Learning Center Home > HIPAA > HITRUST 101

HITRUST 101
HIPAA

HITRUST Assessment Basics



HITRUST aims to save organizations time and money when it comes to compliance assessments, since many of the HITRUST CSF controls overlap a number of regulatory requirements. The idea is to consolidate efforts and reduce the need for multiple reports, i.e., “assess once, report many.”

Watch this webinar as Trevor Hansen, Principal Security Analyst (QSA, CISSP, CISA, CCSFP) discusses:

  • The basics of HITRUST compliance
  • Why you should get HITRUST certified
  • How to get HITRUST certified


This webinar was hosted on November 6th, 2019.

Get Started with HITRUST

Learn More

Webinar Transcript

Introduction

0:00 Welcome to our webinar today. This is HITRUST 101. My name is Andrew and I work in marketing and our presenter. Today is Trevor Hansen and he holds the credentials of QSA, CISSP, CISA, and CCSFP. 

0:18 We're looking forward to hearing from him today. He is a Principal Security Analyst here at SecurityMetrics, and he has many years of experience working with organizations helping them to meet different compliance regulations, and now as assertive as a Certified common security framework practitioner, he is able to help organizations become HITRUST Certified as well. 

So with that let's go ahead and dive in here. 

1:11 Before I pass it off to Trevor, let's go through our agenda here. First, we'll be touching on an introduction to HITRUST will also talk about why you should get HITRUST Certified and finally, we'll talk about how to get HITRUST Certified. 


HITRUST Basics

1:26 So first what is HITRUST, I'll just do a brief intro here. HITRUST was founded in 2007 to support Healthcare organizations and all sectors reach information risk management and compliance objectives. In fact, according to HITRUST, 81% of hospitals and health systems and 83% of Health plans utilize the HITRUST CSF. Since its founding HITRUST has branched out and now are expanding to be industry agnostic. 


The Goal of HITRUST

2:03 Let's talk about HITRUST’s goal for a minute. So the ultimate goal of HITRUST Certification is for businesses to effectively manage data information risk and compliance.  HITRUST was created to provide an option for the healthcare sector to address information risk management using a matrix of third-party assessments. The idea is to consolidate efforts and reduce the need for multiple reports. For example, the phrase that we hear quite often regarding HITRUST is “Assess Once, Report Many.” 

2:41 The HITRUST approach along with HITRUST Certification gives vendors and covered entities a way to demonstrate compliance to HIPAA requirements and other authoritative sources based on a standardized framework. 

2:56 What does HITRUST cover? Well, you can see many of these security mandates HIPAA, PCI DSS, NIST, ISO 2700-1, and many other standards as well. HITRUST does touch on a lot of these common compliance mandates. 

3:17 So with that I'm going to go ahead and pass the mic off to Trevor and Trevor's going to talk about the differences between HITRUST and some of these mandates such as HIPAA and PCI. 

Have a HIPAA Deadline?

Request a Quote

HITRUST vs. HIPAA

So what's the difference between HITRUST and HIPAA? 

3:37 While HIPAA is a law created by lawyers and lawmakers, it’s to mandate the protection and privacy of health information. HITRUST is a framework (that was created by security industry experts, not just the lawyers) that includes aspects of HIPAA and other security standards and frameworks that are put together in one place. 

3:58 The HITRUST CSF gives organizations a way to show evidence of compliance with HIPAA mandated security controls providing organizations with Security and Privacy controls. HITRUST takes the requirements of HIPAA and builds on them incorporating them into a framework based on security and risk. 

4:19 According to the HHS, "The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form . . . This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information." You’re going to hear some of those words pop up again in a minute. 

4:59 So continuing with HITRUST versus HIPAA. HITRUST can help provide measurable criteria objectives for applying those appropriate administrative, technical and physical safeguards. So where the HIPAA rule is really broad and says, you've got to administrate  appropriate administrative, technical, and physical safeguards. HITRUST is going to help spell that out and give you more of a prescriptive response and what's appropriate and what can be used in those things. It's a better implementation of best practices. Where HIPAA is just an overall rule that says follow best practices. 

