Certification Symposium: HITRUST & SOC 2 Leading Practices

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Healthcare organizations are ramping up the adoption of enterprise security certifications to provide assurance of their security program and control effectiveness to their customers and partners. Some of the most common security certifications and attestations in healthcare include HITRUST and SOC 2 Type II.  

Join us for our 100TH EPISODE of The CyberPHIx as we hear perspectives from healthcare security leaders on best practices for selecting and acquiring enterprise security certifications. 

This special symposium is a collection of interviews with stakeholders on all sides of the certification including healthcare CISOs, assessor and certification specialists, healthcare vendors, healthcare delivery organizations, and certification bodies. 

The Certification Symposium includes highlights from the following healthcare cybersecurity leaders:

Topics covered in this session include:

  • What are HITRUST and SOC 2 Type II certifications?
  • Business drivers for healthcare organizations to acquire HITRUST & SOC 2 certifications
  • Which certification should we adopt? Comparing and contrasting certification options including HITRUST bC, HITRUST i1, HITRUST r2, SOC 2 Type II, and ISO
  • Common pitfalls for HITRUST certifications
  • Common challenges and pitfalls for SOC 2 Type II examinations
  • Debunking certification myths and misunderstandings
  • Accelerators and best practices for achieving HITRUST and SOC 2 certifications in a timely and cost-effective manner
  • The role that certifications play in supporting HIPAA and OCR compliance
  • Tips for selecting an assessor organization for HITRUST and SOC 2 certifications

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:11] Welcome to The CyberPHIx, your audio resource for cybersecurity, privacy, risk and compliance specifically for the healthcare industry. I'm your host, Brian Selfridge. And each episode we bring you pertinent information from thought leaders in healthcare cybersecurity and privacy. And in this episode, we have a very, very special session for you, where this is actually our 100th episode of The CyberPHIx over the last three or four years, I think now. I'm so very, very thankful for all of our loyal listeners. And if you're new, thank you for checking this out. Be sure to go back and check out the back catalog. Stuff is all still very, very relevant and some great leaders you can hear from over the years. And the other reason that this is a special episode is that we are actually going to get to hear from quite a few different cybersecurity risk and compliance leaders on a specific topic, and that is around HITRUST and SOC 2 and other security certification initiatives. So we're calling this session the Certification Symposium, HITRUST and SOC 2 Leading Practices, because we've just had so much great guidance in so many different voices that have been able to provide their perspective on getting certifications. The whole journey from just even considering it for your organization or for your vendors and partners, if that's your lens that you put on it, all the way through to engaging with assessors, getting certified, renewing those certifications. So there's quite a bit that goes into it.

Brian Selfridge: [00:01:31] And for better or for worse, there are a lot of pitfalls that could befall the well-intentioned security compliance leader, as well as leading practices that can make it a lot faster, cheaper and more effective for you to go through the process. So security certifications are complicated. They're super important. To do them right requires getting it right the first time, if you can. So we thought, rather than hear me tell you about that or just one particular individual, we took a combination of interviews that we've done both in this podcast, as well as webinars and some other special sessions we've had with CISOs in the industry, chief information security officers, with members of leadership from organizations like HITRUST, for example, others that are practitioners in AICPA-accredited firms like Meditology Services that do SOC 2 engagements. So we're going to kind of distill all that into a single session for you and hopefully allow you to walk away with that, not having to live through this the hard way, and learn the lessons through the collective intelligence of decades of experience from these individuals. So I'll give you a quick rundown of the folks that we have that we're going to be interviewing, and then I'll refer to them by a first name once we get going into it. But we've got Ed Dame, who is the CSO of Dasher Inc as a vendor who's HITRUST certified. We've got Angela Fitzpatrick, who's a managing director here at Meditology Services and runs our HITRUST security practice.

