We sat down with Gila Pyke, Director of Professional Services, Client Success, and Implementation at Ostendio, one of our 4 CSF HITRUST Readiness experts for a behind-the-scenes look at what’s involved in preparing for and passing a complex audit like HITRUST.
Tell us about your background and your role at Ostendio.
I have been working in healthcare, security, and compliance for about 25 years. I am always happiest on projects when those three industries come together and that is HITRUST. The data in healthcare is so critical that it is important to protect it because it could save lives. HITRUST provides a framework and a prescriptive and measurable way for organizations to manage risk to their data. Overall, I’ve completed around 100 HITRUST assessments since I became a HITRUST assessor 3 years ago, and I have performed thousands of compliance tests across healthcare, security, and privacy frameworks since I got my first taste of how impactful compliance can be back in 2005.
In your role at Ostendio, how do you help clients prepare for a HITRUST audit?
For a client who is starting to prepare for a HITRUST assessment, the first thing we need to do is talk to them about the scope of the audit. This element is critical to avoid expensive last-minute re-work. Through Ostendio Auditor Connect, we introduce them to an auditor we trust so they can confirm the scope and begin understanding how the auditor wants to support their readiness and testing. We would then dive deeper with the client about each of the requirements and controls that are included in their scope, and we would complete a gap assessment to see how close they are to meeting each control and what is left to implement or refine. It is important to understand from the beginning how much work is required across the 19 domains in order to achieve a passing score.
Does the length of time spent on gap assessment depend on the scope selected?
Yes. HITRUST r2 assessments range from around 300 to 3,000 controls, although generally, the largest assessments we’ve seen are typically around 800 controls. For typical first-time assessments, we would suggest clients stay within 300-500 controls to make it more manageable.
What work is required to support each control during an assessment?
For every control requirement, clients need policy coverage, a procedure that explains how the organization has decided to proceed to meet the control, and evidence showing that the control has been implemented as per the procedure and working smoothly. So it can take 12-18 months to prepare for a HITRUST Assessment. By starting with a gap analysis, clients can prioritize where the most work is needed. Each control must operate effectively for a minimum of 90 days before it can be audited. The auditor will then have 90 days to ensure it is working as intended. Both 90-day periods together add an additional 6 months before certification can be achieved.
How prepared for HITRUST is a typical company?
Often, they are less prepared than they realize. Those starting out are usually surprised by how detailed this process is and how much work must be done to meet every control. Some organizations have thought about it, and know it is hard, but find it hard to get moving.
Ostendio has worked with 3 kinds of organizations: the ones that are brand new to HITRUST and have been handed an urgent mandate from one of their customers that is overwhelming, the organizations that have been working towards HITRUST for a while but are struggling to get their t’s crossed and i’s dotted enough to get across the finish line and just need some help organizing and closing all their gaps, and the ones that have done it many times before but want their priority resources to be able to focus on overcoming new challenges rather than using all of their effort to pass the same audit year after year. Ostendio helps clients get back on track, collecting evidence in a way that is baked into their day-to-day operations, making it easier to prepare for their first audit, and making it less resource heavy to continue to operate in a state of preparedness for subsequent audits. We also guarantee that our clients using our platform together with our Professional Services pass an audit the first time. This peace of mind is a considerable benefit to many clients when you consider the investment they are making in the audit process.
What is the biggest challenge most companies face when preparing for an audit?
I would say there are two main challenges that most companies face:
The first challenge is always time. Finding the time to do the work in between customer and day job obligations is a major challenge. That is why many of our clients choose to work with our Professional Services team to keep their audit preparation on track. Having an expert to support your internal team can help focus your team’s efforts on making the important decisions and deploying the controls while we guide you to the gaps and do the polishing and presentation.
The second challenge is getting senior stakeholder engagement and support. Clients need to make sure they have boardroom-level support to deploy and implement all the controls. Occasionally, compliance teams get pushback from internal teams who might feel that they are being slowed down by the need for documentation of everything they do. But an engaged leadership team who understands the benefits of completing an assessment can support the process required and drive HITRUST success.