HITRUST does not replace it but a compliance and it doesn't prove that an entity is HIPAA compliant, but it's widely accepted as a good approach for evaluating risk and helping organizations understand how compliant they are. 

5:54 If you're HITRUST Certified does it mean that you're HIPAA compliant? No, but HITRUST is widely accepted as a good approach for evaluating risk. As noted above, it doesn't replace HIPAA compliance, and it doesn't prove that the entity is HIPAA compliant, but it can help provide assurance. It can help provide risk management for people. 


HITRUST vs. PCI DSS

6:18 HITRUST versus PCI DSS. Many of you attending this webinar are familiar with SecurityMetrics PCI DSS related services: we do Assessments; we do vulnerability scans, and other things like that. 

While HITRUST also incorporates the standards from the PCI DSS, it doesn't mean that being HITRUST Certified will mean that you are PCI compliant and it doesn't mean you can fly on with PCI DSS, but you'll be well on your way down the path. The work that you do through a HITRUST Certification process, if you're including PCI in it, it'll help you prepare for a PCI Assessment. And if you use a PCI assessor to do your HITRUST Assessment, there's a lot of things that they won't have to look at twice. They'll be able to look at it in that first Assessment. 

Have an Upcoming PCI Audit Deadline?

Request a Quote Here

HITRUST vs. ISO

7:12 HITRUST versus ISO. HITRUST was originally structured on ISO/IEC 27001:2005 and 27002: 2005, as well as NIST SP 800-53 R2 controls. Again, gaining HITRUST CSF Certification doesn't necessarily mean the organization satisfies all aspects of these other security frameworks, but it does put you in a good place to get the combined risk management of these various strategies and helps to better evaluate your organization’s capabilities HITRUST focuses on risk and security, not just compliance. 

So you're not just there to check a box, you're not there to make sure that you're getting things done according to the rules, you're protecting your data. And that's the focus of certifying with HITRUST. It provides a clear message to your audience and to your customers (and whomever you're sharing that Certification with) that you're serious about security. 


HITRUST Certification Basics

What is HITRUST CSF Certification?

8:10 Organizations that create, access, store, or exchange sensitive information can use the HITRUST CSF Assessment as a roadmap to data security and compliance. So again, this emphasizes securing sensitive information (not just healthcare information). HITRUST can be used for other things as well. 

8:37 You'll see that a lot of wording and HITRUST is definitely healthcare-centric, but it can be applied to sensitive data, the CSF is a certifiable (by security assessors) standard and was designed as a risk-based approach to organizational security–as opposed to a compliance based approach. The HITRUST CSF Assurance program combines aspects from common security frameworks like ISO, NIST, PCI DSS, and HIPAA, along with other frameworks.

Amongst the CSF’s 19 reporting domains are 149 control specifications, which can each be assessed to one of three implementation levels in HITRUST. 

9:22 You're not just getting assessed. You're not just being evaluated on whether or not you're meeting a requirement or receiving a green on each of those requirements. So they evaluate you based on these three implementation levels, and there's a lot of factors that go into which implementation levels you're targeting. That's not going to be part of this discussion, but just understand that when you get a HITRUST Assessment you're looking for a passing grade. It's not that everything needs to be passed or failed, you're looking for a certain score. 

Get Started with HITRUST

Learn More

Why Get HITRUST Certified?

9:57 So why would anybody care about getting HITRUST Certified if it doesn't provide you with HIPAA compliance certification, as well as not offering you a PCI Certification. Why does anybody care about it? It helps show your commitment to seriously follow security compliance standards. It shows your commitment to follow HIPAA compliance. 

When HIPAA asks you to implement appropriate safeguards, HITRUST is going to help demonstrate that you're doing. Many Healthcare organizations that are handling healthcare and privacy information require that all their business associates (all those service providers that they use) in PCI terms) to show that they are HIPAA compliant; they’re going to want some level of assurance that you're being HIPAA compliant. 

