Explained: HITRUST Gap Assessments Are Not Like The Others


Depending on who you talk to, the definition of a HITRUST “Gap Assessment” may sound very different. That’s because the HITRUST CSF nomenclature departs slightly from common security parlance. That’s a good thing, in my opinion, because the HITRUST CSF is exacting with pre- and post-certification process requirements.

In this article, we’ll dig into what a HITRUST Gap Assessment can be, how it fits into the HITRUST certification process, and how important conducting gap analysis can be. Whether you’re in the healthcare industry or not, you’ll want to pay attention because this applies equally well to other certifiable security frameworks like ISO 27001.


What is a HITRUST Gap Assessment?

The Health Information Trust Alliance, or HITRUST, employs two conceptual gap assessments, both of which are critical for obtaining and maintaining HITRUST Common Security Framework (HITRUST CSF) Certification. While they accomplish different goals, they are largely performed the same way.

The first assessment process is the HITRUST CSF-validated assessment or the HITRUST readiness assessment. Both play a part in achieving HITRUST certification; which one you need depends on whether you’re pursuing HITRUST i1 or HITRUST r2 certification. The former can be a self-assessment, while the latter is always performed by a certified third party.

Those two assessments function as a gap analysis because they measure whatever is in scope for your organization’s environment against the HITRUST CSF framework. When you perform a readiness assessment, you’re evaluating that infrastructure against the HITRUST controls to identify control gaps.

In other words, that’s effectively a full assessment of your organization against the HITRUST standards. If the gaps are minimal enough, you may be able to outright achieve HITRUST compliance at the i1 level.

In that case, you may want to jump to the HITRUST validated assessment or the r2 assessment. A certified assessor will evaluate your environment to determine HITRUST readiness, identify gaps in HITRUST compliance, and issue a HITRUST report, a final report outlining your compliance with HITRUST standards.

If you sufficiently comply with HITRUST requirements, then you can achieve HITRUST CSF certification at the r2 level after undergoing a Quality Assurance Review. You will likely also be provided with a HITRUST gap analysis, a report highlighting your control gaps and suggesting corrective action. No organization is 100% compliant, and that’s okay. Understanding the corrective action you need to take against identified gaps is key to continued improvement.

If, however, you aren’t able to conform to HITRUST at the i1 level, then you may want to postpone your assessment process for HITRUST certification at the r2 level and take time to reevaluate your security posture. Consider your self-assessment to be an interim assessment along your HITRUST journey. You now know your security framework gaps and you may even have an idea how to address them.

A second assessment process is the Interim Assessment that needs to be performed to maintain HITRUST r2 certification. That interim assessment is required for assurance purposes and effectively serves as HITRUST validation between r2 assessments.

The Interim Assessment process evaluates a sample of your security controls to ensure that your data security efforts haven’t diminished between HITRUST r2 certification assessments. Like the r2 assessment, HITRUST requires that it be performed by an external assessor who is also a certified HITRUST CSF assessor. The assessment demonstrates continued compliance with the HITRUST CSF.

If you fail that HITRUST assessment, you jeopardize your HITRUST CSF certification.

Internal vs External Gap Assessments

Depending on the kind of HITRUST assessment you want to conduct and the kind of HITRUST certification you seek, you may need an external assessor to conduct a HITRUST certification assessment.

The good news is that if you only want to obtain HITRUST i1 certification, then you can perform the HITRUST readiness assessment yourself. There’s no requirement that you use an external assessor. Even if you stop there, it’s a great risk management tool that will inform your compliance requirements and help you manage the risk of data breaches.

Conversely, if you want to go further, you’ll need a HITRUST CSF-certified external assessor. The key benefit of successful certification at the r2 level is not only meeting globally recognized standards; you’ll also be independently validated as certified against a highly regarded certifiable information security framework.

When you achieve certification at the r2 level, the HITRUST Alliance vouches for your compliance process and security controls. For your business partners, and especially Business Associates, that means you’re a leading provider who wants to minimize security gaps and can ensure protected flows of sensitive data. In today’s digital age, that’s invaluable.

HITRUST r2 assessments also have a scheduled completion date. So, while the i1 assessment can flounder if other organizational priorities usurp it, the r2 assessment has strict timelines, and missing them results in not attaining HITRUST certification.

Remember, external assessors must be HITRUST CSF assessors certified by the HITRUST Alliance. While any external assessor can likely perform a HITRUST assessment, only certified assessors can issue a report that supports HITRUST certification at the r2 level.

What’s The Benefit?

It’s impossible to obtain and maintain HITRUST r2 certification without a gap analysis, specifically a HITRUST CSF-validated assessment. For that form of HITRUST validation, you must employ a certified HITRUST CSF assessor.

You can, however, perform a successful HITRUST gap assessment by being your own HITRUST assessor. That HITRUST readiness assessment process is exactly what you need to obtain HITRUST i1 certification.

