The HITRUST AI Risk Management Assessment: An Introductory FAQ
In the healthcare industry, artificial intelligence (AI) is being used to save lives—using data sets, these systems are being trained to examine imaging and successfully detect potential health risks, like cancer. However, as with every technological development and shift in its use, new risks have also emerged related to the use of AI, as have measures to help mitigate them—one of which is the HITRUST AI Risk Management Assessment.
Though you have other frameworks to choose from—including the NIST AI Risk Management Framework and ISO 42001—for healthcare organizations, HITRUST’s assessment option may be the best way forward. As cybersecurity experts and highly experienced HITRUST assessors ourselves, we’ll help you determine whether that’s true for you.
In this blog post, we’ll answer five basic but important questions you’re likely pondering about the HITRUST AI Risk Management (RM) Assessment to help you determine if you should proceed with learning more—or even undergoing the assessment—or if you should instead look in another direction to secure your AI systems.
5 Answers to Your Questions About the HITRUST AI RM Assessment
1. Why is it Important to Secure Your Healthcare AI Systems Now?
Despite the new risks and vulnerabilities we mentioned earlier, prospects are looking up for AI in healthcare, as systems will continue to gain more data to learn from and therefore become more accurate or capable in other ways. For example, when we collect more data demonstrating that patients with certain symptoms are more likely to have a certain disease, we’ll be able to train AI to pick up on these minute details that humans may not connect. As helpful as that development will be, there will be challenges too—some that are already emerging.
Yes, AI is very good at picking up on minute details in data, but that strength can become a problem given the sensitive data the healthcare sector relies on. You may be thinking that it’s common practice to de-identify PHI before it is used, so this shouldn’t become a real problem. However, combining multiple sources of data also increases the risk that an AI system will “connect the dots” between patient identifiers and ultimately re-identify PHI that was never intended to be present in the system.
That means that steps must be taken now to ensure that the same AI systems that are saving lives—and will continue to do so—are not also creating risks for patient health data. HITRUST’s AI RM Assessment can help here, because it assists in identifying risks in your AI management systems and processes so that proper controls can be put in place to reduce risk and improve user experience.
2. What is the HITRUST AI Risk Management (AI RM) Assessment?
HITRUST’s AI RM Assessment is an evaluation of your compliance with 51 relevant and practical risk control requirements that can validate your AI risk management stance.
After completing your assessment, you’ll receive an insightful, actionable deliverable known as the “AI Risk Management Insights Report.” With details regarding how your AI processes, policies, and systems rank against the requirements—as well as where improvements can be made to reduce risk—this report can be used to assess AI performance, prioritize response activity, and share pertinent information with stakeholders.
3. Is the HITRUST AI RM an Assessment or a Certification?
As HITRUST assessments in general are sometimes incorrectly conflated with HITRUST certification, it’s important to note that HITRUST’s AI RM Assessment is just that, an assessment—your organization will not become HITRUST certified after conducting it.
That being said, HITRUST has indicated that they will release the AI Security Certification Program in Q4 2024, which will test an organization’s AI security controls within the HITRUST CSF and result in HITRUST certification for the AI system(s) tested if all requirements are sufficiently met.
For now, though, the HITRUST AI RM Assessment can serve as an important starting point for evaluating risks within your AI processes, policies, and systems, whether your organization is just beginning to implement AI systems or has been developing them for some time. It can also be a good way to see where you stand before pursuing the yet-to-be-released certification.
4. Why Should Your Organization Consider the HITRUST AI RM Assessment?
Every organization that utilizes, deploys, or incorporates AI technology into their business or products should implement an AI risk management program. With this in mind, here are five reasons your organization should consider undergoing a HITRUST AI RM Assessment:
- To demonstrate that your organization is developing or using trustworthy and ethical AI systems that have proper safeguards in place.
- To prove that responsible AI development and use is at the forefront of your priorities.
- To convey to stakeholders that AI risks are being identified and addressed.
- To show potential customers and end users the overall strength of the AI systems you have in place.
- To ease leadership anxiety regarding the potential risk of implementing AI systems.
5. How Does the HITRUST AI RM Assessment Compare to Other AI Standards and Guidance?
Despite these advantages to be gained, you’ll likely also be weighing other AI frameworks to identify the right solution to help secure your systems—so how does the HITRUST AI RM Assessment measure up?
To explain, it helps to know how HITRUST’s assessment was developed. The AI RM Assessment stemmed from a concern that—given the number of different standards that address the security of artificial intelligence—implementing an AI security program could become complicated.
HITRUST wanted to help organizations avoid those potential complications and simplify their AI security by harmonizing existing standards such as ISO/IEC 23894:2023 and NIST AI RMF—which both focus on AI risk management—with HITRUST’s advanced library of control requirements to deliver a comprehensive, specific, and actionable framework. (ISO/IEC 23894:2023 is referenced within ISO 42001, though that framework overall is much broader in scope given it’s a management system standard for AI systems.)
The result is the AI RM Assessment—not only will it provide a clear view of your AI performance and potential problem areas/gaps, but it will also allow you to demonstrate coverage across several standards in one report.
Next Steps for Securing Your Healthcare AI Systems
It may very well be that eventually aligning with the NIST AI RMF or pursuing ISO 42001 certification is the right path for your organization, but—even so—the AI RM Assessment should be considered a potential key starting point. Not only can it provide an idea of where you stand with AI risks while demonstrating to leadership and other stakeholders that your organization’s AI controls are compliant across several standards, but it can also help you identify and remediate gaps prior to pursuing certifications.
Should you choose to move forward with HITRUST’s AI RM Assessment, you can either self-assess or leverage an external assessor. If you opt for the latter, you should know that Schellman is well-versed in both HITRUST and AI governance so we do have the knowledge to be a great asset in your journey.
Even should you prefer to self-assess, we could still be a valuable resource, as members of our HITRUST team also have experience working within HITRUST MyCSF—the management platform where your assessment would take place—and therefore would help further streamline that process.
If you’re interested in learning more about what a potential partnership between us for a HITRUST AI RM Assessment would look like, contact us today. And in the meantime, don’t forget to read our other content on other aspects of HITRUST that can help break down other details and options:
About Jerrad Bartczak
Jerrad Bartczak is a Senior Associate with Schellman based in New York. In his work ensuring that clients maintain an effective system of controls within their organization, he has experience conducting HITRUST, SOC 1, SOC 2, and HIPAA audits and holds CISA, CCSFP, and CCSK certifications.