HITRUST scoring can be complicated. The details of scoring are less important than understanding the high level approach and maturity model. The reason most people fret about the details of scoring is to assess the likelihood they will score high enough to obtain a HITRUST Certification.
The short version of the HITRUST scoring process is below.
We'll get into the details of scoring below, but first it's important to understand the maturity model that HITRUST uses in evaluating Requirement Statements and controls.
The maturity model used by HITRUST is adapted from NIST and Carnegie Mellon models. The purpose of this approach is to rate each HITRUST control in the CSF not simply as met or unmet, but against different degrees of maturity. With this granular approach to rating each control, HITRUST is able to offer detailed and explicit guidance to companies and HITRUST assessors, increasing the consistency of HITRUST assurance.
The levels of maturity are outlined below.
The above maturity levels are assessed for every HITRUST control in the CSF. This can seem daunting at first, and it is when you first get started with HITRUST, but there is a lot of value in using this structured approach to assess your security program.
Now that we have the overall structure of the maturity model, the next step is to rate each maturity level. One of the following ratings is assigned to each of the maturity levels listed above.
Each rating has specific criteria for each maturity level. The amount, or rough proportion, of criteria met determines the rating.
Scoring is the method of tying all of the above together. Each control is given a maturity rating for each maturity level. These maturity ratings are then multiplied by a weighting factor to get an overall weighted score for each control. The average of all of the weighted scores within each domain is then calculated. In order to be HITRUST Certified, every domain needs an average weighted score of at least 62.5.
Even with this average across all domains, any specific control within a domain with a weighted score of less than 62.5% needs a corrective action plan (CAP). You can still be HITRUST Certified with CAPs.
HITRUST does an additional conversion on the weighted averages to get a PRISMA score from -1 to 5+. To me, it is simpler just to focus on the weighted average.
HITRUST score weighting is a way to assign different weighting, or priority, to different maturity levels.
At the end of 2019, HITRUST adjusted its weighting factors to put more priority on Implementation than on Policy and Procedure. This makes sense, as HITRUST wants to reward doing the things you say (Implementation), not just saying you do them (Policy) and saying how you do them (Procedure).
Below are the current weighting factors and the weighting factors in effect before 2020.
Before this change in weighting, it was possible to be HITRUST Certified if you scored Fully Compliant (FC - 100%) on Policy and Procedure, Partially Compliant (PC - 50%) on Implementation, and Non-Compliant (NC - 0%) on Measured and Managed. Implementing only 50% of what you say you do is not a high bar. The new weighting requires that you score at least Mostly Compliant (MC - 75%) on Implementation.
Measured and Managed are very hard to achieve and many smaller companies are HITRUST Certified while being non-compliant for these maturity levels.
At this point, it's easiest to use an illustrative example to tie it all together. We are going to use a real HITRUST control as an example to show all of the elements of the scoring process.
Mobile computing devices are protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls or equivalent functionality, secure configurations, and physical protections.
There's a lot in the above control statement, and a lot that needs to be done to meet it. For now, we're just going to score it and use those scores to calculate an overall weighted score for the control. Below are the ratings for each maturity level.
HITRUST Scoring Example
The overall weighted score for the above control example is 65, which is above the 62.5 threshold for HITRUST Certification. But this is just one control; the average of all controls for this domain needs to be above 62.5 to be HITRUST Certified, and this threshold needs to be met by all 19 HITRUST domains.
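To make the arithmetic concrete, here is an added worked example (not HITRUST tooling, and not part of the original post) that scores a small constructed domain under both the current and the pre-2020 weighting factors and flags controls that would need a CAP. The weighting factors, the 25%-step rating scale and the control names in the sample domain are assumptions supplied for illustration; confirm the factors against the current CSF before relying on them.

```python
"""Worked HITRUST-style weighted scoring (added illustration, not HITRUST's own code)."""
from statistics import mean

LEVELS = ("Policy", "Procedure", "Implemented", "Measured", "Managed")

# Weighting factors (assumed values): the 2019 change shifts weight onto Implementation.
WEIGHTS_CURRENT = dict(zip(LEVELS, (15, 20, 40, 10, 15)))
WEIGHTS_PRE_2020 = dict(zip(LEVELS, (25, 25, 25, 15, 10)))

# Maturity ratings as percentages. NC/PC/MC/FC are from the text; SC is assumed.
RATING = {"NC": 0, "SC": 25, "PC": 50, "MC": 75, "FC": 100}

CERT_THRESHOLD = 62.5  # required domain average; controls below it need a CAP


def control_score(ratings, weights=WEIGHTS_CURRENT):
    """Weighted score for one control: sum over levels of rating% x weight / 100."""
    return sum(RATING[ratings[level]] * weights[level] for level in LEVELS) / 100


def domain_summary(controls, weights=WEIGHTS_CURRENT):
    """Average the weighted scores in a domain and list controls needing a CAP."""
    scores = {name: control_score(r, weights) for name, r in controls.items()}
    caps = sorted(name for name, s in scores.items() if s < CERT_THRESHOLD)
    avg = mean(scores.values())
    return {"scores": scores, "average": avg,
            "certifiable": avg >= CERT_THRESHOLD, "caps": caps}


# Constructed sample domain: the mobile-device control from the text (rated
# FC/FC/MC/NC/NC, which yields the 65 quoted above) plus two invented controls.
SAMPLE_DOMAIN = {
    "mobile_devices": dict(zip(LEVELS, ("FC", "FC", "MC", "NC", "NC"))),
    "encryption_at_rest": dict(zip(LEVELS, ("FC", "MC", "FC", "NC", "NC"))),
    "removable_media": dict(zip(LEVELS, ("FC", "PC", "PC", "NC", "NC"))),
}

if __name__ == "__main__":
    for label, w in (("current", WEIGHTS_CURRENT), ("pre-2020", WEIGHTS_PRE_2020)):
        s = domain_summary(SAMPLE_DOMAIN, w)
        print(label, {k: round(v, 2) for k, v in s["scores"].items()},
              "avg", round(s["average"], 2), "CAPs", s["caps"])
```

The same three ratings average exactly 62.5 under the pre-2020 factors but only 60 under the current ones, which is the practical effect of the weighting change described above.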
HITRUST scoring can be complicated, and the details are best left to assessors and the CSF. The main takeaway is that Procedure, and especially Implementation, are the most heavily weighted maturity levels and will have the most impact on your overall HITRUST performance.