Brian Selfridge: [00:02:57] We've got Michael Parisi, who's the vice president of Adoption for HITRUST, so a leader at the HITRUST organization. We've got Paul Gray, CISO at Meditology Services, Bethany Ishii, who's a director, also here at Meditology with decades of experience in HITRUST. Then we've got Deana Fuller, who's a senior manager here, Derek Vorpahl, who at the time of the interview is the director of Information Security and Risk Management for Davis Vision, Ryan Freeman Jones, who's a leader here with Meditology, Brandon Weidemann, a manager here, and Jonathan Elmer as well, also a manager. Just so much experience, so many talented folks that you're going to hear from. And so I won't give you their full bios, as that will take a little bit more time than we have here, but I'll give them shout-outs as we kind of transition throughout each of the topics that we cover here today. And speaking of those topics, just to give you a flavor for what we're going to cover and the things that we're going to hear about from all of these great leaders around security certifications: we're going to do a little bit of level setting around what is SOC 2, what is HITRUST, what different certification options do they have? I don't want to take an entire session on that because we could; there's quite a bit we're trying to distill down for you.

Brian Selfridge: [00:04:06] And then we're going to talk about business drivers for why organizations would get cybersecurity certifications for the organization. Why is that even a thing? Why are we doing it? Where are the pressures? And also a lot of discussion around that whole decision around what certification or certifications should we acquire as an organization? Should we go with a HITRUST i1 or HITRUST r2 or a SOC 2 Type II, you know, all these different things, and why would we choose one or the other, or maybe even in some cases go with multiple certifications to address different audiences. So our esteemed panel will kind of talk through that. We'll talk about my favorite thing to talk about, which is pitfalls. What are the things that, if we could just avoid them, could save us time, money, energy, and in some cases save people their jobs and position and career trajectory, if you fall into too deep of a pit. So we're going to talk about common pitfalls for HITRUST certifications as well as for SOC 2 examinations. We're going to debunk some certification myths and misunderstandings that I think folks have either going into the process or even well into the process of understanding what it's going to take. What are some of the expectations for your teams and your stakeholders and your external assessors and all those things? We'll talk about accelerators, how to just do this faster and cheaper, frankly.

Brian Selfridge: [00:05:21] And there are ways to do that. And I think everybody has a vested interest in learning those and applying them. We'll also talk a little bit about the role that security certifications play in HIPAA compliance and OCR enforcement and how these certifications can play a factor in that. And then we'll round out the conversation with just some tips for selecting what kind of partners you want to work with in your HITRUST journeys or other certifications that you go through and what you should look for if you're early on in that process. So a lot of great conversation. There are so many great leaders that we're hearing from. So I'm very excited to share all that with you and to dive into it. So with that, let's dive into another great conversation with a whole bunch of great guests on this CyberPHIx. All right. So to get things started here, I just want to do a little bit of level setting on some of the terminology that we'll be covering today. There are really two dominant cybersecurity certifications that we'll spend the majority of the time hearing from our guests on today. And those are SOC 2 Type II examinations and HITRUST certifications. We'll start out the conversation with Michael Parisi from HITRUST, who is the VP of Adoption at HITRUST, who's going to tell us a little bit about what some of the current options are for certifications. And just to sort of summarize it before we dive into his explanation.

Brian Selfridge: [00:06:45] HITRUST as an organization is a certifying entity. They require assessor organizations, third-party assessor organizations, of which Meditology, our company, is one, that evaluate and assess organizations against their cybersecurity posture. HITRUST, the common security framework that it's all based on, is kind of a marriage of HIPAA and NIST and PCI and a bunch of other security control frameworks that are applicable to healthcare and allows you to kind of assess and certify against those. So there are a couple of different product sets that you'll hear about today as we get through this. I just want to make sure you don't get too confused by it. HITRUST offers an r2 certification, which is their traditional flagship certification. It's an every-other-year certification with an interim in between. They also offer an i1 certification, which is new this year, which is an annual certification, a little bit less level of effort and less volume of controls that need to be complied with for the i1 versus the r2. And so Michael Parisi will tell us more about that. But I wanted you to just be aware of those as we dive into it. So that's enough hearing from me. Let's hear from Michael about what the current HITRUST options are out there today so we can then talk about how to optimize our deployment and acquisition of those.

