NDB is a leading provider of HITRUST CSF compliance and certification services for Houston area businesses. The Houston metropolitan area is booming in terms of the healthcare industry. Sure, there’s the well-known Texas medical center, but there are literally thousands of other businesses that play a key role in Houston’s growing medical industry.
With massive security and compliance mandates taking effect for the healthcare industry throughout the country – especially when it comes to HITRUST compliance and certification – Houston area businesses are looking for a proven, trusted expert to guide them through the entire HITRUST process, and that’s NDB.
Contact us today at 713-331-5492 to learn more about NDB’s HITRUST services, and to receive a fixed-fee quote.
6 Phases of HITRUST Compliance & Certification for Houston Healthcare Entities
Phase I – Find an Authorized HITRUST External Assessor
Phase II – Perform a HITRUST CSF Readiness Assessment
Phase III – Perform Documentation Remediation (Policies and Procedures)
Phase IV – Perform Operational Remediation
Phase V – Completion of CSF Validated Assessment
Phase VI – Monitoring of Controls for Continued HITRUST CSF Compliance
Phase I – Find an Authorized HITRUST External Assessor
Choose a HITRUST external assessor that has not only industry expertise, but true expertise in your specific healthcare field. The healthcare industry is huge – and only getting bigger – so it’s a good idea that the HITRUST external assessor you choose has a solid understanding of your specific sector. NDB has years of experience in almost every facet of the healthcare industry. Our personnel have over two decades of work history throughout dozens of healthcare areas.
Phase II – Perform a HITRUST CSF Readiness Assessment
HITRUST compliance is by no means an overnight process. It takes thoughtful planning, organization, and execution to achieve what has now become the gold standard for healthcare compliance. With that said, it’s fundamentally important to kick off the HITRUST journey with a comprehensive CSF Readiness Assessment, and here’s why:
- To gain a stronger understanding – and appreciation – of the HITRUST CSF. Remember, this is a large and complex compliance requirement, which means you’ll need an authorized HITRUST external assessor to walk you through the entire program from beginning to end.
- To properly scope the engagement. The HITRUST CSF framework is designed to be customized and adapted to your organization. Every business is different, and because of this, a CSF Readiness Assessment helps identify the exact set of HITRUST controls you must comply with.
- To put in place project deliverables & milestones. Setting expectations, assigning roles and responsibilities – and much more – is crucial for becoming HITRUST CSF certified, and a CSF Readiness Assessment helps with these measures.
When properly performed, a HITRUST CSF Readiness assessment brings immense value to the overall process of becoming HITRUST CSF certified. HITRUST highly recommends an upfront CSF Readiness Assessment for determining scope, gaps, remediation activities, etc. NDB offers our readiness services as part of our fixed-fee pricing for HITRUST. Contact us today to learn more.
Phase III – Undertake Documentation Remediation (Policies and Procedures)
Want to know what one of the most time-consuming, taxing, and demanding measures is for becoming HITRUST compliant? Developing security policies and procedures. That’s right. Developing documentation is a big requirement for HITRUST, something that many healthcare organizations fail to recognize when they embark on the long, winding road to compliance.
A fair amount of the HITRUST framework is built upon ISO/IEC 27001:2005 and 27002:2005, along with HITRUST’s own proprietary controls and other frameworks, so if an organization already has ISO policies and procedures in place, that’s a great start. Many don’t, however, and because of this they’ll need to develop information security and operational policies and procedures from scratch, and that can take time – quite a bit of time.
With NDB, we offer comprehensive policy development for Houston healthcare organizations seeking to become HITRUST CSF certified. Specifically, we offer the following:
- Development of all HITRUST compliance policies and procedures as required.
- Assistance in choosing an acceptable policy framework for documentation (e.g., ISO 27001/27002, the NIST SP 800 series, etc.)
- Development of additional operational policy documentation, such as risk assessment programs, incident response measures, security awareness training materials, and more.
Once all the required documentation has been fully developed, HITRUST compliance & certification becomes much more attainable, both in the initial year and in subsequent periods. The importance of policies and procedures – and other supporting documentation – cannot be overstated for HITRUST.
Don’t overlook the importance of information security policies and procedures for HITRUST compliance. Nobody really likes authoring documents, but if you can start the process off with a great set of templates, you’ll save a tremendous amount of time and money.
Phase IV – Operational Remediation
Developing missing policies and procedures is just one part of remediation. The second part is what we call “operational” changes. This is more of the “heavy lifting” in terms of remediation, and can include any number of measures, such as the following:
- Performing a risk assessment.
- Undertaking security awareness training for all employees.
- Re-configuring IT systems to align with required HITRUST security/technical requirements.
Phase V – Achievement of HITRUST CSF Certification
Both the HITRUST external assessor and the organization undergoing HITRUST compliance will be spending quite a bit of time in the MyCSF portal. This is where documentation is uploaded, reviewed, and ultimately assessed to validate that the stated control requirements are met. Expect to upload policies and procedures, answer questions, communicate with assessors – and more. The portal serves as the main communication platform for providing evidence and illustrating continued progress towards HITRUST compliance.
Both the HITRUST external assessor and the organization seeking to achieve HITRUST CSF certification must use the MyCSF portal throughout the entire process. And remember, HITRUST compliance takes time. How long? Here are some general timeframes:
First, the overall process from A to Z can take considerable time – months to complete – depending on how mature your controls are, the scope of the engagement itself, and how serious the organization is about becoming certified. Second, the specific assessment performed by a HITRUST external assessor can take anywhere from two to eight weeks, and HITRUST’s own process of certifying your entity can then take up to four months. Again, HITRUST is NOT an overnight process, so keep that in mind.
Phase VI – Monitoring of Controls for Continued HITRUST Compliance
HITRUST compliance is an annual requirement – that’s right – so welcome to the world of healthcare compliance. With that said, it’s incredibly important to put in place a monitoring program that evaluates your HITRUST controls on a regular basis to ensure continued compliance. Hey, the HITRUST external assessors only show up once a year, which means it’s your responsibility to stay compliant throughout the year.
How do you do this? By assigning one or more internal employees the responsibility of regularly reviewing internal controls and reporting any irregularities back to management.
Houston’s (and Texas') Leading Provider of HITRUST Services
Healthcare organizations that store, process, and/or transmit sensitive consumer data – PII, PHI, and more – will no doubt continue to be asked for annual HITRUST compliance. The Houston Medical Center alone is filled with a dizzying array of businesses that need to become HITRUST compliant. To learn more about the entire HITRUST compliance and certification process for healthcare companies in Houston, contact NDB today.
NDB offers a proven, lockstep process for becoming HITRUST compliant, one that starts with a Phase I CSF Readiness Assessment and concludes with continuous monitoring exercises to ensure continued HITRUST compliance. NDB also offers HITRUST compliance and certification services for healthcare organizations in Austin, San Antonio and Dallas.
Contact us today at 512-522-4943 (Austin), 214-272-0967 (Dallas), or 713-331-5492 (Houston) to learn more about NDB’s HITRUST services, and to receive a fixed-fee quote.