Navigating HITRUST Certification: The limitations of implementing custom controls without expert guidance


As organizations strive to enhance their cybersecurity measures and establish trust with their stakeholders, achieving HITRUST certification has become an increasingly sought-after milestone. In this post, we dive into the potential drawbacks of relying on custom controls for HITRUST certification without the guidance and knowledge of a HITRUST Approved Assessor, and emphasize the significance of partnering with HITRUST-recognized External Assessors, like Thoropass, for expert guidance throughout the certification process.

Experts offer sufficient scoping and representation

Getting it done doesn’t mean you’re getting it done right. When it comes to your custom controls, the right thing includes proper scoping activities, understanding exactly what to include (and what not to include) in your evaluation components, and having the appropriate guidance and representation when implementing your controls.

Simply importing HITRUST controls into a platform and going it alone leaves your organization vulnerable to gaps in the scoping of your project, which can lead to costly mistakes.

While automation or taking the ‘path of least resistance’ may seem convenient at first glance, it is crucial to consider the limitations and implications of such an approach.

Limitations of importing controls without expert guidance

Navigating your HITRUST custom controls without expert guidance would be like trying to explore a foreign area without the assistance of Google Maps.

Importing controls without sufficient scoping and evaluation assumes that you’ve already undergone HITRUST certification and possess the necessary controls. Or worse, using a templated or ‘standard’ set of controls assumes a one-size-fits-all approach is sufficient. Both of these approaches present a significant challenge for organizations new to the HITRUST framework, as you likely lack the knowledge and understanding of the controls required for your specific context.

Scoping activities play a vital role in determining the boundaries and requirements of HITRUST certification, including things like:

  • What products are in scope?
  • What locations?
  • How many records are collected, processed, etc.?
  • How many devices?

Incorrect scoping can have detrimental effects on an organization, potentially leading to the inclusion of unnecessary information or the exclusion of critical evaluation components. As a result, organizations are strongly advised to seek guidance from trusted HITRUST External Assessors, who have the expertise to ensure accurate scoping and help you avoid expensive setbacks.

Expert guidance and external assessment

Implementing and managing controls in alignment with the HITRUST framework requires the right kind of assistance and guidance. While exploring HITRUST solutions, it is essential to ask targeted questions to ensure your provider has the necessary expertise. The value of working with Authorized Assessors lies in their comprehensive understanding of the HITRUST framework, which enables them to provide accurate guidance, implement controls effectively, and prepare organizations for external assessment and audit processes.

You can find a list of HITRUST approved External Assessors here


PSA: Thoropass is very proud to be the only compliance automation software to appear on the list.

The role of a HITRUST approved External Assessor in your HITRUST journey

To protect both HITRUST as a governing body and the customers pursuing HITRUST certification, you must work with a HITRUST approved External Assessor. Partnering with such organizations ensures compliance meets licensing requirements and provides organizations with access to trusted experts who possess the necessary qualifications and experience to navigate the complex HITRUST certification journey.

With Thoropass, for example, here is what you can expect once you’re approved to receive our service for HITRUST:

  • Predefined policy and procedure templates drafted to meet HITRUST requirements.
  • Step-by-step guidance to ensure your organization properly implements the prescriptive HITRUST CSF control requirements.
  • Instructions necessary to ensure your evidence meets the thresholds set by HITRUST.
  • Concierge services with automated off-line assessment functionality to ease the work involved in packaging the assessment and preparing it for HITRUST submission through the HITRUST MyCSF portal, along with all required QA.

At Thoropass, we exist to make doing the right thing as easy and accessible as possible. Thoropass performs the readiness review, assists our customers in preparing for validation, and conducts the validation assessment and the interim review for a HITRUST Assessment.

If you’d like to learn more, feel free to get in touch with one of our team members.

Final thoughts

While pursuing HITRUST certification, your organization should proceed with caution—but proceed nonetheless! HITRUST is becoming an increasingly important framework, especially in the healthcare tech industry. When it comes to the documentation and use of custom controls in particular, be diligent and prioritize tested and proven software solutions that maximize the likelihood of receiving recommendations from external auditors.

Furthermore, seeking expert guidance from HITRUST Authorized Assessors and partnering with recognized and approved organizations, like Thoropass, will contribute significantly to the achievement of HITRUST certification and the establishment of robust cybersecurity practices.
