As the impact of COVID-19 continues to be felt by businesses of all sizes and industries, figuring out how to adapt to continue operations, while keeping employees safe and healthy, is the top priority for business leaders right now. Fortunately, technology has allowed a large number of employees to continue working, at least partially, from home during these unprecedented times. While the ultimate goal is to “flatten the curve” and continue to ensure employee health and safety, the shift to this new working environment will naturally create nuances to Organizations in the throes of a current HITRUST CSF Assessment.
This paper identifies changes that HITRUST has made and offers suggestions should you be one of the Organizations pursuing or undergoing a HITRUST CSF Assessment.
Since the pandemic outbreak, HITRUST has issued three CSF Assurance Program Bulletins: HAA 2020-001: Waiver of On-Site Requirement for Validated Assessments, HAA 2020-002: Impact of COVID-19 On Assessment Timelines, and HAA 2020-004: HITRUST CSF Bridge Assessments. These three changes have begun to re-shape the traditional HITRUST CSF® Validated Assessment with a new approach that overcomes the challenges created by social distancing, travel restrictions and reduced workforces.
- HAA 2020-001: Waiver of On-Site Requirement – Effective March 5, 2020, HITRUST temporarily waived the requirement for in-person/on-site validation procedures to be performed at the assessed entity’s facilities. Since on-site requirements (such as physical security) are still in scope, HITRUST has issued guidance for alternative testing procedures.
- HAA 2020-002: Impact of COVID-19 On Assessment Timelines – Effective March 16, 2020, HITRUST has re-communicated the timing requirements associated with a ‘rely-able’ Validated Assessments.
- HAA 2020-004: HITRUST CSF Bridge Assessments – Effective April 15, 2020, HITRUST offers CSF® Bridge Assessment and Certificate to organizations whose current certification is affected due to COVID-19 disruption.
Advice from an experienced authorized HITRUST External Assessor
As an experienced HITRUST Assessor Firm and a member of the HITRUST Assessor and Quality Councils, Frazier & Deeter extends beyond HITRUST’s guidance by suggesting the following:
- Assessors and their customers must maintain open communication with respect to how key dates may be affected during this time. Any deviations that would jeopardize the ‘rely-ability’ or integrity of an assessment must be addressed sooner than later.
- In the event deviations are necessary, communication between the customer, their Assessor, and HITRUST must take place. While there are no guarantees that alternative approaches will be accepted, HITRUST has shown flexibility and concern given our current challenges.
- In the event testing procedures or assessment timelines are impacted, it’s the HITRUST External Assessor’s responsibility to understand the situation, suggest alternatives, coordinate with HITRUST, and ensure quality is not marginalized.
- Given our new norm, it’s important to identify controls that have operationally changed. Teleworking is one example. In these situations, flexibility will be necessary to evaluate alternative, and even ad-hoc, controls. Again, err on the side of transparency and communication so assessment interruptions will be minimized.
Most importantly, the pandemic situation cannot become an excuse for lower quality or integrity, both of which remain major ingredients to the HITRUST CSF Assurance Program. Whether you find yourself in the middle of an assessment, or are considering HITRUST for the first time, feel free to reach out to Frazier & Deeter with any questions.
About the Authors
Andrew Hicks CISA, CRISC, CCSFP, HCISPP, MBA is the Vice President of Risk Assurance and National Practice Leader for HITRUST for Frazier & Deeter. He has managed hundreds of HITRUST assessments.
Buddy Orol is a member of Frazier & Deeter’s Process, Risk & Governance practice.