Successful Sampling for HITRUST Certification

Written by: Patrick Estano

When going through the HITRUST certification process, sampling arises frequently. So, what is sampling, why does it matter, and how can you ensure you’re setting yourself up for success? We’ll answer those questions and more below in detail.

What is Sampling?

Sampling is an investigative method used by HITRUST assessors in which less than 100% of the total items within a population are selected to be audited. This method is employed to increase testing efficiency by cutting out unnecessary administrative work for both the client and the assessor, while also accurately testing the population with a sufficient sample size.

A good example of a control that’s usually sampled is security awareness training. Let’s say an organization has 100 employees and they need to ensure training is being completed. Instead of taking the time to review evidence that every single person has completed the training, an organization would take a sample of 10% of the population. This way, the organization can spend less time testing evidence while remaining confident that the training process is working effectively.

The Importance of Sampling

Sampling is an important aspect of HITRUST Validated Assessments and will almost always be a major requirement for controls within the scope of the engagement. Whether sampling is appropriate and required is dictated by HITRUST within the illustrative procedures. When a sample is requested to be selected and tested, a proper sample should cover all specified elements of the in-scope environment. As a result, a proper sample should test all applications/systems defined in the assessment scope.

Sampling Requirements

Sampling is also expected to be performed on any requirement statement where the illustrative procedures indicate one should be taken. This is included in the “implemented” section of the illustrative procedures and explicitly includes the phrase “select a sample.” Furthermore, sampling must cover all in-scope applications and implemented systems. If there are multiple applications in-scope, evidence must be provided for each to satisfy the requirement statement.

To gather the correct evidence, population ranges must be selected to ensure sampling evidence is pulled during the fieldwork period. Similar to System and Organization Controls (SOC) and Sarbanes-Oxley (SOX) sampling, populations should abide by completeness and accuracy guidelines. Populations that haven’t been influenced or filtered by the client are ideal, unless it isn’t possible to pull such a population. Screenshots showing how the population is pulled should be included with the evidence. For the initial validated assessment, the sampling period must be at least three months from the start of fieldwork. Subsequent validated assessments typically have a sampling period of one year to ensure sufficient audit coverage.

Sampling Methodology

HITRUST recommends leveraging several industry-standard sampling methodologies, such as:

  • Random Sampling

Random sampling is recommended because it removes bias from the entity selecting the sample.

  • Systematic Sampling

Systematic sampling entails choosing every “n’th” item in a population (i.e., every first, second, or third row). This provides similar assurance to random sampling, but it can be easier to use a random number generator instead.

  • Haphazard Sampling

Haphazard sampling involves an arbitrary selection made by the HITRUST Assessor without a structured selection method. Ideally, haphazard sampling should only be used after attempting random or systematic sampling, since it often incurs a level of unconscious bias.

Finally, there are certain controls that can’t be reasonably sampled since they’re operating in real-time rather than at a defined frequency. These are referred to as automated controls. For example, event logging and monitoring systems may generate thousands of alerts at undefined frequencies. Therefore, the HITRUST Assessor will request the scope of logging, configuration of alert logs, and a sample of one recent email alert from management.

HITRUST Sample-based Testing Requirements

Sampling Scenario / Minimum Number of Items to Test*

Testing a manual control operating at a defined frequency:

  • Daily controls: 25 days
  • Weekly controls: 5 weeks
  • Monthly controls: 2 months
  • Quarterly controls: 2 quarters
  • Semi-annual controls: 2 halves
  • Annual controls: 1 year (most recent control occurrence)

Testing a manual control operating at an undefined frequency (i.e., “as needed”): sample size varies based on population size:

  • Pop. size >= 250: 25 items
  • Pop. size 50-249: 10% of the population, rounding up as needed
  • Pop. size < 50: Sample size can range from a minimum of three items up to the entire population. Use professional judgment.

  Population period:

  • Minimum of 90 days prior to the date of testing with a maximum of one year prior to the date of testing

Testing an automated control (NOTE: If configured on or embedded within multiple systems/tools, each system/tool must be tested): a test of one can be performed if the following are performed/met (otherwise, a full sample must be tested using the manual control sampling guidance provided above):

  • If configurable, the associated configuration(s) must be tested
  • To show that the system behaves as configured, the outcome/result of the configuration must be tested

Sampling from point-in-time populations (e.g., endpoints, servers, and current employee list):

  • Observe the sampling guidance provided for the “testing a manual control with an undefined frequency” scenario above

*Testing lead sheets must be used to document the sampling approach, the items selected for testing, and the results of testing for each sampled item. Evidence must be retained to support the conclusions for each sampled item.

Figure 1: HITRUST CSF
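The following is an added example (not from HITRUST or the author) that encodes the sample-size rules in the table above and the random and systematic selection methods from the Sampling Methodology section into a small calculator that also records the approach on a lead-sheet style record. Function names, the `judgment_size` parameter and the constructed change-ticket population are assumptions for illustration.

```python
import math
import random

# Minimum control occurrences to test for manual controls at a defined frequency (table above).
DEFINED_FREQUENCY_MINIMUMS = {
    "daily": 25, "weekly": 5, "monthly": 2, "quarterly": 2, "semi-annual": 2, "annual": 1,
}

def undefined_frequency_sample_size(population_size, judgment_size=3):
    """Minimum items for an as-needed manual control or a point-in-time population."""
    if population_size <= 0:
        raise ValueError("population must contain at least one item")
    if population_size >= 250:
        return 25
    if population_size >= 50:
        return math.ceil(population_size * 0.10)   # 10% of the population, rounded up
    # Fewer than 50 items: at least three, at most the whole population; the exact
    # count within that range is professional judgment (judgment_size, assumed here).
    return min(population_size, max(3, judgment_size))

def automated_control_sample_size(config_tested, outcome_tested, population_size):
    """A test of one is allowed only when both the configuration and its outcome are tested."""
    if config_tested and outcome_tested:
        return 1
    return undefined_frequency_sample_size(population_size)

def random_selection(population, n, seed):
    """Random sampling; the seed is recorded on the lead sheet so the draw is reproducible."""
    items = list(population)
    return items if n >= len(items) else sorted(random.Random(seed).sample(items, n))

def systematic_selection(population, n, seed):
    """Systematic sampling: every k-th item starting from a random offset within the first k."""
    items = list(population)
    if n >= len(items):
        return items
    k = len(items) // n                      # interval; start + (n-1)*k always stays in range
    start = random.Random(seed).randrange(k)
    return [items[start + i * k] for i in range(n)]

def lead_sheet(control, population, method, seed):
    """Record approach, population size, sample size and selected items (table footnote)."""
    n = undefined_frequency_sample_size(len(population))
    picker = random_selection if method == "random" else systematic_selection
    return {"control": control, "population_size": len(population), "sample_size": n,
            "method": method, "seed": seed, "selected": picker(population, n, seed)}

if __name__ == "__main__":
    # Constructed population: 120 change-ticket IDs pulled, unfiltered, for a 90-day window.
    tickets = [f"CHG-{i:04d}" for i in range(1, 121)]
    print(lead_sheet("Change management approval", tickets, "systematic", seed=2024))
```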

HITRUST Sampling Calculator

Historically, online sample sizing calculators and random sampling tools have been available to help HITRUST Assessors perform sample testing at a more efficient rate. However, none have been freely available that incorporate HITRUST’s specific sampling guidance from the HITRUST Scoring Rubric within the HITRUST Assurance Program Requirements.

Recently, HITRUST has created its own sampling calculator that can be used in the various sampling scenarios encountered in HITRUST r2 and i1 Validated Assessments, including:

  • Sampling from a point-in-time population.
  • Sampling control occurrences of controls operating at a defined frequency such as daily, weekly, monthly, or quarterly.
  • Sampling control occurrences of controls operating at an undefined frequency (like as-needed controls).
  • Testing automated controls.

The HITRUST Sampling Calculator not only calculates the minimum sample size needed, but also allows you to randomly select samples based on either the population size or testing date. These selections can be easily copied to a clipboard and pasted into Excel. The entire calculator can also be exported and included in HITRUST Assessment documentation. If you’ve been relying on random.org or custom spreadsheets for determining sample size and selecting random samples in your HITRUST Assessments, try using the Sampling Calculator.

Conclusion

The HITRUST Validated Assessment can be an intense process, but it’s essential to provide reasonable assurance that your environment is operating effectively and in alignment with HITRUST CSF. It’s imperative to get sampling correct to achieve the highest marks possible in the implementation scoring category. Your score may be negatively affected if you don’t provide properly documented sampling lead sheets and supporting evidence.

Engaging a HITRUST Assessor with vast experience in planning, testing, and documenting the operational effectiveness of HITRUST controls will ensure you receive the highest scores possible in the implementation category.