An external assessor plays a critical role in the HITRUST certification process. The assessor helps you evaluate your organization’s readiness, identifies and remediates gaps, and then conducts the actual validation assessment that you submit to HITRUST.
The earlier in the process that you find and engage an assessor firm, the better. You’ll be working together for a long time, and the assessor can provide essential guidance at each step of the assessment journey. The best assessors will help streamline the process, enabling you to complete the assessment rapidly while minimizing the use of your internal resources.
How do you find the right assessor for your organization? Evaluating assessors on a few key criteria will enable you to choose the one that can help your organization be the most successful.
What Is a HITRUST Assessor?
A HITRUST assessor firm is a third-party organization that has been approved by HITRUST to provide consulting, readiness, and assessment services on behalf of organizations seeking HITRUST certification. To be licensed by HITRUST as an Authorized External Assessor, a firm must complete a vetting process and demonstrate its capability of performing a HITRUST assessment.
These external firms assess organizations using the HITRUST Common Security Framework (CSF). The framework integrates multiple regulations and standards into a single reference that covers a range of areas, including risk management, access control, network security, and incident management. Implementing the privacy and security controls listed in the framework is a key part of achieving HITRUST certification.
What Is a HITRUST Certified CSF Practitioner?
A HITRUST Certified CSF Practitioner (CCSFP) is an individual who has completed the CCSFP training course and passed the exam, indicating they have the required background and experience required to use the HITRUST CSF. These practitioners can be employed by any type of organization. They might work for an Authorized External Assessor firm or be an internal assessor, working for an organization that is pursuing HITRUST certification.
How Do You Choose a HITRUST Assessor?
The right HITRUST assessor can help simplify and accelerate the assessment process, enable you to overcome potential obstacles, and even save you money. But finding the best fit for your organization requires a bit of due diligence.
When choosing a HITRUST assessor, look for these seven attributes:
1. Expertise
Not all authorized HITRUST assessors will have the expertise that your healthcare organization requires. As you evaluate firms, make sure their assessment teams have sufficient expertise in healthcare, cybersecurity, and auditing.
- Healthcare: Does the firm’s healthcare practice make up a significant portion of its business? Make sure each assessor firm you are considering frequently works with healthcare organizations and understands not only key healthcare regulations but also the processes and goals that are common among healthcare organizations.
- Cybersecurity: How well versed is each firm in cybersecurity? Are they on top of the latest threats and security trends? A high-quality assessor firm of a moderate size or larger should have at least one high-ranking official who has managed security within a larger organization at an executive level.
- Auditing: Does the firm specialize in auditing? The firm you select should include at least one individual with extensive hands-on experience auditing risk management and regulatory compliance in a medium-sized company or large enterprise.
2. Engagement with HITRUST
How closely does each firm work with HITRUST? Do any executives sit on HITRUST working groups or councils?
For example, HITRUST appoints several Authorized External Assessors to the HITRUST Authorized External Assessor Council. The council represents the assessor community assessors, providing feedback on the HITRUST program in an effort to further improve its integrity, efficiency, and effectiveness. Has the assessor firm you’re considering ever been a part of that council?
How frequently does each firm submit validated assessments to HITRUST? While many firms offer HITRUST services, some submit validated assessments only infrequently. Those firms might be unaware of recent changes to the framework and certification process.
3. Track record
When evaluating a candidate firm, ask about the firm’s certification experience and success rate. Do all organizations that engage with this firm complete the process? Or do some fall off? Don’t be afraid to set the bar high. Ask how many HITRUST assessments they’ve successfully completed.
Be sure that the assessment firm has experience with all three assessment types available in the HITRUST assessment portfolio:
- HITRUST Essentials 1-year (e1) Assessment: An entry-level validated assessment and certification.
- HITRUST Implemented 1-year (i1) Assessment: An assessment that provides a moderate level of assurance that organizations have adequately addressed cybersecurity threats.
- HITRUST Risk-based 2-year (r2) Assessment: The most rigorous assessment, with the most comprehensive set of control requirements. An interim assessment must be conducted every other year.
Has the firm you are considering conducted multiple risk-based, 2-year (r2) assessments? Has the firm completed many interim assessments?
4. Software solutions
Using the right software solutions can help streamline assessment, gap remediation, and validation. An assessor should use automated software solutions—not Excel spreadsheets. Those automated solutions should provide a clear line of sight of what changes are required and why. Ideally, the software will help your organization to better prepare for additional compliance audits in the future.
5. Pricing Based on Scope
HITRUST certification can be costly, but the right pricing model can help your organization save money. Ask each candidate firm whether they charge a flat rate or charge based on the scope (i.e. number of controls in your assessment). In many cases, you can save money by working with an assessor that charges based on scope. Your assessment might only have a few hundred controls—or you might inherit controls from a cloud provider or a managed security services provider. Paying by the control could significantly reduce costs.
6. Customer service
Ask how each assessor engages with customers. When you have an issue, will you be working with the actual assessment team? Does the assessor have a 24-hour response service level agreement (SLA)? What happens if someone goes on vacation—what is the contingency plan?
Ask for references. An assessor firm with happy customers will be pleased to arrange a conversation.
7. Cloud provider partners
Choose an assessor that works closely with cloud service providers offering HITRUST inheritance. Major cloud service providers—such as AWS, Azure, and Google Cloud—as well as several of their partners, have been certified by HITRUST to provide a HITRUST Inheritance program. With an inheritance program, the cloud provider offers several HITRUST-certified services. If your organization uses any of those services, you can inherit the controls in place for the services, and you can avoid implementing them yourself. Inheriting controls from a cloud provider or a cloud partner can substantially accelerate your certification process.
Organizations that work with Cloudticity accelerate the HITRUST process by 40–60%, reducing the time, money, and overall resource investment required. Learn more here.
Find a list of certified partners here.
Start Your Search
Choosing a HITRUST assessor is an important step toward getting your certification. The right assessor firm will help you navigate the process and minimize disruption, while the wrong one could make the process feel long, confusing, and difficult.
At Cloudticity, we recommend assessor firm BEYOND HC LLC because they meet key criteria and have deep understanding of cloud environments.
If you want to learn more about how you can work with Cloudticity and BEYOND HC LLC to make your HITRUST journey faster, easier, and cheaper, download this solution brief or schedule a free consultation today.
