Improving the Throughput and Transparency of the HITRUST Assurance Program

November 6, 2019

By Bimal Sheth, Vice President — Assurance Services

The HITRUST brand has always been synonymous with quality and it is one of the main reasons I was excited to join the HITRUST leadership team. For those of you I have not yet had the pleasure of interacting with, I am the vice president of Assurance. I recently joined HITRUST after more than 15 years at Ernst & Young (EY) where I specialized in third party reporting.

My first sixty days have been spent evaluating the Assurance program and listening to feedback from customers, external assessors, and internal stakeholders. During that time I have learned a great deal and wanted to open a dialog with the HITRUST community to share updates and discuss changes that I believe will reduce the time between assessment submission and issuance of a CSF Assessment report.

I have been and will be focusing on three key areas: Quality, Communication, and Efficiency.

Quality

The quality requirements that went into place on April 1, 2019 had a significant impact on customers, external assessors, and the Assurance Program; however, the importance of quality remains paramount to the unique value that HITRUST provides by ensuring integrity, consistency, transparency and ultimately rely-ability of the report issued. The Assurance team is a critical component of ensuring that all reports are of high quality and instilling confidence in those that rely on the HITRUST reports. HITRUST reports are widely accepted because of the market’s understanding of the depth and rigor of testing required as part of a HITRUST CSF Validated or HITRUST CSF Certification report.

Much of my first sixty days has been spent working with my counterpart on our Compliance team, Jeremy Huval, on defining metrics to measure quality in our reports and adjusting our internal processes where needed.

While much of that work has been behind the scenes, it is now complete and we are ready to be more public-facing and focus on some of the other changes that are needed.

Communication

As I have listened to feedback from the HITRUST community, many of you have expressed your frustration on the lack of communication from HITRUST around assessment status. I understand your frustration and commit that we will be more communicative and transparent going forward.

Going forward, this communication is the first of a series I will do on an every other month cadence as I work to implement changes. Also, please watch your inboxes for an invitation to a webinar on November 20, 2019 where Jeremy and I will walk through the upcoming changes in more detail and take your questions.

I understand much of the frustration has been around the lack of transparency with QA lead times. One of my first asks of the MyCSF development team has been around how we can be more communicative about the time required to perform QA and how we can communicate an estimated draft report issuance date. We are working to implement more automated communications to the external assessor and customers on report status along with the ability to check status in real time within MyCSF.

Part of our focus on communication will also be more transparency on when QA begins and who has the ball – HITRUST or the external assessor – and how long each party has had the ball, with the goal of bringing more accountability for the time spent during the QA process.

Efficiency

The exponential growth of HITRUST CSF Certifications in the marketplace has been exciting to watch. The HITRUST community is growing daily as more companies become engaged in ensuring the rely-ability of their information risk assessments. That growth has come with some challenges and one of those is the length of time it takes to get through QA.

The lead times have become excessive and I believe there are three levers to pull to change the trajectory:

  • Technology changes – we are working to make MyCSF smarter and prevent certain QA issues. You have seen some of these changes as we rolled out the automated quality checks and build-out of much of the report; however, there are more technology enhancements in the pipeline for development and implementation.
  • Process changes – for external assessors you have likely seen a process change where most QA questions are now asked upfront versus the multiple rounds that previously existed. We are also working to redesign templates and MyCSF to be clearer and avoid common QA questions.
  • Increased staffing – I am actively working to hire additional highly-qualified QA analysts. You should begin to see some new faces join our team in the coming weeks.

All of these changes are designed to process assessments more efficiently and reduce the time it takes to issue a draft report.

We will also be implementing a public facing service level commitment for QA. This commitment will show current QA lead times and how those compare against our target of 60 days with HITRUST. The dashboard will be available in MyCSF so that customers and external assessors can meet their commitments.

Closing Thoughts

I know many of you might be thinking there has not been a single mention of ‘when’ in this communication and that has been intentional – I have been saving the best for last. You will see changes rolled out every 45 days as our development team completes sprints with full rollout completed by the end of Q1 2020. For more details on the roadmap please tune into the November 20th webinar.

You may also be asking what you can do now to help expedite your assessment through QA. Prior to submission to HITRUST, I would ask that you have thoroughly reviewed your assessment including looking for common QA issues, such as inconsistent scoping in the Organization Overview and Scope document. After acceptance please make sure your external assessor is responding to QA questions in a timely manner so we can complete QA and move to issuing a draft as quickly as possible.

In the spirit of transparency I want to recognize that change can often be disruptive and I appreciate everyone’s patience as we work to implement these significant changes. I also welcome your feedback as your engagement is critical to the success of HITRUST. If you have feedback please reach out to your customer success manager, external assessor, or send a note to feedback@hitrustalliance.net.

I appreciate the opportunity to work with you and I hope to hear from you on the webinar!
