Our client's need

The North Carolina Department of Information Technology (NCDIT) sought to attain a HITRUST CSF certification for the Health Information Exchange Authority (HIEA) and Analytics Solutions Development environment. Prior to certification, NCDIT required an initial readiness assessment of the two environments to determine the amount of remediation needed to fully implement the HITRUST control requirements of the CSF framework. To add complexity to the mix, the NCDIT also appoints a third-party hosting vendor and managed services provider that has shared responsibilities within the two environments.

The NCDIT also identified the need to evaluate the security of its Government Data Analytics Center (GDAC) environment, in accordance with standards and guidance published in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 Rev. 4 “Security and Privacy Controls for Federal Information Systems and Organizations.” Applicable to NIST, the GDAC environment includes additional environment groups not applicable to HITRUST.

Baker Tilly's solution

Baker Tilly's Risk Advisory consulting practice was contracted to perform a readiness assessment to evaluate the GDAC, HIEA, Analytic Solutions Development environment and other environment’s internal controls and scores against the HITRUST CSF version 9.1 and the NIST frameworks.

First, Baker Tilly mapped the HITRUST v9.1 control requirement set to the NIST Security and Privacy controls. Second, Baker Tilly conducted dual-based walkthroughs that covered the HITRUST specific and NIST specific environments which included control owners from NCDIT and the third-party vendor. The objective was to determine if the scores were above the threshold required for the standards, and whether the NCDIT was prepared to pursue the HITRUST CSF certification and to understand their readiness for NIST assessment.

Results achieved

The NCDIT came to understand its readiness for HITRUST CSF certification and compliance with the NIST 800-53 Rev. 4 framework. A plan was developed to address the gaps identified. The NCIDT also saved time, effort and cost by performing the readiness assessment for HITRUST CSF and NIST 800-53 Rev. 4 at that same time.