If you are looking to embark on HITRUST Certification, you'll be spending a lot of time on your IT Policy. This is arguably the most important part of the HITRUST Certification (whether it should be the most important part is a topic for another day).
This might be a boring post, and I find it tedious too, but if you're serious about HITRUST Certification, this will save you a ton of fits and starts and get you to the objective at hand: certification.
Disclaimer: I am not a fan of policies in general. This stems from a college course when the professor brought in an attorney who said two things that changed the way I looked at policies.
- Policies are defined to assign blame, not to document SOPs.
- On that note, be careful what you put into a policy, because if you're not adhering to it in totality, it can be used against you when defending yourself. Truthfully, it would almost be better not to have one than to be caught not adhering to your policy.
For those reasons, I delayed a full fledged IT Policy.
If you go for your HITRUST Certification, no amount of kicking and screaming will prevent policy documentation. Get on board, or don't do the certification. And if you're going to create a policy document, you better do it well and adhere to it or it will create more harm than good.
For us this meant moving from a 1-page, 13-bullet-point document (that did a phenomenal job of protecting our data) to a 105-page document that did a slightly better job of protecting our data.
Those 105 pages were not easy to craft either. Recently, I had a conversation with an accomplished CIO in healthcare, and he was curious where we got our IT Policy document. My response, "I composed it. From scratch." This impressed him as he had tried to do HITRUST Certification twice in the past and never got it accomplished, even with the assistance of a purchased IT Policy template.
Make no mistake, it's not easy writing a HITRUST Compliant IT Policy.
That being said, let's talk about the structure which will considerably help in crafting this document.
Typically, your HITRUST Certification is based on a framework. For us, it was NIST. This framework will define the Domains your controls derive from. Then the MyCSF tool (part of what you pay for) determines the HITRUST Controls that are required for your certification. All of these controls are then put into a versioned module that lists every requirement. Each requirement in that master list gets a reference prefixed with HIT and numbered sequentially through the whole set. We referred to these as HITs, and for us there were 281 of them.
From there, each HIT reference is required to have 1) a documented Policy statement and 2) a defined Process. Your assessor must agree that both exist AND must agree that the process fulfills the policy.
Here is my best advice for structuring your IT Policy:
- Start with the high-level Domains. These should be the "sections" of your IT Policy. Have them match exactly as they appear in the HITRUST Module. Start with "01 Information Protection Program", then go on to "02 Endpoint Protection", etc.
- From there, organize each sub-section by HITRUST CSF Control. These sub-sections are named like "00.a Information Management Program" and "02.a Roles and Responsibilities".
- Within each sub-section have two main bodies: Policy & Process.
- Policy: this is where you write the policy statements. After each policy statement (there may be several per control), put the HIT number(s) it satisfies in parentheses. This lets you and your assessor confirm that every HIT is covered, and that nothing is referenced that isn't in your module.
- Process: for each process, spell out exactly how you will achieve the corresponding policy statement. Use as many processes as it takes. Each process should name a Responsible Party, defining who performs it. Use definitions (i.e., role titles), not people's names, so the document survives staff changes. It should also list the Applicable Tools and give a Description of Implementation.
Make sure you have a table of contents for all this, and be sure to include a definitions section. Both of these will save you a lot of time using and updating the document in the future.
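Because every HIT must appear in parentheses after a policy statement and every control needs both a Policy and a Process body, the document structure above is easy to check mechanically before the assessor does it by hand. The following is an added example, not code from the original post or from HITRUST's MyCSF tooling: a small Python script that scans a plain-text export of the policy, lists HITs that are never referenced, HITs that are referenced but don't exist in the module, HITs referenced more than once, and controls missing a Policy or Process body. The `(HIT-NNN)` tag format, the `NN.x` control-reference pattern, the sample document, and its six-HIT module size are all assumptions made for the example (the real module will have hundreds of HITs and your own reference format).

```python
import re
from collections import defaultdict

# Constructed sample: a fragment of a policy document laid out as described
# above (Domain, Control, Policy body, Process body). It deliberately omits a
# Process body for 02.a and references a HIT outside the assumed module.
SAMPLE_POLICY = """\
01 Information Protection Program
00.a Information Management Program
Policy
The organization maintains a documented information security program, reviewed at least annually. (HIT-001)
Executive management approves the program and assigns an owner for each control. (HIT-002) (HIT-003)
Process
Responsible Party: Chief Information Security Officer
Applicable Tools: GRC platform, document repository
Description of Implementation: The CISO presents the program to the executive team each January for approval.
02 Endpoint Protection
02.a Roles and Responsibilities
Policy
Every workstation and server runs centrally managed endpoint protection. (HIT-004)
Endpoint alerts are reviewed by the security operations team each business day. (HIT-007)
"""

# Assumed tag format: "(HIT-007)". Adjust if your module numbers HITs differently.
HIT_RE = re.compile(r"\(HIT-(\d+)\)")
# Assumed control heading format: "02.a Roles and Responsibilities".
CONTROL_RE = re.compile(r"^\d{2}\.[a-z]+\s")


def find_hit_references(text):
    """Return {hit_number: [line_numbers]} for every (HIT-NNN) tag in the document."""
    refs = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HIT_RE.finditer(line):
            refs[int(match.group(1))].append(lineno)
    return dict(refs)


def coverage_report(text, total_hits):
    """Compare the HITs referenced in the document against the expected 1..total_hits."""
    refs = find_hit_references(text)
    expected = set(range(1, total_hits + 1))
    referenced = set(refs)
    return {
        "missing": sorted(expected - referenced),      # HITs with no policy statement
        "unknown": sorted(referenced - expected),      # tags that are not in the module
        "duplicates": {h: lines for h, lines in refs.items() if len(lines) > 1},
    }


def controls_missing_bodies(text):
    """Return (control, body) pairs for controls that lack a Policy or Process body."""
    bodies = {}   # control reference -> set of body headings seen under it
    order = []    # keep document order for a stable report
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if CONTROL_RE.match(stripped):
            current = stripped.split()[0]
            bodies[current] = set()
            order.append(current)
        elif current and stripped in ("Policy", "Process"):
            bodies[current].add(stripped)
    return [(c, body) for c in order for body in ("Policy", "Process") if body not in bodies[c]]


if __name__ == "__main__":
    # Six HITs is a constructed module size for the sample, not a real certification.
    report = coverage_report(SAMPLE_POLICY, total_hits=6)
    print("HITs with no policy statement:", report["missing"])
    print("HITs referenced but not in module:", report["unknown"])
    print("HITs referenced more than once:", report["duplicates"])
    print("Controls missing a body:", controls_missing_bodies(SAMPLE_POLICY))
```

Run it against a text export of the real policy with `total_hits` set to your module's count (281 in our case) whenever the document is revised; a non-empty `missing` list means the assessor will find a gap, and a non-empty `unknown` list usually means a HIT was renumbered between module versions.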
If you want to see a sample of this, shoot us an email or fill out the contact form.
Now with that out of the way, the really hard part: adhering to it.
It goes a long way toward getting HITRUST Certified to have someone on your side who has been through the process before. If you'd like help with this process, don't hesitate to reach out to us.