HITRUST security risk assessment

Product watch

by Chris Apgar, CISSP

There are no federally recognized HIPAA certification standards for covered entities (CE) and business associates (BA) and it’s unlikely one will be. However, that doesn’t stop larger CEs from requiring some form of certification to demonstrate compliance with HIPAA and proof that BAs have implemented sound information security programs. The Health Information Trust Alliance (HITRUST) (http://hitrustalliance.net) published its first common security framework (CSF) in March 2009 with the goal of focusing on information security as a core pillar of the broad adoption of health information systems and exchanges. Larger CEs, primarily large health plans, now require their BAs to become HITRUST certified.

HITRUST offers three levels of security risk assessment, ranging from a self-administered assessment to full certification. The assessments are based on HITRUST’s CSF, an information security framework that maps to existing standards and regulations, including federal, third-party, and government requirements. HITRUST’s risk assessment tool was intended to be a comprehensive tool that can guide CEs and BAs in their information security and compliance planning activities. Unfortunately, in the opinion of the author and other healthcare practitioners, the HITRUST framework is overly burdensome and in some cases just plain wrong when it comes to assessing downstream vendor compliance.

The assessments are complex, burdensome, and, if certification is the goal, expensive. There is a cost to use the MyCSF tool, and a certified HITRUST assessor must certify compliance with the MyCSF requirements.

Facilitated or self-administered HITRUST assessments begin with scoping. Beyond determining where a CE’s or BA’s assets lie and what policies are in place, scoping takes into account the type of entity, the regulatory environment, the number of operational units, and so forth. Scoping determines the number of questions that need to be asked. For example, some questions about device security would not be pertinent to an entity such as a software-as-a-service vendor.

After categorizing the entity to be assessed, scoping explores areas of security that are often addressed in a traditional risk assessment, a compliance audit, and other audits. This includes identifying information systems, grouping those systems, evaluating or assessing data elements, and determining system boundaries.

The rigor applied varies based on the level of the assessment. The self-assessment is just that: the CE or BA pays for the assessment and conducts scoping and the assessment itself. This option has the lowest level of rigor and potential accuracy, but is still a tall task to ask of a CE or BA given the amount of time necessary to accumulate the needed documentation and load it in the MyCSF tool.

The self-assessment has the lowest price tag. Conducting a self-assessment requires more than a little knowledge of information security and the internal workings of the IT shop. The report produced will be only as accurate and useful as the data entered into it. In other words: garbage in, garbage out.

The next two levels require an external third party to conduct the HITRUST assessment. The cost of the assessment will vary depending on the size and complexity of the entity but, even with smaller entities, the cost is hefty. The validated assessment is conducted by a third party and validated by HITRUST. The last level of assessment leads to HITRUST certification that is good for two years with a mini-assessment conducted in the off year.

Version 7 of the MyCSF tool is clunky and time-consuming to use. If you begin loading documents, it takes more than a few seconds to load each document, and if you don’t save your uploads frequently enough you will lose your work. HITRUST states on its MyCSF webpage that the tool is user friendly. It is far from that.

Certification may not be immediately granted following the assessment. HITRUST does not ensure that assessed entities will remain compliant between assessments. Compliance and information security are not one-time events. There is no guarantee that entities will not be audited or will pass an OCR audit. HITRUST assesses compliance on the information security side, but does not assess compliance with the HIPAA Privacy Rule or state privacy and breach laws.

All third-party vendors that perform validated assessments and certification assessments must be re-certified periodically by HITRUST. HITRUST also manages the CSF and the MyCSF tool. This is supposed to support consistency of approach, structure, standardization, and currency. It doesn’t always hit the mark, though, because it includes requirements that are simply overkill and, in some cases, are actually wrong.

The direct costs for HITRUST certification include fees both to HITRUST and to the HITRUST-approved assessor. The direct cost is about $40,000 to $60,000, but costs can be much higher for larger organizations, per Catalyze, a HITRUST-certified cloud infrastructure vendor (http://content.catalyze.io/what-is-the-cost-of-hitrust-csf-certification).

Indirect costs are harder to quantify. Catalyze estimated the total time spent for all employees to compile and load the documentation into MyCSF at 200 hours. The time spent between each audit to address issues and solidify compliance and information security programs must also be considered.

Per Catalyze, conservatively estimating the cost of an hour of work at $100/hour allows a rough calculation to be tallied. That figure must cover salaries, benefits, and lost opportunities from work not performed, so it captures only part of the loss. Based on those numbers, the total cost of the HITRUST assessment is roughly $60,000 to $80,000.

If the assessment is conducted correctly, HITRUST tools can be used to improve information security and adherence to compliance requirements. However, it is not a simple exercise: it is fraught with high costs and headaches associated with using the MyCSF tool, and it may waste time and resources. There are other options for third-party assessments to demonstrate HIPAA compliance and a sound information security program, often at significantly less cost.

Any claims that OCR will recognize the HITRUST tool in and of itself as demonstrating compliance with HIPAA are false. The Office of the National Coordinator for Health Information Technology and OCR, among others, have published their own guidance about what should be included in a HIPAA risk analysis or risk assessment.

Editor’s note: Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. Opinions expressed are those of the author and do not represent HCPro or ACDIS. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Email your HIPAA questions to Associate Editor Nicole Votta at [email protected].

HCPro.com – Briefings on HIPAA