10:58 So being HITRUST Certified is a good way to help demonstrate that you’re doing this  because certifying with HITRUST provides a clear message that you're serious about security about protecting sensitive data. 

11:12 As we previously mentioned, HITRUST also helps you to better save time and money when it comes to audits. If you have a qualified assessor from the different regulations, you can get there in one meeting and one assessment. The idea is to consolidate efforts to reduce the need for multiple assessments and multiple reports. Again that term “Assess Once and Report Many.” 

HITRUST provides you with a good place to get the combined risk management of these various strategies and help to better evaluate. Your organization's capabilities helps you put it all together in one place for those organizations that have a dedicated security team are dedicated compliance team. This could be a really good thing for you because it helps consolidate your efforts and helps helps put it together in one place. 

12:04 You don't have to say “well we need a new server for HIPAA compliance, but we need this for PCI compliance; we need this for something else.” If you're validating against HITRUST you can see you can just put it all behind HITRUST and say that you know, this budget is there to help you become HITRUST Certified. 


Who Should Get HITRUST Certified

12:23 HITRUST has become more widely used and adapted as a regulatory standard since it incorporates and helps consolidate many different security and compliance regulations. It's becoming used across multiple Industries. It's intended to be used to protect sensitive data. It’s not just PHI, but really covers the security of any sensitive data and how you measure up to various standards in place. 

12:51 In the context of protecting your sensitive data, HITRUST Certification provides an immense value. 


How to Get HITRUST Certification

13:04 The HITRUST approach provides organizations and comprehensive information risk management and compliance program. This blend is security and compliance mandates provides an integrated approach that ensures all programs are aligned, maintained, and comprehensively support an organization’s information risk management and compliance objectives so that you’ll be able to get the actual HITRUST Certification. 

13:33 Do you need an independent Assessment or a third-party assessor to get HITRUST Certified? The only ones that can do this are HITRUST CSF Assessors. So you'll see a Certification next to someone's name like a CCSFP at an organization that is authorized to HITRUST Assessments. They have had to go through HITRUST training and HITRUST Certification process to be allowed to do these assessments, and they have to have a HITRUST Certified QA program in place in order to be able to meet all those requirements. 

14:03 So you can't just have any security company come in and do a HITRUST Assessment. The length of the assessment depends on the size, complexity of your organization, the scope of your organization, and the amount of consulting that you require from the company to help prepare you for the HITRUST Assessment. The HITRUST Certification Process can take an additional six weeks after the Assessment is complete in order to receive the Certification itself. So be aware that it's going to take some time. 


1. Understand Your HITRUST Scope

14:33 We'll talk a little more about that when you're going to begin HITRUST Assessment. There are certain things that you should prioritize above others in. The first thing that you should do is you need to understand the scope you need to I mean, you're probably familiar with doing this with PCI and what stock assessments and other things, but you're going to need to identify your scope in order to understand what you're trying to protect and that will help you get an understanding of how you're protecting it.

15:30 Part of the scoping activity that you do–just like you did for PCI–is going to involve creating documenting and reviewing how data or sensitive data enters your network. You're going to be concerned about the systems that data touches as it flows through your network in any point at which it might leave your network. For example, you're going to want to create network and data flow diagrams so you can map out that entire process. These are immensely helpful for you and for your assessor when it comes time for an assessment. 

15:45 So after you understand everywhere the data goes and after you understand all the systems it touches, and how it how it interacts with each other, determine which type of HITRUST Assessment that you're going to prepare for. You can either do a HITRUST Self-Assessment, which really means your self validating, and you're just going to be testing that you're following HITRUST or you can get a validated assessment. 

16:11 So this third party assessment would be your goal if you wanted to get a HITRUST Certification. 

The self-Assessment allows organizations to self-assess using the standard methodology requirements and tools provided under the CSF Assurance program. HITRUST will then perform a limited validation on the results of the assessment. So HITRUST will grade your work, but it's a limited validation of those results, and they'll provide a limited level of assurance to the requested entity. 

