Why Asset Management and "Storytelling" are Keys to HITRUST


Is your organization facing a HITRUST audit? Often called the "gold standard" for security and compliance in the healthcare space, HITRUST can be a "beefy" and daunting standard to navigate.

In this episode, host Jen Stone sits down with Peter Briel (Privaxi) and Lee Pierce (SecurityMetrics) to demystify the HITRUST Certification process. From understanding the three different levels of HITRUST to mastering the "storytelling" required for evidence, our experts break down how to move past the frustration and build a solid security foundation.

Key Takeaways from the Episode:

  • Understand the Three Systems: Learn the differences between the e1 (44 static controls), the i1 (182–188 controls), and the r2, which requires intensive scoping.
  • The Importance of Scoping: Many organizations "over-scope" out of fear, which significantly increases costs and timelines. Proper scoping aligns your data and business objectives to save months of effort.
  • Know Your "Windows and Doors": You can’t protect a house if you don't know how many entrances it has. We discuss why asset management is a primary challenge for businesses of all sizes.
  • Evidence is Storytelling: It’s not just about volume or screenshots; it’s about providing clear, time-stamped evidence that tells a consistent story to the assessor.
  • Building a Culture: Security is more than a point-in-time certification; it requires a culture of awareness that starts from the top.

Expert Advice for Your Journey:

"Go ahead and start the readiness with us so that instead of building something and then tearing it back down later... talk to us early on." — Lee Pierce

"Don’t rush... make sure that you build a foundation, a solid foundation... by the time HITRUST is done, you know you've done it correctly." — Peter Briel

Resources Mentioned:

  • Visit the Security Metrics website for blogs, podcasts, and a quick assessment of HITRUST costs.
  • Check the show notes for contact information to start your readiness analysis.

Timestamps

00:00 - Introduction to HITRUST Certification

01:08 - Understanding HITRUST Levels

01:59 - The Importance of Team Support

02:43 - First Steps in the Assessment Process

03:17 - Scoping and Asset Management Challenges

05:15 - Logging and Monitoring Challenges

05:49 - Telling a Story with your Evidence

07:25 - How to handle processes you’ve never had to invoke

08:20 - Maintaining Compliance after HITRUST Certification

08:49 - Final Advice for your Journey

10:49 - How to get in touch

Transcript

Compare it to, you know, having a home and you call a company to install the alarms on your house, but you don't know how many windows or doors you have. Right? So how can you protect a house if you don't know how many windows or doors to protect?

Hello, and welcome back to Practical Cybersecurity. I'm here today with Peter Briel from Privaxi and Lee Pierce from SecurityMetrics. Our topic is HITRUST. We're going to tell you how we help organizations with this arguably difficult certification. There are a lot of people who have to respond to a HITRUST audit, and more and more all the time, especially people who are in the healthcare space.

And it can be really difficult to even know where to get started.

HIPAA doesn't really have a certification per se. And oftentimes people don't learn their degree of HIPAA compliance unless there's been a breach of some sort. Hence, HITRUST came into the picture, bringing in NIST, ISO. It is a very beefy standard. It answers a lot of questions. There are three levels of HITRUST, and if you do the highest level, they call it the gold standard, and it pretty much answers all inquiries about a company's levels of security and compliance in the healthcare space in particular.

A lot of people know that at SecurityMetrics, we do HITRUST audits. And as such, we don't do the preparation work, because you have to have that whole, you know, separation of duties thing.

When we were doing HITRUST assessments in the beginning without Peter's readiness team on board with the customer, the client would bring us evidence and we'd say, you know, that's not exactly what we're looking for.

They would write policies and procedures and we'd say, I don't think that's going to pass muster with HITRUST scrutiny in the validation QA period. Lots of times, with the clients we work with, literally, the guy will be on the camera in our first call with him and he'll say, you're looking at the entire IT team right here. This is it. I don't have time to write policies.

It's very gratifying to see the customer who feels like they're going at it alone feel like, I've got a team here. I've got answers, you know. And not only that, I'm not staring at nineteen control domains of controls and just wondering where do I begin, you know? We've got a team that says this is how we begin the process and this is the roadmap to the end, instead of them trying to figure it out.

What are the very first steps when a customer says, okay, we need HITRUST, they sign on and say, help, what are we going to do?

Well, we do a factoring with them at first.

Just a quick overview of the HITRUST standard's three systems. There's the e1: no factoring required, forty-four controls, static. The i1, which is a hundred and eighty-two to a hundred and eighty-eight controls. When you get to the r2, which is the largest one, then it's all about scoping.

We learn about the nature of how they operate. We learn about the number of records they deal with, the number of connections that they have to their system, the number of users, the methods that they handle data. Do they ever send hard copies of things? Is it all electronic? Do they share data back and forth with other third parties? Sometimes we'll get down to this question here, number of interfaces to the system.

I don't know. You know? So, how many transactions do you run per day? What? What kind of a question is that?

A lot of organizations tend to overscope, right, out of fear rather than risk, increasing the cost and timelines. So, you know, good scoping can save, you know, a lot of months of effort.

So this can all really be daunting for somebody.

