Engaging with an external assessor is a critical part of the process to get ready for your HITRUST assessment. In fact, the earlier you start to engage with the assessor firm, the better. Since you’ll be working with them closely for a long time, you want to ensure that they have the right qualifications and experience to help you be successful.
What is a HITRUST Assessor?
A HITRUST assessor is a professional who is trained and qualified to perform HITRUST assessments on behalf of organizations seeking HITRUST certification. HITRUST assessors are third-party firms that have been approved by HITRUST to perform assessments against the HITRUST Common Security Framework, the CSF, and provide guidance to organizations.
How to Choose a HITRUST Assessor?
Choosing the right HITRUST assessor will allow you to simplify the process as much as possible, overcome roadblocks, and even save money. You should choose a partner that knows your industry and has a proven track record of success.
When choosing a HITRUST assessor, look for these seven things.
1. Qualifications and Experience
Does their healthcare practice make up a significant portion of their business?
How well versed are they in cybersecurity? Depending on the size of the firm, a high-quality assessor should have at least one senior leader who has managed security at an executive level within a larger organization.
Do they specialize in auditing? Your assessor firm should include at least one individual with extensive hands-on experience auditing risk management and regulatory compliance in a medium-sized to large enterprise.
2. Confirm how involved they are with HITRUST
Do any of their executives sit on HITRUST councils or working groups? While many firms offer HITRUST services, some don’t submit Validated Assessments to HITRUST very often, and may be unaware of important changes to the framework and certification process.
3. Track Record
When evaluating candidates, ask about the firm’s success rate. Does everyone who engages with this firm complete the process? Or do some fall off? Don’t be afraid to set the bar high. Ask how many HITRUST assessments they’ve successfully completed.
4. Software Solutions
Your assessor should use automated software solutions – not Excel spreadsheets – to manage the audit process and give you a clear line of sight into what is needed and why. Ideally, the software would also set you up for easier completion of additional compliance audits in the future.
5. Per Control Pricing
Do they have a flat rate, or do they price based on the number of controls in your assessment? In many cases, you can save money by working with an assessor that charges per control, especially if your assessment only has a few hundred controls.
6. Customer service
Ask how they engage with customers. Do they have a 24-hour response service level agreement? What happens if your assessor goes on vacation, and what is the contingency for that? What do their customers say? Ask for references. An assessor firm with happy customers will be pleased to arrange a conversation.
7. Cloud Provider Partners
Choose an assessor that works closely with cloud provider partners that offer HITRUST inheritance.
The major cloud service providers, such as Amazon, Microsoft and Google, as well as several of their partners, have been certified by the HITRUST Alliance to provide HITRUST inheritance programs that significantly accelerate the process. Find a list of certified partners here.
Organizations that work with Cloudticity accelerate the HITRUST process by 40-60%, reducing the time, money and overall resource investment required. You can learn more here.
Choosing a HITRUST assessor is an important step toward getting your certification. The right assessor firm will help you navigate the process and minimize disruption, while the wrong one will make the process feel long, confusing, and difficult.
At Cloudticity, we recommend assessor firm BEYOND LLC because they meet all these requirements and have a deep understanding of cloud environments.
If you want to learn more about how you can work with Cloudticity and A-LIGN to make your HITRUST journey faster, easier, and cheaper, download the solution brief or schedule a free consultation today.