16:45 The other side of that is if you do a validated Assessment is conducted by a HITRUST CSS external assessor. The CSF Assurance methodology is used in the controls that are scored accordingly to the Assessments, meeting or exceeding the current CSF Assurance scoring requirements for Certification will be indicated as CSF Certified on the reports. And that's the end goal. That's what you should be striving to if you want to be able to show to other people that a third-party validated your HITRUST compliance. 

Get Started with HITRUST

Learn More

2. MyCSF Portal Subscription

17:24 So to begin a HITRUST Assessment you are going to want to contact HITRUST. As part of scoping your environment after you identified where your data goes and when you're ready to actually scope your HITRUST risk compliance itself, you're going to want to purchase access to the MyCSF Portal from HITRUST. It can be done by contacting HITRUST. 

There's a scoping exercise that you'll need to complete through their portal. It's going to ask you questions about your organization size, the number of applications that you’re using for the sensitive data, the number of transactions that occur with this sensitive data, etc. Answering these questions is extremely important because It's going to directly affect which required statements in HITRUST that will apply to you, so you can be doing a whole lot of work. But if you answer this correctly, it might get you out of some of the things you need to follow. 

18:23 But if you answer incorrectly saying that you don't do certain things and you later realize that you do, you're going to have to go back and revisit this scoping exercise, and it might expand your assessment out and make it longer because anytime you change your answers, it actually affects how many of those required statements and how many of those things you're required to follow. 


3. Gap Assessment

18:49 We highly recommend doing a Gap Assessment. You've probably done this, such as the first time you ever did a third-party PCI Assessment. You probably went through part of a Gap Assessment. You've probably seen some other things for HITRUST. You're definitely going to want to do a Gap Assessment because HITRUST Assessments, unlike some of the other mandates, they don't allow for remediation, at least not in the way that you are used to. Once an Assessor assigns a score to one of your requirements, that scores going to stick with it into the report.

They allow for certain things to be fixed. But your reports are going to show that those things were failing, and you have a corrective action plan assigned to them. I mean the scoring is kind of complicated. So the reality is: just don't count on being able to remediate everything that you don't currently have in place. Your goal is to get everything in place that you can ,and you want to get a certain passing score. So you should correct everything you can. 

19:48 Part of the Assessment in order to help you get that passing score. So before your Assessment begins with the third-party assessor, you can engage with them and do some consulting and things. But before they actually come on site and do the Assessment, you're going to want to remediate any gaps that you discover: risks through your Gap Assessment or with help from a third party. Remember that requires time and resources to address these issues. 


4. Remediation

20:15 So for example some issues that might take some more time to properly implement data encryption. If you realize that you haven't been encrypting your sensitive data, that's an issue. That's not going to go away on its own. It's going to take some time to resolve and it's going to be a high risk. 

Some other issues can be solved pretty quickly. Like if you realize that a couple of your machines didn't have anti-virus, or your anti-virus wasn't working properly. It's pretty easy install anti-virus, or file Integrity monitoring a small shop can immediately reduce risk by doing things like fortifying firewall rules. 

So some items take a lot longer to remediate than others and keep that in mind. 

Also keep in mind that all implemented policies and procedures everything that you're doing for HITRUST, you're trying to assess. This is extremely important since everything that you do has to be in place 90 days prior to the Assessment. 

21:16 Before the assessor tests those things, that's one of the HITRUST requirements: policies and procedures need to be in place for 90 days in order to be considered in place. So you can't just fix something and send it to the assessor right away and they look at it and can say it’s fine. You have to demonstrate that you've been doing it for 90 days. 

21:35 And that's one of the ways third party consultants help ensure that the requirements implemented as intended and it's permeated throughout the entire organization. 

21:46 So plan sometime into the remediation process prior to the Assessment. 


5. Validated HITRUST CSF Assessment

21:54 A validated HITRUST Assessment process using a CSF assessor usually takes anywhere from four to ten weeks. 

