Improving the Throughput and Transparency of the HITRUST Assurance Program: February 2020 Update

February 21, 2020

By Bimal Sheth, Vice President of Assurance Services

Welcome back for the February update in our series on Improving the Throughput and Transparency of the HITRUST Assurance Program. For those of you who missed the December update, it can be found here. This blog post is the third part in a series of communications meant to increase transparency as we continuously work to improve our processes.

In this post, I will preview an exciting new way to provide feedback to HITRUST on the MyCSF platform as well as provide updates on key Assurance changes, including the Automated Quality Checks, Quality Assurance (QA) Tasks, and Factors.

MyCSF Platform Feedback

For many in the HITRUST community, MyCSF is an invaluable tool that is used on a daily basis. With such an active user community, we often receive the question – How can I suggest a feature to help make MyCSF better? Later this month, we will roll out a feedback module within the MyCSF platform that will allow any user to make suggestions for future enhancements and also up-vote the suggestions of other users. As enhancement requests are up-voted, the MyCSF team will review the enhancements and consider them for inclusion on the product roadmap. As a suggested feature is up-voted and moved into the development roadmap, users will receive notifications about its status and eventual deployment.

Please watch for further communications from our MyCSF team on the deployment of this feature. I would encourage all users to submit their enhancement requests for consideration.

Updates on Key Assurance Changes

Automated Quality Checks

Many in the HITRUST community have been asking what happened to the Automated Quality Checks that were part of Assurance Advisory 2019-008 with an intended implementation date of December 31, 2019; during our user acceptance testing we found issues that, in our judgment, needed to be fixed prior to deployment to production.

We have been working closely with the MyCSF development team to resolve those issues and perform additional testing. Currently we have the feature set to be released at the end of March; once that date is finalized, we will publish an update to the Advisory to reflect the new release date.

QA Tasks

I am happy to report that the change request specification for a QA Task Management module was turned over to our MyCSF team earlier this month and that they are busy with development. Currently we are targeting completion of development by the end of April, after which we will run a closed beta with several assessments in order to collect feedback from HITRUST Authorized External Assessors (External Assessors) and assessed entities. We are planning to identify beta candidates based upon submissions in the QA queue at the time and will reach out to candidates directly. Based upon the feedback we receive during the beta, we will make any changes necessary and announce a release date for full production.

I also wanted to highlight some planned features that we believe will help streamline communication between HITRUST, External Assessors, and assessed entities while also providing more transparency into what needs to be done to complete QA.

  • QA Tasks Linked to Specific Items Within the Assessment – QA Tasks will now be linked to specific items within an assessment beyond requirement statements. For example, we will have the ability to link a QA Task to a Factor that needs to be changed. Currently, the ability to communicate QA items outside of a requirement statement, such as Factors, is limited to email.
  • HITRUST QA Proposed Change – When a QA Task is created, the QA Analyst will have the ability to propose a modification that can be accepted or rejected by the person assigned the QA Task. If the modification is accepted, MyCSF will automatically make the change. For example, if the QA Analyst believes that an Implementation score on a requirement statement should be lowered to 75%, that can be proposed in the QA Task, and if it is accepted MyCSF will automatically update the score and mark the QA Task as back with HITRUST.
  • Conversation Threading – Currently, the “HITRUST comments” field in MyCSF is a single text box where External Assessors can see comments from the HITRUST QA Analyst; however, it is difficult to see responses from the External Assessor. Responding within the task will allow a conversation view for both the HITRUST QA Analyst and External Assessor, as shown in the wireframe below.
    [Wireframe: conversation view within a QA Task]
  • Consolidated View of Open QA Items – Currently, External Assessors see QA items inside requirement statements within MyCSF, receive a Word document with comments on the Organization Overview and Scope, and an email alerting them to any concerns pertaining to Factors. Multiple avenues of communicating QA items often lead to confusion as to what is left to do, or to an item accidentally being overlooked. Moving to a task-based system for QA items will allow External Assessors, assessed entities, and HITRUST to have a consolidated view of all open items as well as the owner and status of each item. Our development team provided the wireframe below to help illustrate one of the views of QA Tasks.

    [Wireframe: consolidated view of open QA Tasks]

Factors

Defining the assessment’s risk factors is part of the pre-assessment work that must be completed by the assessed entity. These risk factors are used to tailor the HITRUST MyCSF Requirement Statements to fit the scoped environment based on the inherent risk incurred from various compliance obligations (e.g., from regulations or best practice frameworks), organizational attributes or activities (e.g., amount of sensitive data processed), or technologies employed (e.g., wireless networks). However, HITRUST has seen a trend in specific types of requirement statements that are consistently marked as not applicable by assessed organizations. To help address this problem, our Standards and Research & Analysis teams will review and, if needed, update our current risk factors to ensure inherent risks are addressed more comprehensively and thereby reduce the number of non-applicable statements in an assessment. When the analysis is complete, we will publish an Assurance Advisory detailing any changes along with the implementation window for those changes.

As a preview to that Advisory: We will soon apply a change to MyCSF requiring an explanation from the assessed entity for each “No” response to a Technical Factor. These explanations should be reviewed by the External Assessor prior to submission of the object to HITRUST. The explanations will be reviewed by the HITRUST QA team, and will appear in both the Letter of Certification and HITRUST CSF Validated Report.

Closing Thoughts

We appreciate all of the feedback we have received over the past several months and look forward to receiving more questions and thoughts. As a reminder, you can submit feedback through your Customer Success Managers or feedback@hitrustalliance.net.
