Inside Cybersecurity

August 11, 2022

Daily News

Cyber certification firm HITRUST waives on-site reviews amid COVID-19 pandemic

By Rick Weber / March 19, 2020

HITRUST, a leading national organization for certifying cybersecurity practices, has suspended a requirement for on-site assessments of the security and privacy risks at facilities, among other adjustments in the wake of the COVID-19 pandemic that offer guidance for all third-party assessors, according to the company.

These HITRUST adjustments are being made as all industry groups are striving for business continuity during the coronavirus lockdown, with HITRUST allowing “alternative” methods for ensuring cybersecurity compliance during an unprecedented national emergency and amid heightened attacks by cyber adversaries looking to take advantage of the crisis.

HITRUST senior officials detailed the company's latest moves in response to the coronavirus crisis in an exclusive written interview with Inside Cybersecurity, following an announcement this week to waive on-site requirements for “validation” of the HITRUST CSF, which includes the National Institute of Standards and Technology's cybersecurity framework for managing risks.

Carl Anderson

Carl Anderson, Chief Legal Officer, HITRUST

“Customers and partners can rest assured that while we all navigate together through this uncharted territory, HITRUST has implemented plans to enable business functions to operate as usual, including sales, support, assurance, compliance, and Academy,” the company said in a release Monday. “We are also updating impacted policies and programs to accommodate circumstances created as a result of COVID-19,” according to the release.

These measures include “an Assurance Advisory temporarily waiving the requirement that in-person/on-site validation procedures be performed at the assessed entity’s facilities” and “hold[ing] all training sessions virtually through June 2020” by HITRUST Academy for use of the HITRUST CSF. The company said it “is prepared to alter our procedures and planning” as “circumstances continue to change,” according to the release.

The following is the full written questions-and-answers with HITRUST Chief Legal Officer Carl Anderson; Chief Compliance Officer Jeremy Huval; and Vice President, Assurance Services, Bimal Sheth.

Q 1: As a national leader in cybersecurity certifications, how could the recent adjustments by HITRUST serve as a model for other organizations in wake of the coronavirus pandemic?

We are continuously challenged by changes in the threat landscape, the needs of assessed entities, and the desire for greater efficiencies during assessments -- as such, we are always evaluating our requirements and methodologies. In doing so, we also must ensure that the “rely-ability” of HITRUST CSF Assessments is maintained and that any changes do not impact the level of assurance provided or integrity of the program. Our recent adjustments have allowed us to provide alternative methods to accomplish the same tasks without compromising the intent of control requirements or the level of assurance provided. This approach should be incorporated into any third-party assurance program to ensure that your organization will be able to react to challenges, such as those being created by COVID-19.

Jeremy Huval

Jeremy Huval, Chief Compliance Officer, HITRUST

Q 2: Also, what is HITRUST's view on the longer-term impact of business disruptions from the coronavirus on the cyber certification community? Will the certification process take longer even when business returns to the new normal, possibly because of a backlog?

As noted in a communication we published earlier this week, we intend to maintain our normal operations throughout the pandemic and intend to continue processing assurance reports in accordance with our standard requirements as we do today. We have also recently announced a number of initiatives to streamline and automate the assurance process, including automated quality checks to minimize assessments being rejected for common oversights, shortening the review process. We also expect to see more organizations leveraging the Internal Assessor role as a way to utilize and engage internal resources to streamline and support the process. All of these initiatives together are adding to the capacity and efficiency of the system, hopefully minimizing backlogs.

Q 3: Explain how HITRUST's decision to waive in-person/on-site validations will work. Will on-site validations take place at currently waived facilities once the pandemic scare passes?

HITRUST’s validated assessment methodology contains a requirement that External Assessors perform a portion of assessment procedures on-site at the assessed entity’s facilities. Regardless of the amount of time the Assessor spends physically on-site at the assessed entity’s facilities, the control maturity of all in-scope HITRUST CSF requirements must be fully evaluated by the External Assessor across the entirety of the assessment’s scope. HITRUST’s temporary waiver of the in-person/on-site requirement does not change this requirement. This waiver allows Assessors and assessed entities greater flexibility in planning for and executing assessment procedures. For example, where the External Assessor might have typically performed an in-person observation of an organization’s physical security protections, the Assessor now has the option to perform this same observation using video chat or similar means.

Bimal Sheth

Bimal Sheth, Vice President, Assurance Services, HITRUST

Q 4: Also, explain the decision to not waive assurance program timing requirements. What impact will that have on the certified community? Will reporting slow down or be missed?

While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is not at this time issuing a blanket waiver for any timing requirements. We feel that doing so would work against the overall integrity of the HITRUST CSF Assurance Program as well as the “rely-ability” and accuracy of assessment reports. The age of evidence and documentation submitted is relevant in evaluating control effectiveness, especially at the implementation level of maturity.

Instead, we invite those organizations whose assessment timeline and/or certification status may be adversely impacted to contact us so that we can determine if a limited, one-time modification or exception to certain timing requirements, tailored to the organization’s specific circumstances, are feasible.

Additionally, HITRUST encourages those organizations to engage with their internal stakeholders and external partners to discuss their situation and ask for certification due-date extensions as necessary.

While some organizations will be delayed in obtaining or maintaining their HITRUST CSF Certification, we believe it is more important that those relying on HITRUST CSF Assessments Reports have confidence that all requirements were fully met. -- Rick Weber (