We assess entity. So you would upload your evidence to the portal; you assign a score to it based on your own evaluation of your compliance; and then you submit to the assessor for review; the assessors going to review your evidence; then they’re either going to accept or reject the score you assigned to yourself. 

22:23 So you have to say if you have something managed or documented, or if you have a policy on it. 

22:32 You have it implemented and it's managed, the assessor might review your evidence and say that that's not actually accurate, and they’re going to review the evidence. They’re either going to accept or reject it, and then due to the sheer number of required statements that apply to most entities so that the number of validation points you're going to be submitting. You've got to expect it to take some time to work through the Assessment for you to submit those things to the assessor, then for them to review them, for them to accept or reject.

HITRUST will also perform QA on the submission. 

23:11 After the external assessor reviews your things and when they finally have their score on those items, they’re going to be able to submit it to HITRUST, then HITRUST is going to perform QA. 

23:26 On that note, in MyCSF portal you’ll find the scores to meet the minimum amount necessary to meet HITRUST requirements. 

Then the organization will become CSF Certified. Otherwise, they'll just call it a validated Assessment, and you're not Certified. 


6. Interim Assessment

23:44 Another thing to be aware of is when you get a HITRUST Certification, it's valid for two years. That doesn't mean you're just done, and you don't have to maintain compliance. You do need to maintain your compliance through those two years, and they do have you do an interim Assessment at the one-year mark. 

24:03 The Interim Assessment is going to be a kind of mini Assessment. If I remember right, HITRUST actually selects specific requirements that are going to want to assess and follow up on and so they're going to tell them which requirements to assess you against and they'll evaluate those things and usually it has a lot to do with which items weren't having a fully passing score on the previous Assessments. 

24:31 There's going to be a lot of focus on verifying that you followed through with your corrective action plans and things like that. An interim Assessment occurs at the one-year mark and the full Certification Assessment because happens every two years, and both of those require a third-party assessor if you want to be Certified.

Get Started with HITRUST

Learn More

HITRUST Takeaways

Alright, so the takeaways from our HITRUST 101 discussion. 

25:00 So the intention of HITRUST is to consolidate multiple Frameworks, and throw them all in one place that helps you be able to assess once and report to many people, many customers. One of the most important things that you can do before you get an Assessment is as soon as you decide that you need to be HITRUST Certified or that you want to be, you need to determine your scope. You need to evaluate what things you're trying to assess. You need to evaluate how data flows through them, so you can understand what other collateral systems are involved in that scope. It’s highly recommended that you conduct a Gap Assessment. If you don't do a Gap Assessment, you might not be Certified in the first time. If you're really familiar with HITRUST and you've spent a lot of time in it and other security standards, you can conduct a Gap Assessment by yourself. 

25:56 But if you use a HITRUST External Assessor ,you're going to be more effective with your Gap Assessment, and they should be able to help you understand what it takes to get to a passing State before the Assessment. 

26:08 As you do all these things, make sure to plan time for remediation, especially if you're just hoping that you accidentally became HITRUST compliant and Certified. Plan a lot of time for remediation because you're not going to be accidentally compliant to HITRUST or HIPAA or PCI. It takes a lot of effort to do these things. So plan time for mediation. 

26:35 And that's it for the presentation.


Question and Answer

Question #1 (Does a HITRUST Assessment certify HIPAA compliance?)

26:56 We've had some really good questions come in. So we'll get to as many of these as we can the first question that came in: If I get a HITRUST audit, then I don't need to do a HIPAA audit? Also, you mentioned that HITRUST does not imply that we are HIPAA compliant. What does it take to certify our HIPAA compliance? 

27:26 Okay, great. So if I get a HITRUST audit, do I need the HIPAA audit and if HITRUST can certify for HIPAA? The HHS has been pretty forward about this, at least with assessing companies. They say that third-party organizations don't certify HIPAA compliance. 

27:51 We're specifically not allowed to use the word that you're Certified for HIPAA compliance. The only people that can do that is the government. It's the HHS. So if you're getting a HIPAA audit according to their terms and being Certified for compliance, it's because you're in trouble. For example, you've had a breach or a complaint, and they're looking at you to evaluate whether or not you’re compliant, so they can determine what fines to assess. 

