HITRUST scoring 101: How scoring works and how to self-score
If you’re overwhelmed by the HITRUST® scoring system, you’re not alone. It takes practice and repetition to master. But because you have the responsibility of scoring yourself, it’s crucial to understand how scoring works, how to prepare ahead of time and why your External Assessor may disagree with how you’ve scored yourself in a certain area.
As an External Assessor, Wipfli has assisted many clients with the HITRUST CSF® Certification process. We’re going to dive into HITRUST scoring to highlight what you need to know, including what changes have been made to scoring over the past year. This will be helpful to those going for recertification who now have to adjust their thought process from how they used to score themselves, as well as those who are going after certification for the first time and want to understand how scoring works.
Meeting HITRUST requirement statements
When it comes to HITRUST CSF Certification, what you are scoring yourself on is how well you’ve met the requirement statements. All requirement statements — which are broken up into 19 domains — are predefined by HITRUST and include illustrated procedures to help explain what is required and what that requirement looks like in practice. This makes it easier for you to determine whether you’ve met the requirement or to what level you’ve done so, and thus score yourself.
For example, if you have a policy around security awareness training for employees, that policy must: 1) formally communicate how management expects the control to operate by using statements such as “will” and “must”, 2) be approved by the appropriate management (such as the security officer or director of IT) with a signature and date of approval and then 3) communicated to employees.
You must be able to evidence all of this, including proving that you communicated the security awareness training requirement to employees (e.g., via email, your intranet, etc.), in order to get 100% “fully complaint” in this area.
HITRUST scoring methodology: The rubrics
For those used to the old HITRUST scoring system, note that two big changes have been made to update HITRUST’s scoring rubrics. The first change breaks out each maturity level and adds definitions and guidance for each. The second change makes you score yourself based on control strength and scope coverage.
Let’s look at the policy scoring rubric as an example. As you can see in Figure 1 below, policy strength is the y axis, and scope coverage is the x axis. Policy strength can be defined as: the policy gained approval from management, was communicated to stakeholders and demonstrates management’s expectations of the control.
Figure 1: Policy scoring rubric as of 2020. © 2019 HITRUST
If you find that a particular policy’s strength is at tier 3, but you have only covered 50% of CSF policy elements, you would therefore score in the yellow zone, aka partially compliant (PC). But if your policy strength is at tier 3 and you’ve covered 90% of CSF policy elements, you’d score in the light green zone, mostly compliant (MC). Fully compliant (FC) is reserved for the highest level of policy strength and percentage of covered CSF policy elements.
The importance of implementation
Implementation is a critical component of meeting requirement statements. In fact, one of the other major changes HITRUST has made is to the five maturity level weights. In the past, policy, process and implementation each accounted for 25% of the final score. Measured accounted for 15%, and managed accounted for 10%. As of 2020, policy accounts for 15%, process accounts for 20%, implementation accounts for 40%, measured accounts for 10% and managed accounts for 15%.
As you can see, much more emphasis has been placed on implementation. And that does make sense. For your controls to truly be effective and trustworthy, they have to actually have been implemented. This weighting change helps ensure those who achieve HITRUST CSF Certification have functioning, high-quality controls in place.
Figure 2: Implemented scoring rubric as of 2020. © 2019 HITRUST
Figure 2 above shows the new implementation scoring rubric. You can see that scope is especially important when it comes to implementation.
Let’s look at encryption at rest as an example. If you have your database server, your SFTP servers and workstations all within scope, then you must test to make sure all three have been covered. If you have encryption fully implemented for your database server and SFTP server but not the workstations, you have only covered 66% of the scope.
Many implementation requirement statements are either implemented or not (e.g., configuration settings), but if you find you have varied or incomplete results for a particular requirement statement, then you should use a weighted average. So in the encryption example, you can see from Figure 3 that this would put you in “mostly compliant” territory.
Figure 3: Scoring legend. © 2019 HITRUST
Measured and managed
Many clients choose to forgo the measured and managed maturity categories, but it’s still important to take note of what they are and whether you should include them in the process.
Measured is when an independent audit of the control is being conducted on a periodic basis. These audits should be documented in reports or some other form of a recorded log.
Managed is the next step. Management would be informed of the audit’s results, conduct a formal risk analysis and treatment plan, and then modify the security program accordingly.
Common pitfalls to avoid
Once you score yourself for each requirement statement, your External Assessor will go into the MyCSF portal, review the evidence you’ve collected and either confirm or suggest any adjustments to your score. From our experience as an External Assessor, we’ve seen quite a few pitfalls to avoid in order to help ensure a much smoother assessment experience. Most of these pitfalls have to do with not collecting and storing evidence of your controls.
So with that in mind, here are four best practices to consider to help maximize your scores before beginning the HITRUST CSF Certification process:
1. Ensure your policies and procedures are detailed enough to meet HITRUST’s illustrative procedures
Many of our clients feel that they have strong policies and procedures, but when we compare them to the illustrative procedures and the criteria in the scoring rubric, we find they fall short. It’s best to determine this prior to beginning your validated assessment so that you have the opportunity to add the additional needed content.
If you find it’s too challenging to muddle through your existing policies and procedures to determine if they are up to snuff and then rewriting them to be more in line with HITRUST requirements, we have policy templates and consultants to help with that. You wouldn’t be the first organization to need to start from scratch in order to come out stronger.
2. Communicate to stakeholders (e.g., employees, contractors) when updated policy/procedures are available for their review and future reference, and collect evidence of this communication
We have had to stop in the middle of assessments in the past because a client said they told stakeholders about a policy change, but they didn’t track how they told them about it and couldn’t provide evidence they did so. Ensuring your management team is updating, reviewing and approving policies and procedures on annual basis and keeping evidence of it is absolutely critical.
3. Collect evidence when you are performing key processes
It may seem like if you implemented a control, you should be able to easily prove it, but that’s not always the case. Many clients thought they had evidence of a control’s implementation only to search high and low for it and come up short. Make sure that whenever you perform a control (e.g., approving a change to be released to your production environment or identifying, evaluating and prioritizing your risks), you collect and store that evidence.
4. Map your policies and procedures to HITRUST controls ahead of time
This best practice will make your life so much easier when it comes time for the validated assessment testing. Essentially, you must prove you have the required policies and procedures in place, and this evidence comes from being able to pinpoint the exact document(s) and page number(s) where the relevant policy and procedure references are located.
How easily could you do this? Some clients have many pages of documentation to sift through to try and find where these references are located. Mapping your policies and procedures to requirement statements ahead of time will help your assessment go much faster and smoother. Plus, creating this crosswalk from the requirement statements to your policies and procedures outside of the pressure of your validated assessment will allow you to thoughtfully identify all relevant sources. This activity will allow you to maximize your scores to get full credit for meeting the required level of documentation detailed in the illustrative procedures.
Wipfli can help you get started with HITRUST
If you need assistance breaking down the HITRUST scoring methodology or help getting started with your HITRUST CSF Certification process, contact us. We provide a full range of HITRUST services, from helping with your readiness and remediation activities to acting as your External Assessor during your validated assessment.
Related content:
Article: What is HITRUST, and why does it matter?White paper: The service organization’s path to HITRUST CSF Certification
Article: Common misconceptions from a HITRUST Authorized External Assessor
Article: HITRUST vs SOC 2: Leveraging the Best Path to Assurance