1 Minute Guide to the Updated HITRUST Scoring & Metrics for 2020

At the start of the year, HITRUST released an updated methodology for scoring requirements. This will ensure that organizations focus on maintaining a robust program with implemented controls for enhancing security posture and adherence to HITRUST.

Hence, if you’re on the path to HITRUST or new to it, the following will be applicable to you:

  1. HITRUST will now place a greater influence on implementation of controls
  2. It can potentially increase the number of Corrective Action Plans (CAPs) due to gaps in implementation.
  3. The increase in CAP’s in implementation would correspond with a decrease in the number of CAPs attributed to gaps in policies and procedures as well as an increase in the scores for managed & measured if implemented well.
  4. A greater emphasis will be placed on procedure in comparison to policy.
  5. HITRUST wants to ensure that SOPs are well documented, but more importantly, followed with workflows and ownership.
  6. Assessors and enterprises will now be able to objectively score each control using the Control Maturity Rubric.
  7. Managed now holds greater importance in comparison to measured.

The key takeaways are as follows:

1) Change in weightage

Maturity LevelsOldNew
Policy25%15%
Procedure25%20%
Implemented25%40%
Measured15%10%
Managed10%15%

2) Updated HITRUST Control Maturity Rubric

An objectively defined control maturity rubric is in place. It will aid in quantifying current state of controls during self-assessments for HITRUST prospective enterprises & for validated assessments. There are 5 tiers for assessing the strength of the control (policy, procedure, implementation, measurement and management) and 5 tiers for assessing coverage and adherence.

3) Applicability

The new scoring rubric is applicable for all myCSF material created and all assessments (self and validated) submitted to HITRUST in the year 2020.

4) Will the new scoring metrics impact already certified organizations?

Not yet, but it will play a role in re-certification. The metrics associated with the original assessment will be applicable for the interim assessment. 

Due to the updated assessment guidelines, companies up for re-certification will be required to implement their CAPs associated with implementation. In turn, this will aid in increasing your implementation score, and, consequently, increase your scores for measured and managed.

Need Help?

I’m Here To Assist You

Something isn’t Clear? We would love to chat and discuss your security & technology challenges.

This website uses cookies to ensure you get the best experience on our website.