Great. So you've done some scoping. You're starting to get into it. You're doing that readiness analysis. So what happens now? What are common challenges that you see at this stage?

Common challenges, most of the time, I would say probably maybe asset management, right, and change control management.

Right? Those are the two big ones no matter what you're doing.

Those are two big ones.

Start with what assets you have in your environment. And this is a common thing no matter what people are doing, and it is often a challenge.

Precisely. I usually like to, you know, basically compare it to, you know, having a home and you call a company to install the alarms on your house, but you don't know how many windows or doors you have. Right? So how can you protect a house if you don't know how many windows or doors to protect?

Right? So asset management is key. And then that's when the scoping comes in place. Right?

You gotta make sure that we identify what's in scope. Right? Yeah. The fact that you may have a hundred endpoints doesn't mean that a hundred endpoints fall into the scoping.

Another common one that I run into a lot is logging and monitoring. Like, if you don't have logging and monitoring in place, especially for a small or medium business, that can be a real challenge to put into place.

Logging and monitoring requires a lot. Right? It requires a tool and in some cases, most cases, requires a team. If you do have an external resource that you're leveraging, okay, then with that next sort of resource, you have to go through the, you know, third-party risk management to make sure that they are doing what they're supposed to be doing with your data. Right? Venture. It's a storytelling.

You gotta tell the story with evidence, consistency over time. It's not just screenshots. Right? You know? Like I mentioned, there has to be a story, and that story needs to be clear to the assessor, repeatable and supported by an explanation.

Right?

Every quality matters. It's not just, you know, volume. You know, having a procedure that's ten, fifteen pages long that doesn't tell a story the proper way is useless. Right? So, again, how clear is this evidence to the assessor? Right? When you present it, how clear are the screenshots?

Yeah.

Sometimes you could take a screenshot, but does the screenshot have a date and time stamp?

I was just gonna say that. Thank you for the screenshot that could be from any time in the last three years. And it's not just because we, the assessors, care about it.

The last thing that we want to have happen is we allow evidence to go through that the HITRUST QA will look at and go, this is insufficient. On Macs, you don't necessarily get the full date, right? By default you might not get the year, right? There are different interesting challenges that way. Just as an example. And I'm going to come back and say, I really want, to the letter, absolutely everything there. It's not like you're missing something, it's that the degree to which we want to see the evidence absolutely align with a certain gold standard may differ from assessor to assessor, and that's the nature of assessment.

Another element that's interesting is sometimes working with small businesses in particular, while they need to have a process in place, they've actually never had to invoke the process. And so they may not have a lot of things to say or report on regarding something they've never really had to do.

That's one of the reasons why Peter's Privaxi readiness team is so good, because they'll say, we understand that you haven't really ever fired anybody over the last two or three years. Yeah. But you still need to show me how that would work if you had to do that. Right. We need to know your process. Otherwise, you're gonna have a corrective action plan on something that you didn't even really fail at.

Can we do a tabletop exercise around firing someone? You know, that's really important because sometimes people will put NA for something that is absolutely applicable to them. They just didn't happen to have it happen this year.

So, you know, security is a point-in-time certification, and compliance as well. Right? It's how you manage it afterwards that counts as well. Right? Okay. You got to the finish line.

You know? How do you keep that program up to date?

Right? And, again, as I mentioned earlier, a lot of companies lack the resources or the time. So at the end of the day, it's important to get HITRUST certified, as we know, but what matters most is how do you protect that environment.

Absolutely.

Well, this has been a super conversation. I think it's given people a view of what does it look like to go through the process to become compliant in HITRUST. I would love to hear a little bit of final advice from each of you regarding customers' HITRUST journey.

Don't build it and then do readiness afterwards. If you're in the process of creating something, and let's say you're getting a new contract with this big, big customer and they want HITRUST, but they also want you to build something to help satisfy the solution you're offering, go ahead and start the readiness with us, so that instead of building something and then tearing it back down later, when you find out that the segmentation wasn't the way it needed to be, or the encryption wasn't the way it needed to be, or maybe that shouldn't be on prem in the first place, maybe it should be migrated to the cloud, talk to us early on.

Just don't think you need to button things down and then get an assessor.

That's really my advice.

Yeah.

Final advice, don't rush.

Right? We're not a check-the-box automated tool company. You know, again, we make sure that you build a foundation, a solid foundation.

Right? So that by the time HITRUST is done, you know, you've done it correctly. Right? This way, you know, you stay secured. Right? And then you build a long trust, you know, certification.

Right? Because at the end of the day, again, it's not just a matter of achieving HITRUST. It's a matter of protecting the house.

Excellent.

Alright. Well, thank you so much for this conversation. I really appreciate your time. Lee, if people want to get in touch with us about a HITRUST assessment, what's the best way for them to do it?

Well, we can actually put in the notes our contact information here for this, but we also have pages on our website. They're really quick; you can get a quick assessment of what the cost would be for HITRUST. Work with us. Work with us on that.

Help avoid the crying and swearing, really.

That's right.

Yeah.

Well, it was really great talking to both of you. Again, thanks. I appreciate your time, and I hope we talk again soon.