In both cases, you can demonstrate that you have the data security program in place to protect sensitive data with high-quality security controls. Depending on the industry you’re in, those assessments can also be used to address regulatory risk factors and comply with industry regulations.

Since HITRUST also cross-references existing security frameworks, your internal assessment via HITRUST gap analysis can serve as a gap analysis for those other frameworks. If your business partners require you to demonstrate certification against numerous different frameworks, this could be a good way to capture them all in one go.

The HITRUST Gap Assessment Process

HITRUST gap assessment process

You can see the context of the assessment phases in the overall HITRUST r2 certification process:

  • Readiness Assessment,
  • Remediation phase,
  • Validated Assessment,
  • Quality Assurance Review,
  • Certification, and
  • Interim Assessment.

This process, set out by the HITRUST Alliance, balances preparation for formal certification against organizational operational needs and lets organizations carry out the phases as they see fit.

I described the Readiness, Validated, Quality Assurance, and Interim Assessments in previous sections. In short, a self-assessment builds towards an external certified assessment, which is reviewed by the HITRUST Alliance and then validated annually.

The remediation phase happens between the self-assessment and the external assessment. That’s the time when your organization works to bring itself into conformance with the HITRUST CSF standards so that a potentially expensive external assessment isn’t wasted.

Certification occurs when an organization passes Quality Assurance review of the external assessor’s HITRUST assessment report. At that point the organization is officially HITRUST r2 certified. Since those assessments happen every two years, the Interim Assessment is required as an intermediary review to ensure security controls haven’t degraded in the meantime.

How Long Does a Gap Assessment Take?

An i1 gap assessment usually takes one to two months. If you have well-organized documentation and other control evidence, or if you are a small company, then it may be shorter.

The gap assessment portion of the r2 certification can take anywhere between 2 and 6 months, depending on the information required to support HITRUST compliance in the assessor’s opinion. While HITRUST assessments cover the same subject matter, they may require different levels of supporting evidence. Your assessor may also want to come onsite.

How Often is a HITRUST Gap Assessment Performed?

HITRUST i1 assessments are performed annually. HITRUST r2 assessments are performed every two years, with interim assessments required between r2 assessments.

How Much Does a HITRUST Gap Assessment Cost?

An r2 assessment will cost tens to hundreds of thousands of dollars depending on the systems in scope for certification, the quality of the documentation, and the size of the organization. Larger organizations trying to broadly cover their underlying infrastructure should expect to spend in the hundreds of thousands of dollars.

I’ve only seen HITRUST r2 certification assessments priced as fixed-cost engagements, which include either a blended rate for all assessment personnel or a breakdown of hourly rates for different personnel. That’s not to say there aren’t full hourly models, but the engagement becomes significantly more complex with billable hours. You won’t save money by not completing the certification; it instead becomes the supporting documentation for an i1 certification.

The i1 assessment can be free if performed internally, with only staff time expended to complete it. Bringing in an assessor for that may not make sense, because it’s the same scope as an r2 assessment. You could spend hundreds of thousands of dollars on an assessment only to find out you don’t have much to remediate. Then again, it’s best to learn that during the i1 process instead of the r2 process.

Is a HITRUST Gap Assessment Worth It?

I think a HITRUST gap assessment is worth it. You’ll want to know how you stack up to the standards in order to achieve the HITRUST r2 certification, which is the logical conclusion of starting on the HITRUST journey. In that case, the gap assessment is the lion’s share of the work and is designed to propel you to the finish line with tight compliance timelines.

Many times, the HITRUST i1 assessment is that gap assessment. Think about it: for the gap assessment, you’ll collect information and measure yourself against the HITRUST standards. The HITRUST i1 assessment is collecting information and measuring yourself against the HITRUST standards. In both cases, if you fall short, you’ll need to remediate identified gaps before proceeding to the next stage of assessment.

Circling back to my opening: HITRUST has a different nomenclature around gap assessments because they’ve turned their gap assessment into a stepping stone towards full certification, and they give you a certification just for doing it.

In my opinion, there’s no better way to show the sufficiency and regulatory compliance of a security program for protected data than a HITRUST assessment. It can be a readiness assessment around a recognized and highly respected security framework, but it generally progresses into independent verification and validation of the sufficiency of your security program. Few other security frameworks offer that.

Undergoing a HITRUST assessment highlights your commitment to safeguarding protected data at a very high level. Since certification at the i1 or r2 level requires a high level of conformance with the HITRUST framework, business partners and clients alike will understand that you have a well-positioned security program designed to minimize risk.


Published by Aaron Weismann
Aaron Weismann is a healthcare industry CISO with over a decade of strategic management, technology, and information security experience. His deepest experience is in managing and securing sophisticated and highly regulated environments. His expert...
Copyright © 2022 Network Assured