What advice would you give a client who is considering a HITRUST certification?
First of all - it’s worth it! Secondly, my advice is to make sure you give yourself enough time to complete the process properly. You need to be extremely detail-oriented and go control by control. If you take the time to do the planning and writing as needed you will be well prepared for your HITRUST assessment.
How long will HITRUST take and how much will it cost my organization?
It takes a HITRUST expert 250-500 hours from start to finish just to do writing and evidence collection, not counting the implementation of firewalls, SIEM, MDM, AV, deploying tools and processes, etc. So, if you are doing it on your own, you really need to plan for at least one full-time leader for a year to be dedicated to the project. Your budget also needs to include the HITRUST MyCSF subscription. You should be wary of organizations that offer to “automate” your audit. While in theory, it is possible to automate some of the recurring tasks, a HITRUST audit is more complex and really needs the human element in order for you to prepare properly and pass the first time.
What happens if clients don’t pass a HITRUST assessment the first time?
Following the audit, you are provided with a detailed report about how each category was scored. It will show any gaps and corrective actions you have. If you pass the 19 domains you will get a HITRUST certification letter included in the report. If you do not pass the 19 domains you will still have the report, but in order to get HITRUST certified you will have to go back and fix the outstanding items. This involves not only fixing those issues but completing a full HITRUST audit for a second time. Obviously, Ostendio works closely with its clients to ensure they are fully prepared for their audit so they don’t have to repeat it.
If scores are low, how long before you can reassess?
Ninety days would be the minimum. If you are implementing new controls those have to run for at least ninety days before they can be audited. However, a full audit will be required, not just the elements that didn’t pass. The full costs of an audit, including a HITRUST fee and the auditor costs, would be charged again. From both a time and financial point of view, it makes sense to prepare thoroughly for a HITRUST audit so you pass the first time.
No one wants to fail an audit. Ostendio recently introduced an Audit Guarantee because we understand the investment that organizations are making when they prepare for HITRUST, or any other assessment. The Ostendio Audit Guarantee means that if a client has worked with Ostendio and an independent Auditor Connect partner, we guarantee the client will pass the first time.
How does HITRUST scoring work?
HITRUST scoring is something that I cover with new clients and it is more complicated than you might expect. It helps to talk to a CSF practitioner or auditor to understand how it works. The scoring is rigorous and complex but the benefit is that it provides a clear rubric for organizations, auditors, as well as HITRUST to have clear expectations and discussion of how controls are evaluated.
Why is the Ostendio platform beneficial for HITRUST audits?
Without a platform like Ostendio, you are doing all your work out of a document share and a spreadsheet. In the past, I can’t count how many times we’ve lost hours and weeks of work on an assessment or readiness project because someone on the team deleted a lot of data while in a hurry right before a huge deadline. Now, however, by using a platform like Ostendio, there is an easy way to organize your work and see your progress as you move through the controls. The dashboards display your progress and make it easy to share with other key stakeholders, while the other modules help you build out your administrative and change management routines.
Can the Ostendio platform save time with a HITRUST assessment?
Yes, that’s a major benefit of using the Ostendio platform. Having a platform that’s robust, with advanced features like Ostendio, saves a ton of time for the client and the auditor. For example, the platform streamlines some of the routine tasks like sending documents for approvals to multiple people and then tracking when they have been read and approved. The Ostendio platform also prompts users to do reviews that are required and acts as a repository for collecting evidence. The auditor will be able to view the work you have done inside the platform so there is no need to share spreadsheets or use a drop box to share documents. The auditor can also message you within the platform if there is an issue that requires attention. These features are a big time saver year after year.
What’s the next step if I’m interested in HITRUST?
There’s a lot to ask and understand when you are starting your HITRUST journey. Ostendio experts are available to answer your questions and help you understand what’s involved in preparing for a HITRUST assessment. Do you have more questions? Set up a time with an Ostendio expert who can offer guidance to help your organization reach HITRUST certification.