So through assessment you can get assurance, which is an industry term that we at SecurityMetrics like to use for HIPAA, but we can help assure other entities that you’re HIPAA compliant so we can evaluate things and we can put out our statements based on our evidence. We can put our opinion on your compliance, and we can represent it to other people. You can do that through a HIPAA Assessment from SecurityMetrics or another company. What it is that they're providing is assurance. They're helping other organizations understand if you're compliant or not. 

If you want an official Certification, that only comes from the government and it only comes after you've been trouble for something and if they can prove that you're not at fault, so that's why HITRUST doesn't mean HIPAA-compliant. It doesn't mean HIPAA Certification, but it does do a pretty good job of including most of the HIPAA requirements and throwing them all together. So it really depends on the audience that you have. 

29:19 If you're to the point where you're asking if you should get a HITRUST audit or if you need to get a HIPAA audit, it all depends on who's asking you for this information. 

If you're a business associate for other entities and they want to know where you stand with HIPAA compliance, often you ask them what they'll accept or ask if HITRUST is good for them. Or if HITRUST if provide them what they need. Or do they want you to get somebody to look at just HIPAA. 

Most of the time they're going to be happy to hear that you're willing to get a HITRUST Assessment because that'll help meet their needs because you're really just trying to assure them that you're going to protect your data while you have it. I hope that answers the questions for you guys. 

Have a HIPAA Deadline?

Request a Quote

Question #2 (Can HITRUST apply to a specific department or process or does it need to be applied organization-wide?)

30:04 Okay, the next question: so my business develops software for healthcare where we handle PHI and also other Industries where we do not handle PHI. Can HITRUST apply to a specific department or process within an organization or doesn't need to be organization-wide? 

30:26 All right. That's a very tough question actually because HITRUST does allow you to identify which kinds of flows that you're going to evaluate so you can report to somebody else and say that we are looking at this specific application, how it handles data, and you can talk about whether that application is HITRUST Certified or not. 

30:49 The problem is that where a lot of people will have confusion is if those systems interact with other systems, if there's any chance of them being in the same environment with the systems being assessed, then you can't just carve it out and do an assessment against it because there's too many things that impact each other. 

31:08 For example, if you have multiple Amazon virtual private clouds and you have this application under one cloud and you have everything else under other networks. Then you could say that we're going to just assess this application. But if there's any chance (even if it's in the same network and their segmented from each other, if they're in the same environment, the same physical location), you're going to have a really hard time carving it out and doing just a HITRUST Assessment against those things. It really needs to be air gapped and completely organizationally independent 


Question #3 (How far does the scope for HITRUST Certification Cover?)

31: 40 Okay, next question: Does the scope of the Certification cover a specific time frame like the scope of a SOC type 2 looks at the past six or 12 months? So for HITRUST, does it cover specific timeframe? 

I mean you are looking at the last 12 months of things. But the most important time frame involved in that is those last 90 days. There are certain things that you're going to be doing throughout the year. And so you are going to validate against those things. But like I said, it needs to be able to show that everything was in place for the last 90 days at least. 


Question #4 (Is there a roadmap for HITRUST?)

32:34 Alright and then another good question here: Is there a road map you recommend to HITRUST, such as getting any preliminary standards in place prior to going for HITRUST?

That's a great question. I would say, you know, when you're filling out the scoping requirements or when you're filling out the scoping exercise on the MyCSF portal. It's going to ask you some questions about which regulatory compliances and other factors you want to include in your Assessment. 

So let's say you do business in California. There are certain laws that affect privacy and healthcare in California specifically or Rhode Island or New York. There are check boxes that you can check on those things to say which ones you want included in your Assessment. So if you're preparing for an Assessment that has those California laws and HIPAA and PCI, then the best thing you can do is make yourself very familiar with those laws in those compliance regulations. 

