HITRUST Scoring (Part 3 of 6)

Travis Good
November 12, 2021

HITRUST scoring can be complicated. The details of scoring are less important than understanding the high-level approach and the maturity model. The reason most people fret about the details is to judge whether they will score high enough to obtain a HITRUST Certification.

The short version of the HITRUST scoring process is below.

  1. Each CSF control is rated based on maturity.
  2. The maturity ratings are weighted (HITRUST defines the weighting).
  3. The aggregate score for each domain (domains are collections of controls), based on the weighted ratings, is calculated.
  4. If every domain's aggregate score is at or above the required threshold, the company qualifies for HITRUST Certification.

We'll get into the details of scoring below, but first it's important to understand the maturity model that HITRUST uses in evaluating Requirement Statements and controls.

Maturity Model

The maturity model used by HITRUST is adapted from NIST and Carnegie Mellon models. The purpose of this approach is to rate each HITRUST control in the CSF not simply as met or unmet, but against different degrees of maturity. With this granular approach to rating each control, HITRUST can offer detailed and explicit guidance to companies and HITRUST assessors, increasing the consistency of HITRUST assurance.

The levels of maturity are outlined below.

  1. Policy. Have you documented what you need to do? Considers the existence of current, documented information security policies or standards in the organization’s information security program and whether they fully address the control’s implementation specifications.
  2. Procedure. Do you know how you will do what you need to do? Considers the existence of documented procedures or processes developed from the policies or standards and whether they reasonably apply to the organizational units and systems within scope of the assessment.
  3. Implementation. Have you done what you need to do? Considers the actual implementation of the policies and whether the control’s implementation specifications are applied to all the organizational units and systems within scope of the assessment.
  4. Measured. Do you test to ensure what you are doing is working properly? Considers the testing or measurement (metrics) of the specification’s implementation and whether they continue to remain effective.
  5. Managed. Do you integrate the first 4 levels so they work together? Reviews the organization’s management of its control implementations based on these metrics.

The above maturity levels are assessed for every HITRUST control in the CSF. This can seem daunting at first, and it is when you first get started with HITRUST, but there is a lot of value in using this structured approach to assess your security program.

Maturity Ratings

Now that we have the overall structure of the maturity model, the next step is to rate each maturity level. For every control, each of the five maturity levels listed above receives one of the following ratings.

  1. Non-compliant (NC) - score of 0%.
  2. Somewhat compliant (SC) - score of 25%.
  3. Partially compliant (PC) - score of 50%.
  4. Mostly compliant (MC) - score of 75%.
  5. Fully compliant (FC) - score of 100%.

HITRUST publishes specific criteria for each rating at each maturity level. The proportion of those criteria that are met determines the rating.

Scoring

Scoring is the method of tying all of the above together. Each control receives a rating for each of the five maturity levels. Each rating is multiplied by that level's weighting factor, and the five products are summed to give the control's weighted score. The weighted scores of all controls within a domain are then averaged. In order to be HITRUST Certified, every domain needs an average weighted score of at least 62.5.

Even when every domain meets this average, any individual control with a weighted score below 62.5 needs a corrective action plan (CAP). You can still be HITRUST Certified with CAPs.

HITRUST does an additional conversion of the weighted averages to a PRISMA maturity rating on a scale from 1- to 5+. To me, it is simpler just to focus on the weighted average.

Weighting

Weighting assigns a different priority to each maturity level: a level's weighting factor is the share of a control's 100-point score that the level can contribute.

At the end of 2019, HITRUST adjusted its weighting factors to put more priority on Implementation than on Policy and Procedure. This makes sense, as HITRUST wants to reward doing the things you say (Implementation), not just saying you do them (Policy) and saying how you do them (Procedure).

Below are the current weighting factors (assessments from 2020 onward) and the factors in force before 2020. Each factor is the percentage of a control's score that the maturity level contributes when rated Fully Compliant.

  Maturity level    Current    Before 2020
  Policy               15          25
  Procedure            20          25
  Implementation       40          25
  Measured             10          15
  Managed              15          10

Before this change in weighting, it was possible to be HITRUST Certified if you scored Fully Compliant (FC - 100%) on Policy and Procedure, Partially Compliant (PC - 50%) on Implementation, and Non-Compliant (NC - 0%) on Measured and Managed, because that combination scored exactly 62.5 under the old factors. Only implementing 50% of what you say you do is not a high bar. Under the new weighting, the same combination scores 55, so you need at least Mostly Compliant (MC - 75%) on Implementation, which brings it to 65.

Measured and Managed are very hard to achieve and many smaller companies are HITRUST Certified while being non-compliant for these maturity levels.

Example

At this point, it's easiest to use an illustrative example to tie it all together. We are going to use a real HITRUST control as an example to show all of the elements of the scoring process.

Mobile computing devices are protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls or equivalent functionality, secure configurations, and physical protections.

There's a lot in the above control statement. And a lot that needs to be done to meet it. For now, we're just going to score it and use those scores to calculate an overall weighted score for the control. Below are the ratings for each maturity level.

[Table: rating and weighted contribution for each maturity level of the control above]

The overall weighted score for the above control is 65, which is above the 62.5 threshold for HITRUST Certification. But this is just one control; the average weighted score of all controls in this domain needs to be at least 62.5, and that threshold needs to be met by all 19 HITRUST domains.
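To make the arithmetic concrete, here is an added example (my own code, not the post's and not a HITRUST tool) that applies the four scoring steps to a set of control ratings: weighted score per control, average per domain, CAP flagging, and the all-domains certification check. The weighting factors are the HITRUST percentages for assessments from 2020 onward and the pre-2020 percentages; the control identifiers, domain names and ratings are constructed for illustration. The first control's ratings are one combination that reproduces the 65 above; the post does not say which combination it used.

```python
"""Added example: apply the HITRUST scoring process to a set of control ratings."""
from dataclasses import dataclass
from statistics import mean

# Maturity ratings and their percentage scores, as given in the post.
RATINGS = {"NC": 0, "SC": 25, "PC": 50, "MC": 75, "FC": 100}

# Weighting factors per maturity level, in percent. Assumption: these are the
# HITRUST factors in effect from 2020 onward and the ones used before 2020;
# check them against the CSF version your assessment actually uses.
WEIGHTS_CURRENT = {"Policy": 15, "Procedure": 20, "Implementation": 40,
                   "Measured": 10, "Managed": 15}
WEIGHTS_PRE_2020 = {"Policy": 25, "Procedure": 25, "Implementation": 25,
                    "Measured": 15, "Managed": 10}

# Minimum average weighted score per domain; also the per-control CAP threshold.
THRESHOLD = 62.5


def weighted_score(ratings, weights=WEIGHTS_CURRENT):
    """Weighted score (0-100) for one control from its five maturity ratings."""
    missing = set(weights) - set(ratings)
    if missing:
        raise ValueError(f"missing ratings for: {sorted(missing)}")
    # Integer percentages keep the arithmetic exact (e.g. 6500 / 100 == 65.0).
    return sum(RATINGS[ratings[level]] * w for level, w in weights.items()) / 100


@dataclass
class Control:
    control_id: str   # hypothetical identifiers, not HITRUST's own
    domain: str
    ratings: dict


def assess(controls, weights=WEIGHTS_CURRENT, threshold=THRESHOLD):
    """Apply steps 1-4 of the scoring process.

    Returns (certifiable, domain_averages, caps): whether every domain meets
    the threshold, the average weighted score per domain, and the list of
    (control_id, score) pairs that need a corrective action plan.
    """
    scores_by_domain = {}
    caps = []
    for control in controls:
        score = weighted_score(control.ratings, weights)
        scores_by_domain.setdefault(control.domain, []).append(score)
        if score < threshold:
            caps.append((control.control_id, score))
    domain_avg = {d: mean(s) for d, s in scores_by_domain.items()}
    certifiable = all(avg >= threshold for avg in domain_avg.values())
    return certifiable, domain_avg, caps


# Constructed sample: two controls in one domain and one in another. Domain
# names and ratings are illustrative. ctl-A is one combination that gives the
# 65 from the post's example; ctl-B has only Partially Compliant Implementation.
SAMPLE_CONTROLS = [
    Control("ctl-A", "Mobile Device Security",
            {"Policy": "FC", "Procedure": "FC", "Implementation": "MC",
             "Measured": "NC", "Managed": "NC"}),
    Control("ctl-B", "Mobile Device Security",
            {"Policy": "FC", "Procedure": "FC", "Implementation": "PC",
             "Measured": "NC", "Managed": "NC"}),
    Control("ctl-C", "Access Control",
            {"Policy": "FC", "Procedure": "FC", "Implementation": "FC",
             "Measured": "NC", "Managed": "NC"}),
]


def run_example(weights=WEIGHTS_CURRENT):
    """Score the constructed sample under the given weighting factors."""
    return assess(SAMPLE_CONTROLS, weights)


if __name__ == "__main__":
    for label, weights in (("current", WEIGHTS_CURRENT), ("pre-2020", WEIGHTS_PRE_2020)):
        certifiable, averages, caps = run_example(weights)
        print(f"[{label}] certifiable={certifiable} averages={averages} caps={caps}")
```

Running it shows the effect of the 2019 weighting change on an otherwise identical program: under the pre-2020 factors the sample is certifiable with no CAPs (ctl-B scores exactly 62.5), while under the current factors ctl-B drops to 55, pulls the domain average down to 60, and both blocks certification and requires a CAP.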

----

HITRUST scoring can be complicated, and the details are best left to assessors and the CSF. The main takeaway is that Procedure, and especially Implementation, carry the most weight and will have the most impact on your overall HITRUST performance.