NDB offers consultation and assessment validation services associated with the HITRUST CSF and HITRUST CSF Assurance Program for healthcare organizations located in Austin, Dallas, Houston, and San Antonio, Texas.
We are one of Texas’ leading providers of HITRUST CSF compliance, and we know the framework inside and out. Contact us today at 512-522-4943 (Austin), 214-272-0967 (Dallas), or 713-331-5492 (Houston), or email us, to learn more about NDB’s HITRUST services and to receive a fixed-fee quote.
We’re often asked what’s the process for becoming HITRUST CSF certified – specifically – what’s the roadmap to follow. NDB offers the following phases for helping Austin, TX healthcare businesses achieve HITRUST CSF compliance.
Six Phases of HITRUST CSF Compliance & Certification
Phase I – Select an Authorized HITRUST External Assessor
Phase II – Perform a HITRUST CSF Readiness Assessment
Phase III – Undertake Documentation Remediation
Phase IV – Undertake Operational Remediation
Phase V – Completion of CSF Validated Assessment
Phase VI – Monitoring of Controls for Continued HITRUST CSF Compliance
Phase I – Select an Authorized HITRUST External Assessor
Finding an Authorized HITRUST External Assessor is the first step in becoming HITRUST CSF compliant – and for some very obvious reasons. HITRUST certification can take time – it can be a winding, complex road to compliance – all the more reason for finding a proven, trusted partner. There are a large number of well-qualified HITRUST assessors, so just remember to consider the following three key areas when making your selection:
- Does the external assessor have the resources to complete all phases for you, from the Readiness Assessment through generating the CSF assessment submitted to HITRUST? You want the same team in place from beginning to end.
- Does the assessor offer complementary services for helping with HITRUST, such as writing policies and procedures?
- Does the assessor have a proven track record of performing HITRUST CSF engagements?
Phase II – Perform a HITRUST CSF Readiness Assessment
One of the most fundamentally important measures Austin healthcare companies need to undertake for HITRUST CSF certification is to begin the overall process with a Phase I HITRUST CSF Readiness Assessment. This is critical, as a scoping exercise and readiness assessment gives you considerable insight into your control environment and the related policies, procedures and processes.
Here’s what’s included in NDB’s Phase I HITRUST CSF Readiness Assessment:
- Assessment and determination of scope in regards to business processes, personnel involved, physical locations, and relevant third-parties.
- Assessment of HITRUST controls in relation to scoped environment, and what gaps exist that require immediate remediation.
- Assessment of documentation regarding operational and information security policies and procedures.
- Development of an actionable, realistic roadmap for HITRUST CSF compliance, complete with milestone dates and deliverables.
It’s also important to remember that scope is a large driver in ultimately determining duration and complexity when it comes to HITRUST CSF compliance. No two businesses are the same, so the number of HITRUST controls and requirements an organization has to comply with can differ greatly from one entity to the next. For example, HITRUST CSF compliance (in terms of the number of control requirements) for an Austin-based Software as a Service (SaaS) healthcare organization specializing in claims pricing would be significantly different from that of a small physician’s office with three doctors at a single location. It’s all about scope, folks!
A Phase I HITRUST CSF Readiness assessment performed by an Authorized HITRUST External Assessor is absolutely essential, and especially for healthcare organizations new to HITRUST CSF compliance.
Phase III – Undertake Documentation Remediation
Based on the information that comes out of Phase I, healthcare companies in Austin should fully expect to perform any number of remediation activities. The first – and often most time-consuming – is documentation remediation. More specifically, we’re talking about policies and procedures for HITRUST CSF compliance.
The vast majority of businesses that embark on their HITRUST journey are completely unaware – blindsided, if you will – of the depth of documentation needed to become compliant. It can take quite some time to write all the policies needed, which is why it’s important to work with an Authorized HITRUST External Assessor who can provide quality templates based on the ISO 27001/27002 framework. Remember that HITRUST’s core structure is based on ISO/IEC 27001:2005 and 27002:2005, along with HITRUST’s own proprietary controls and other frameworks.
However, if you’ve used another framework for developing documentation – such as the NIST SP 800 framework – then you’ll want to cross-reference and map your policies and procedures to the current HITRUST CSF requirements. Regardless of which framework you use – or what current documents you have in place – gaps will be there, trust us on this one.
