The challenge, especially if you’re just getting started with developing a compliance program, is that there is work that needs to be done before you get to level one of the maturity model. We call this pre-maturity model work level zero.
What is your compliance DNA?
Choosing your compliance DNA might be easy. It could be as simple as saying we work in this one industry, say finance or healthcare or education, and we only plan to operate in the United States, Europe, or Canada. Increasingly, though, the connected world, powered by the cloud and mobile, is breaking down barriers between geographies. It’s also common to operate a business across multiple industries.
If this is the case with your business, there is a good chance you will have to comply with multiple compliance regimes. It’s important to build your compliance DNA on a framework built to crosswalk to relevant regimes to avoid doing a lot of redundant work and data entry for your audits and customer security reviews. Recent data from CHIME shows that NIST is the compliance framework of choice for enterprises, with HITRUST showing up as an emerging favorite.
Our path to a compliance DNA at Datica
Our focus at Datica has always been in healthcare. As a business, we chose an industry vertical and decided to go deep in that vertical, removing blockers in getting healthcare data onto the cloud. What’s interesting is that we have expanded beyond healthcare compliance regimes as some of our healthcare customers have brought us with them to new geographic areas where compliance with things like GDPR is now required.
Looking back to 2013, when Datica (formerly Catalyze) was founded, the world of privacy and compliance was very different. HITRUST was starting to pick up steam but was still very early and not yet required by any covered entities. GDPR was not yet a thing, either in definition or implementation. The HIPAA Omnibus rule, which created the category of entities called subcontractors, was written but not yet implemented. And the concerns around privacy of personal data, highlighted in all of the recent news and debate about social media and, in particular, Facebook were not on the radar of politicians or the general public; Apple did not promote privacy as a differentiator at that time.
Compliance was a company-wide and product focus for us from day one. Being in healthcare, we initially chose HIPAA as our anchoring compliance framework. We did this because we focused on 1) healthcare and 2) the US market. Our first audit was a HIPAA audit.
Even at the time our company was founded, we knew we wanted to go beyond HIPAA so we planned to do a HITRUST assessment and seek a HITRUST Certification. We completed that assessment within the first year of the company and have been actively involved with HITRUST ever since. HITRUST has been very good for us and has clear ROI, both internally as well as externally.
HITRUST is our compliance DNA at Datica. Having that DNA has enabled us to develop a cadence for our audits and a clear guiding set of requirements at all times for all of our employees.
Because of the nature of HITRUST, and it’s pre-built crosswalks to multiple compliance regimes such as SOC or GDPR and frameworks such as NIST or PCI, we have been able to leverage our HITRUST work, both entries into the HITRUST CSF and our assessor, to complete audits for GDPR and complete our SOC 2 Type 1 and Type 2.
Doing it again
The truth is we did not develop our compliance program at Datica with the maturity model as our stepwise approach. In 2013, we developed our compliance program for healthcare and for HITRUST. We have since matured in our thinking about compliance and, despite being successful with HITRUST and with our compliance program over the last 5+ years, we would be more intentional if we were doing it again from scratch.
If we were starting over, one clear intention would be to build our program explicitly along the levels outlined in the maturity model. And we would start with level zero — an evaluation of the types of customers and, by extension, data and geographies, in which we plan to operate. From there, we would know the compliance regimes to which we would need to comply and choose an anchoring regime, or a compliance DNA, that we would ultimately have to crosswalk to all the relevant regimes.
Take the first step
The nice thing about a level zero approach is you can get started yourself, without any outside help and with minimal web searching skills. You should have an understanding of your target customers/users and the types of data you and your products will access. From there, you should be able to get a sense of the compliance regulations to which you will need to comply, and it’s a short step from that point to developing a short list of compliance frameworks that could work as your compliance DNA. If you want to learn more about compliance frameworks, regulations, controls, rules, and regimes, start here.
At some point, you will need to find more experienced resources to help put policies and procedures into place and to start to work your way up the levels of the maturity mode; but that is not a day zero problem to solve.