s get started. You have a ton of experience helping organizations through their HITRUST journey. What would you list as the most common pitfalls or issues that organizations face?

Steve Ryan: Thanks for having me back again, Claire. So, to answer your question, the most common pitfalls that organizations can run into are problems with scoping, knowing what’s involved in the process, resource planning, and struggling to set reasonable timelines and customer expectations.

Just being aware of these common issues when getting started with HITRUST is a great first step.

Claire McKenna: Awesome. So let’s talk about some of those in a little more detail. So why do organizations struggle with scoping, and how should they solve that?

Steve Ryan: Yeah, definitely. So scoping is a really important part of the HITRUST process.

I recommend that organizations sit down with their experienced external assessor to walk through their entire environment and learn what each control means for their environment. The scope for an assessment is very unique to each organization, and it’s important to understand how the environment is configured, who owns each control (using the HITRUST shared responsibility matrix), and how best that control can be implemented given each unique organizational configuration. Commonly, organizations will either scope in far too much, which leads to extra and unnecessary work, or the organization won’t scope the environment enough, meaning they think controls don’t apply when they do, or something isn’t relevant to them when it is. This leads to endless headaches and certainly delays as well when it comes time for validation.

Claire McKenna: Got it. Thank you for that explanation. You also mentioned that sometimes organizations can struggle with understanding what’s involved in the HITRUST process, so why is this an issue?

Steve Ryan: Yeah, definitely. So HITRUST is what they like to call themselves, the gold standard in cybersecurity, which means it’s gonna take a significant lift and cultural shift for your organization. It needs to be more than just a check-the-box type of engagement to truly be successful.

Claire McKenna: Got it. That is definitely really good to know.

And that leads me to my next question on resource planning. So I imagine once organizations understand the lift involved with obtaining a HITRUST certification, it can be easier to plan resources. But how should organizations plan their resources as they get started on their HITRUST journey?

Steve Ryan: Yeah, so as I mentioned before, HITRUST is that gold standard in cybersecurity, and with obtaining any gold standard, a lot of work and resources are needed to not only achieve a certification, but maintain that certification year after year.

Organizations need to understand that it isn’t just a quick process; it could take anywhere from six to 24 months for initial certification. With that, once a readiness is complete, there needs to be almost an all-hands-on-deck approach to remediate any deficiencies that were found. This is going to include individuals from multiple departments, third parties, and the potential for very large expenditures to be made to implement some of these controls.

This should all be communicated to top management with appropriate expectations and timelines, both prior to readiness, throughout the remediation phase, and up until certification. Once top management has that buy-in, the people, budget, and time should follow hand in hand.

Claire McKenna: Got it. Super helpful. So the last pitfall or issue that you mentioned was setting reasonable expectations and timelines.

Could you explain that one a little more?

Steve Ryan: Yeah, definitely. And this is something that I see most commonly across all of my clients here. So sometimes clients will panic when they have a customer or a stakeholder who wants them to be HITRUST certified as soon as possible. Like I mentioned earlier, HITRUST can be a really significant lift, and an r2 assessment can take anywhere from 18 to 24 months by itself to achieve. By setting reasonable expectations and timelines for the process, both internally and with your stakeholders, organizations won’t have to panic or rush through the process.

Claire McKenna: Got it. Yeah, that’s definitely good to know. We don’t want anyone to panic. So Steve, that brings me to my last question. Um, just what other advice do you have for organizations who wanna have the smoothest HITRUST experience possible?

Steve Ryan: Yeah, absolutely.

So there really are two main pieces to a smooth HITRUST experience. I would say patience and communication. If an organization understands this is gonna be a long process to complete and there are going to be frustrations, the organization already has the right mindset to achieve the gold standard in information security.

Additionally, constant communication is key between the organization’s control owners, top management, and including the external assessor. Um, an organization needs to find a true partner in an external assessor in which they can rely on to help decipher some of these HITRUST controls and help ’em set themselves up for.

Claire McKenna: Got it. Well, that was my last question. So Steve, thank you so much for your time. Uh, to our audience, please reach out if you have any questions about the pitfalls we discussed today or if you are just interested in getting some more information on HITRUST. Thank you everyone for tuning in, and we look forward to seeing you next time on cyBARR Chats.

Steve Ryan: Always a pleasure, Claire.