“We want to demonstrate to customers and to the market that we are a trusted partner; HITRUST CSF Certification provides the best means to prove that and provides a true Certification in support of handling ePHI.” — Travis Good, MD, Co-founder & CEO, Datica
CASE IN FACT
HITRUST Common Security Framework (CSF) Certification is highly regarded and sought after in the industry but it is no small feat.
Even before starting their first HIPAA audit and security assessment in 2013, co-founders Travis Good, MD and Mohan Balachandran of Madison-based healthcare IT firm Datica knew they wanted to achieve HITRUST CSF Certification. One of the company’s market differentiators is being known more as a partner than a vendor. Datica needed that validation of trust to grow quickly, but how?
Instead of simply doing self-assessments or obtaining the HITRUST CSF Validation, Datica executives decided to go straight for the gold — HITRUST CSF Certification, which offers the highest level of assurance in its own internal security as well as for its customers. “We want to demonstrate to customers and the market that we are a trusted partner; HITRUST CSF Certification provides the best means to prove that, and provides a true certification in support of handling ePHI,” says Datica CEO and Co-founder Travis Good, MD.
After completing the company’s second HIPAA audit, Datica felt confident that its technology and processes were ready for full certification, and the assessors agreed. With the slight advantage of a strong existing relationship with the Coalfire HITRUST CSF Assessor in Denver, the certification process went more smoothly and efficiently — yet it was still a process that tested the company and its co-founders beyond anything they had imagined.
Abe Dress, Managing Senior Consultant at Coalfire, states “The HITRUST certification process can be an arduous course of action, even for those organizations that have a robust security program. The process requires detailed review of, and subsequent updates to, most security policies and procedures in order to meet the exacting requirements of the HITRUST CSF.” In addition, Dress says, “the need to assess all controls using a maturity model is often a new challenge for organizations that have become used to a ‘check in the box’ type of security and compliance program.”
THE HITRUST CSF CERTIFICATION CHALLENGE: Hurry Up and Wait
Coordinating Datica’s schedules with those of its assessor and the HITRUST Alliance became the biggest obstacle. Part of the process, Good explained, is iterative, with lots of questions and clarifications that must be acknowledged and catered to. “There’s a whole lot of hurry up and wait.”
Dress concurs with that characterization of the time frame. “During the initial review process for a HITRUST assessment there can be a substantial amount of back and forth between the assessor and the organization representatives as the details of Organization Scope, the associated controls based on that scope, and then the details of each control are refined,” he explains. “This was especially common during the early implementation of the new HITRUST MyCSF tools. Since then, both HITRUST and the supporting HITRUST Assessors have refined methodology to support a more clear scoping process, which better facilitates planning and communication throughout the process.”
Datica found HITRUST CSF Certification involved five giant steps toward acquisition with no shortcuts evident in the process. A company considering HITRUST Certification must traverse the same steps:
- Investigate the process: in an effort to move from HIPAA to HITRUST CSF Certification, Datica executives and employees spent considerable time researching the domains of HITRUST
- Scope the project with the chosen HITRUST CSF Assessor: this step is fairly straightforward involving the estimation of time and cost
- Complete the CSF: a sizeable amount of documentation is involved, including policies, risk assessments, technical documentation, and configurations (approximate time: 3-4 weeks for Datica, thanks to some dedicated staff members; for most other companies, expect 6-8 weeks)
- Validate the CSF with assessor: providing evidence for entries in the CSF (approximate time: 4-5 weeks)
- Certify the CSF with HITRUST Alliance: involving back and forth on specific line items and requests from HITRUST (approximate time: 3-4 weeks)
Another challenging aspect of Datica’s HITRUST certification involved its very own technology, having to explain some of the technical details of its platform. “Educating our assessors about cloud and modern technologies, as well as how we secure everything, took time,” says Datica President and Co-founder Mohan Balachandran.
While an overall understanding of the environment is critical to any security assessment process, there were some additional challenges with early HITRUST assessments in clarifying the exact applicability of some HITRUST controls to the environment in question. “Coalfire has adapted to this nuance by developing HITRUST Assessors with familiarity in many different types of environments, such that a HITRUST assessment for a merchant might be done by an assessor with a QSA background, while a HITRUST assessment for a cloud provider might be done by an assessor with a FedRAMP background,” explains Dress.
TAMING TIME & COST EXPECTATIONS
Based on feedback from assessors, Datica executives expected about four to six weeks to complete the final steps of HITRUST Certification, but in reality the process took an additional three to four months. Part of this delay resulted from demands placed on the HITRUST Alliance at the time. From completion of the CSF to the assessors’ validation, the entire process, not including the research and scoping, took a total of five to six months for Datica. Some companies may experience a slightly shorter time frame, while others may find the process much longer.
Datica had a clear understanding of the direct costs of HITRUST Certification, which ran $30,000 to $45,000, but underestimated the indirect costs around certification. “Going into the process, we miscalculated our time by about half,” said Good. “If we had to do the initial process over again, we’d first divide FTE hours per employee and more efficiently delegate all the tasks.”
Good also has several recommendations for companies considering HITRUST certification. To curb expectations and to project costs more accurately, Good suggests:
- Budget more time, money, and resources than expected to complete the process
- Lock in schedules with assessors as early as possible
- Add in the “fudge factor” — a lot can happen while you wait and wonder
HITRUST CERTIFICATION BENEFITS & OUTCOMES
Datica is now fully HITRUST CSF Certified and holds that certification for two years, with an annual review after one year. Since its certification, the company has found that the process has anchored its information security management program while making it more robust. Additionally, the company’s organizational policies and technical configurations are now mapped to HITRUST, so changes to either are made with HITRUST in mind.
“Security is not a single point in time. It’s an ongoing process and we leverage HITRUST as the anchor to that process,” said Balachandran. “HITRUST CSF Certification instantly gives us credibility in the market and has vastly accelerated our security reviews – reducing both the time to implementation, as well as the cost of the resources we have to dedicate to security reviews.” Datica states that this is true for both its direct relationships with covered entities, like the Veterans Administration and Optum, as well as its indirect relationships with digital vendor customers.
Coalfire is the global technology leader in cyber risk management and compliance services for private enterprises and government organizations. Coalfire’s professionals are renowned for their technical expertise and unbiased assessments and recommendations. Coalfire’s approach builds on successful, long-term relationships with clients to achieve multiple cyber risk management and compliance objectives, tied to a long-term strategy to prevent security breaches and data theft. Coalfire is currently listed as #74 in the “Cybersecurity 500 Hottest Security Companies,” and was recently named one of the Top 20 Most Promising Risk Management Solution Providers. For more information, visit coalfire.com.
Datica (formerly Catalyze) makes digital health in the cloud a reality by removing the risks that prevent its adoption. We turn HIPAA compliance on public infrastructure providers into a solved problem, and enable secure clinical data exchange between mission-critical digital health applications and EHR systems. Datica serves healthcare’s complete spectrum, from digital health startups and industry leaders to health systems across the nation. Hundreds of customers and partners trust Datica to ensure their clouds are HITRUST certified and their data securely interoperable. For more information, visit datica.com.