New 90 Day Rules for HITRUST

Our friends over at Coalfire recently published a blog post about new restrictions placed on HITRUST certification in the healthcare sector that have been causing some hiccups in recent efforts. They are logical, but leave little room for improvisation - they are the 90 day requirements and they come in two flavors.

First, all tested components are subject to a 90 day maturation period. Each element must be approved and/or implemented for 90 days prior to being tested. This means that if you are engaged with a firm like Coalfire and they identify an area of need and you must add capabilities, you just pushed back your certification 90 days plus the time to implement. This is obviously an issue if you're already hustling to get the checkmark so you can deploy.

To add salt to the wound, the second requirement is that all testing must be completed within a 90 day period. So if you begin testing and a component fails, you may need to restart the 90 day window and repeat testing as needed if it takes too long to fix and it ages out. (I have personally heard horror stories of the CPA exams, in a similar format, in which the first exam was passed, but delays to licensing render the exam result invalid because it exceeded the timeframe and must be re-taken.) You can imagine the frustration if successfully tested components must be re-tested for no reason other than to comply with a narrow window for review.

So why bring this up? Seems like a problem for someone else to figure out... except for one thing.
FIPS 140-2 validated encryption is one of the required elements in HITRUST.

Like so many other U.S.-centric compliance initiatives, the HITRUST Common Security Framework (CSF) relies upon much of the National Institute of Standards and Technology (NIST) research and benchmarking to establish industry best practices. With the many references to NIST's ubiquitous Special Publication 800-53, it's no surprise that FIPS 140-2 comes into play.

HITRUST successfully made 90 days seem both extremely long (when you're waiting for the maturity) and extremely short (when you're hustling to get all the testing complete inside the window). Funny how that changes, based on your point of view.

Here's where SafeLogic brings significant value to the effort:

- CryptoComply is very quick to be installed. Drop in the appropriate version of the crypto module and get that clock ticking on the 90 days of maturity.
- RapidCert is very quick to get to FIPS 140-2 validation. Even if you began your traditional CAVP/CMVP testing effort on Day 1 of the maturity window with a consultant, you would need a miracle to receive your FIPS 140-2 validation certificate number by Day 90 of the testing window. Instead, RapidCert guarantees that it will be done within your timeframe and that it will not be kicked back by the testing lab for alterations, which would set you back to the beginning of the maturity waiting period.

In short, if you need FIPS 140-2 validated encryption fast, you're in the right place. Ping me with any questions or click on 'Request a Quote' on the nav bar and the SafeLogic team will get you squared away. Quickly, of course.