33:34 Read over the mandates understand what they mean because what HITRUST is going to do is it's going to take those and then put them together, and it's going to give you in most cases the more strict requirements. For example, if PCI asks for seven character password or greater and one of the other regulations that you're trying to follow asks for a 10 character long password, then HITRUST is going to ask you to have a 10 character password. 

34:00 So read over the mandates to be familiar with them and at that point, that's when I would start engaging somebody to help do a Gap Assessment because they're going to look at it and they're going to help interpret those things for you and then tell you which ones to work on and how to get it done. 


Question #5 (Cost of HITRUST Assessments)

Okay, and then this question that came in it's more of asking for a review on costs. 

So external costs comprise number one access to MyCSF. Number two paying SecurityMetrics for a Gap Assessment number three paying SecurityMetrics for Certification. Is that correct? Maybe you could just review the external costs. 

I think we're missing one. So you said it covers access to MyCSF? Yes, that's correct. You have to pay for that you're going to have to pay some of the money for the Assessment goes to HITRUST itself and I might be able to pull up some some estimates for that. And then you're yes, correct. You're going to be looking at paying a third party company for the Gap and for the Assessment itself as well giving just a moment. 

35:22 Somebody told me this morning that on average the Self Assessment reports from HITRUST. You're going to pay around $2,500 from Self Assessment report. Validated Assessments will typically range from 3,700 to $12,000. And then whatever you're paying the assessor company. Keep in mind, it's quite a bit of work for these Assessments. 

35:49 Or a larger organization these Assessments can run into you know, a hundred thousand dollars or more. So it's going to be probably more expensive than what you're used to for PCI because there's significantly more requirements you are going to be following. So yes, you're correct. Those are the costs. You need to be aware of, but keep in mind that there's also the cost you are paying HITRUST for the portion of the Assessment ,and you're paying the assessor company for a portion of the Assessment. 

Trevor, on that note, do you have an estimate for the cost for a gap Assessment for a business associate? 

36:28 It's that's entirely going to be dependent on your scope and how many systems you have the same things that help affect the scope of HITRUST Assessment itself. So if you have multiple applications, your scope is going to go up or your cost for a gap Assessments going to go quite a bit. If you have one thing that you do, let's say you provide billing for doctors. So you do that one thing and there's only one data flow that you follow, then the Gap Assessments can be relatively simple and small. But you could talk with our sales department about that and then give you just a rough estimate or a more accurate estimate of what that would cost. 


Question #6 (Do risk assessments provide a gap analysis?)

Okay, let's wrap up here with one final question: Should all risk assessments provide a gap report or a Gap Analysis?

That's a good question. I think what you're meaning is maybe should all risk assessments have a gap report, should you do a gap analysis before the risk assessment. Not in all cases. But basically a risk assessment is going to help determine what possibly could go wrong and what you're doing to address that. A gap analysis is to identify failures to meet certain requirements. So the Gap Analysis is going to help you're looking at where you should be and Gap analysis is telling you where you need to how far you need to go to get their 

A risk assessment is going to be identifying what could go wrong, what are the risks, and how it's going to impact you. According to the NIST risk assessment, you're going to be determining what kind of things you can do, whether you're going to defer the risk or if you're going to mitigate the risk somehow, or if you're going to just accept the risk as it is. I see those as two different things. 

But if I was if I were going to do a risk assessment, I would probably have a gap analysis done if I felt like we're missing a lot of things because the Gap Analysis will help you get some time to do remediation first. 


Conclusion

38:50 Thank you so much Trevor for joining us today. And thank you to all of you for joining us on the webinar. We've had a lot of great questions come in. If you have additional questions that come up feel free to shoot us an email events@securitymetrics.com. You can reach us there, and we'll be happy to answer any additional questions you may have just a reminder will be sending out a copy of the recording of this presentation. So stay tuned for that in the next couple of days. 

39:19 Thanks everyone for joining us today, and we look forward to seeing you at another webinar again in the future. Thanks. 


Get Started with HITRUST

Learn More


We are excited to work with you.

*Required

Thank you!

Your request has been submitted.