Why? Because HITRUST requires supporting documentation, and it’s rare for healthcare organizations to have all documents in place – especially if they’ve never gone through HITRUST CSF compliance. If you’re a healthcare company in the greater Austin area and need to get HITRUST CSF Certified, then contact us today.
To give you an idea of the importance of InfoSec policies and procedures, here are a few examples discussing the requirement for documentation:
- Security roles and responsibilities of employees, contractors and third-party users shall be defined and documented in accordance with the organization's information security policy.
- The Information Security policy documents shall be supported by a strategic plan and a security program with well-defined roles and responsibilities for leadership and officer roles.
- The organization develops and disseminates a formal, documented, system and services acquisition policy that includes IRS documents.
Phase IV – Undertake Operational Remediation
Remediation of gaps in one’s operational environment is also critical for helping achieve HITRUST CSF Certification. Many of the control requirements within the HITRUST CSF framework are technical in nature, which means you’ll have to do much more than just author a policy or a SOP. Some examples of operational gaps and deficiencies include, but are not limited to, the following:
- Poorly configured IT systems (e.g., network devices not properly provisioned, missing tools for detecting threats).
- Weak access controls on system settings for employees (e.g., weak password rules, the use of shared accounts with shared login credentials).
- Missing change control procedures (e.g., no formal process for making changes to IT systems and/or software).
You’ll need to have competent IT personnel in place who can actually take the time to make these changes, then test them to ensure they are in place and functioning properly.
Additional examples of areas that may well require remediation activities include the following:
- Performing and documenting an annual risk assessment.
- Implementing security awareness training for all employees.
- Assessing all relevant third-party providers and having a formalized vendor management program.
As you can clearly see, many of the above examples require much more than writing a policy or a procedure; they require some heavy lifting in terms of making operational changes. It’s therefore vital to work with an Authorized HITRUST External Assessor with years of experience in the broader healthcare industry.
Phase V – Achievement of HITRUST CSF Certification
Remediated all the gaps and deficiencies identified in the scoping and readiness phase? Now it’s time to provide the evidence by uploading material to the MyCSF portal. Think of the MyCSF portal as the communication hub for interacting with your HITRUST external assessor – providing deliverables, obtaining feedback and comments, and more. Once all materials have been provided to the assessor and are deemed complete, the assessor generates a HITRUST CSF Validated Report, which is ultimately sent to HITRUST for awarding HITRUST CSF Certification.
Keep in mind the following timetable: The time in which the HITRUST assessor can actually perform the assessment is generally anywhere from 2 to 8 weeks, longer if you have significant control deficiencies. Once the assessment is complete, expect as long as 4 months to obtain the official certification from HITRUST.
Phase VI – Monitoring of Controls for Continued HITRUST Compliance
Long after the HITRUST assessors are gone and you’ve received your official HITRUST CSF certification, keep in mind that compliance is an annual requirement. It’s therefore critically important to monitor your controls on a regular basis to ensure continued compliance. But it’s not just about meeting annual HITRUST CSF compliance; it’s about having robust, comprehensive, and well-thought-out security controls in place to ensure the confidentiality, integrity, and availability (CIA) of your information systems.
We can assist Austin healthcare organizations with both initial HITRUST CSF certification and implementing measures for continued compliance. Contact us today at 512-522-4943 (Austin), 214-272-0967 (Dallas), or 713-331-5492 (Houston), or email us, to learn more about NDB’s HITRUST services and to receive a fixed-fee quote.
NDB is Austin’s Leading Provider of HITRUST CSF Compliance & Certification
With the growing wave of regulatory compliance just getting bigger and bigger, healthcare organizations in Austin and throughout central Texas can now turn to NDB for HITRUST CSF compliance and certification services. As an Authorized HITRUST External Assessor, NDB has a deep working knowledge of the HITRUST CSF framework, along with years of expertise and knowledge. If you store, process, and transmit sensitive data, HITRUST CSF compliance will likely become a requirement in the near future.
Talk to NDB’s HITRUST experts in Austin today. Services range from an initial scoping and readiness assessment to continuous monitoring of controls for HITRUST, and more. From policy templates to expert assistance throughout the entire HITRUST CSF compliance and certification process, Austin healthcare companies are turning to NDB, and so should you. Contact us today to learn more about our HITRUST services, along with other related compliance audits, such as PCI DSS, SOC 1, SOC 2, HIPAA, and much more.