Preparing for HITRUST is no easy task. There are hundreds of man-hours required, evidence to collect and submit, and external assessors to vet.
HITRUST is daunting, but it’s doable. With the right team and support, the HITRUST process can be a smooth-sailing, successful experience for all involved.
Below are five tips that will help you prepare for HITRUST certification.
1. Educate and communicate.
When seeking a HITRUST certification, everyone should be made aware, and we mean everyone: employees, stakeholders, assessors and HITRUST. You’ll definitely need buy-in from executives, but everyone should understand their role in the process.
Even employees who don’t have a direct impact on or relationship with a HITRUST audit should understand that the company is revamping and improving its security programs. It will likely affect them at some point as the organization improves its policies and procedures, directly changing how people perform their jobs.
2. Budget time and resources among your team.
In the previous section we reviewed the indirect HITRUST costs. Be sure to allocate time to your team, especially your IT team. They will be taking on the majority of the HITRUST workload. Your security, operations and IT departments will be the ones doing the heavy lifting, so include them from the outset and budget the necessary time and resources for them. Many auditors recommend working with experienced HITRUST consultants as well as hiring at least one full-time person to support the HITRUST assessment.
3. Have your security evidence and documentation ready.
HITRUST requires records for each audited period. You will be asked when you’ve updated your systems, policies and procedures, and you’ll need the evidence to back up those claims. Be ready with any documentation to support changes to your operations. If you already have an integrated risk management platform with built-in documentation, you’re already a step ahead.
It may take your team weeks to months to collect and prepare evidence, so having a system in place to easily retrieve the latest documents and notes for your HITRUST certification (now and in the future) will make your life easier.
4. Proper scoping is essential.
For your HITRUST process to be successful, your organization will need to understand its scope and security maturity level. While HITRUST CSF is a flexible framework and can be tailored to nearly any organization, it’s important to purchase a MyCSF subscription early in the process to gain access to, and begin to understand, your specific risk factors so that you apply the framework appropriately. Working with an outside HITRUST vendor can help you understand your company’s risk factors and set them appropriately.
5. Don’t go it alone.
HITRUST takes a lot of time and effort, and it’s an ongoing process requiring recertification every two years, with an annual review. While the process gets easier, the first HITRUST attempt is rigorous.
If you need an extra hand, don’t overlook the benefit of hiring a HITRUST preparer. If you are going to work with a HITRUST vendor, it’s valuable to seek one out early in the process. A HITRUST preparer can help you with your readiness assessment and get you in shape for the real deal.