
cyBARR Chats, HITRUST Edition Episode 10: HITRUST MyCSF Enhancements, Part 1

September 19, 2022 | HITRUST



[00:00:00] Claire McKenna: Hello everyone, and welcome to today's episode of cyBARR Chats, HITRUST Edition. Today, we'll be discussing a recent development that you may have heard of, the HITRUST i1 assessment. We'll discuss what it is, why it's so important right now, which organizations might need it, and how BARR can help.
We're joined by Steve Ryan, senior HITRUST consultant, to provide some more insight into this assessment. So let's get started. Steve, what is the HITRUST i1 assessment?
[00:00:30] Steve Ryan: Absolutely. Thanks for having me, Claire. So the i1 assessment is HITRUST's brand new one-year assessment that is really designed to address the continuously relevant cybersecurity threat landscape.
The i1 assessment was really designed for organizations that are looking to provide more of a moderate level of assurance on transparency, accuracy, consistency, and integrity.
[00:00:56] Claire McKenna: Got it. Can you tell me a little bit more about all the recent attention being given to the i1 assessment? Are organizations starting to require vendors to obtain the i1?
[00:01:07] Steve Ryan: Yeah, definitely, Claire. So first off, yes, organizations are starting to require their clients to become HITRUST certified. So recently the Provider Third Party Risk Management Council, which is really comprised of prominent chief information security officers from some of the leading health systems and provider organizations,
just recently published a press release that announced that any vendors that really want to work with them that are considered at least a moderate-risk vendor must at least obtain the HITRUST i1 certification. And this council's governing organizations include organizations like the Cleveland Clinic, the Mayo Clinic, and Tufts, just to name a few.
So as you can imagine, a lot of their vendors are going to be impacted by this new update.
[00:01:55] Claire McKenna: Yeah, wow. That does seem like a really big impact. So let's dive into the i1 assessment itself. HITRUST has said that this assessment is threat-adaptive. Can you explain what that means?
[00:02:06] Steve Ryan: Absolutely. So threat-adaptive simply means that as the cybersecurity threat landscape evolves, the i1 is going to be continuously updated to address those future risks and potentially help to mitigate those future risks as they evolve. This ensures that security controls are proactively adjusted on an at least quarterly basis to meet the latest and greatest cybersecurity threat activity, such as ransomware or ...
This is really a unique innovation, considering most of the common frameworks go unchanged for years.
[00:02:42] Claire McKenna: Got it. Can you explain the difference between the i1 and r2 assessments? And in what situations should organizations choose an i1 assessment over the r2 assessment?
[00:02:54] Steve Ryan: Yeah. So the i1 assessment essentially allows smaller organizations with less of a support staff to still become HITRUST certified.
The reason for this is the i1 is only looking at the implementation aspect of each control, as opposed to the r2, which is looking at the policy level, the procedural level, and of course the implementation level of each control as well. So the lift for the organization is much smaller, and it's really more comparable to that of a SOC report.
Organizations should choose the i1 over an r2 when they really need to become HITRUST certified but don't have that dedicated team to put all those man-hours into a massive project such as the r2. This serves as a perfect stepping stone for those organizations to get that foundational set of controls implemented, become HITRUST certified, and look into the future of tackling that r2 assessment.
[00:03:48] Claire McKenna: Thank you for that explanation. How long is the HITRUST i1 assessment valid for?
[00:03:55] Steve Ryan: Of course. So the HITRUST i1 assessment is really only valid for one year, and this goes back to how it is constantly updated. So over time, of course, as they address those new security concerns in the threat landscape, they need to update that.
And in order to maintain that ongoing compliance with those security controls, they're updated on an annual basis. So it's only good for one year.
[00:04:21] Claire McKenna: Okay, got it. And what other standards does the HITRUST i1 provide coverage for?
[00:04:28] Steve Ryan: Of course. So the i1 really provides coverage for a number of industry standards, similar to the r2 assessment.
So just to name a few, it's NIST 800-171, GLBA, the HIPAA Security Rule, and the Health Industry Cybersecurity Practices.
[00:04:45] Claire McKenna: Got it, thank you. And could you walk us through just kind of an overview of what BARR's process for the HITRUST i1 assessment is like? How time-intensive is it?
[00:04:57] Steve Ryan: Of course. So as one of our core values here at BARR, we strive to make this as simple as possible. We know HITRUST is complex.
It's scary, and a lot of firms are scared to help tackle it. So we kind of boil it down to a three-step process to achieve that HITRUST certification. Your first step is going to be a readiness phase, where we're going to come in, test your environment against the i1 controls, and really establish a baseline as to where you are.
Next, we have the remediation phase, where for any of those identified gaps, we're going to provide simple and actionable steps for your organization to take on to close all those gaps. And finally, we have the validation and certification phase. Once your organization is ready, we're going to come back in and test your environment against those HITRUST controls, and then submit the HITRUST assessment to HITRUST themselves for their certification and approval.
This entire process for the i1 can take anywhere from six months to a year, which compared to the r2 assessment is about half the time.
[00:05:59] Claire McKenna: Awesome. Thanks for that explanation of that process. That's really helpful. One last question. We talk a lot about privacy when it comes to healthcare compliance.
Can users add privacy into the i1 assessment?
[00:06:13] Steve Ryan: Yeah, definitely. So there's currently not an option to add privacy to an i1 assessment, although it is an option for the r2. However, HITRUST is actively developing a separate privacy certification offering, so stay tuned for when that becomes available, and we'll let you know.
[00:06:31] Claire McKenna: Awesome. Steve, thank you so much for all of your valuable insight into the HITRUST i1 assessment. With so many new developments in the healthcare compliance world, it sounds like we'll be hearing a lot more from you in the future. And thanks to our listeners; we look forward to seeing everyone next time on cyBARR Chats.
[00:06:47] Steve Ryan: Absolutely. Thanks Claire.