Michael Parisi: [00:08:04] Yeah, sure. Absolutely. So, in today's day and age, you know, we currently offer really three different types of assessments for organizations that are looking to provide assurances to their stakeholders, or if they are relying parties that are looking to obtain assurances from their vendors, right, and their third parties. So today, those three are: first, our rapid assessment, which only lives within our assessment exchange, which is the third-party risk management platform. Think of it as a quick-and-dirty look-under-the-hood type of assessment, usually used from the due diligence or vendor vetting standpoint, a very small subset of the CSF, and it is a self-attestation. Next, we offer what we refer to as a readiness assessment, which applies the risk-based approach of tailoring from the full framework of controls, driven off of the risk of the organization, the service that they're providing, and also the compliance requirements or authoritative sources. Also a self-attestation that comes along with the PRISMA scoring model. And then lastly, or at the top of the house, if you will, is the validated assessment, or the validated assessment with certification, which still applies the full rigor of a scoping exercise and tailoring the framework, which has 2089 controls as of today, to say which ones are relevant for me. It does require validation from an assessor like Meditology to come in and execute testing against those controls, and it does provide additional transparency through that PRISMA scoring model at five different areas or elements around policy, procedure, implementation, and then whether that control is being measured and managed over a period of time. So a high level of assurance, if you will, from a marketplace perspective.

Brian Selfridge: [00:10:03] Okay. Next, we're going to hear from Brandon Weidemann from Meditology Services, who's going to talk a little bit more about the HITRUST i1 certification, which I mentioned kind of at the outset, is the brand new option from HITRUST. So he's going to give us a rundown on what that's all about. So I will transition it over to Brandon. 

Brandon Weidemann: [00:10:21] Okay. So the start of 2022 was when the new i1 assessment was released by HITRUST, and HITRUST is referring to the i1 assessment as their quote-unquote best practices assessment. By that, we mean that it's limited to 219 controls that are standard across all organizations, all environments, regardless of size or complexity. Those 219 controls they're looking to kind of evolve throughout, as with the expanding threat environment. But they're also calling the i1 an industry-agnostic cybersecurity assessment, which is kind of a bit of a change from HITRUST. So it's not meant to be specific to healthcare and more so kind of in alignment with a SOC 2 from the AICPA. The i1 is an annual assessment, so it'll be the same set of controls on a year-to-year basis, which differentiates it from the r2 assessment, formerly known as the validated assessment. Additionally, there is no testing of policy and process for the i1 assessment. It is specific to the implementation. So for the 219 controls that are in place for the i1 assessment, it is only based on implementation. That's where your external assessor will be scoring for all of those controls. It's designed to be a more moderate level of effort compared to the r2 (formerly known as the validated assessment), and also provides just a moderate level of coverage. So just in terms of comparison there, the r2 is considered a higher level of effort, but also a higher level of coverage. The i1 is meant to be more of a moderate level of effort and a moderate level of coverage.

Brian Selfridge: [00:12:12] Great stuff there from Brandon. So next, we're going to transition from HITRUST conversations into SOC 2 a little bit. Again, just level setting a little bit: what are SOC 2 Type II examinations, why do folks get them? And so we're going to hear from Paul Gray, also from Meditology Services, a chief information security officer, who's going to tell us a little bit more about SOC 2.

Paul Gray: [00:12:34] So talk about what it is, a SOC 2 type of audit, attestation or whatever. Let's talk about the framework then. So the SOC 2 is done by, is governed by, an organization, the AICPA, and they also do SOC 1 on it. So it comes out of an accounting background that that audit framework comes from. And so there are other frameworks, as you know, HITRUST and ISO and the other frameworks, and they all come from different backgrounds, so they are all done differently. The SOC 2 is an actual audit because it comes from a CPA background. And there's the SOC 2 Type I. I'm sorry. There's a SOC 1 type audit, which is the financial audit, and then the SOC 2 is the IT technical one, where they add those criteria and those controls in there so that you can see how well you're meeting certain criteria. So it is a SOC 2 audit. You go through that. But if you want to talk about it, you can do a SOC 2 readiness. You can also do scaled-down type things that different consulting firms will do, and a SOC 2 attestation. There is no such thing as those that I'm aware of, but you can get a consulting firm that will tell you that you're SOC 2 ready or whatever. But there's only one official SOC 2 audit certification, and that comes through once you have completed it with an AICPA-certified organization that can provide that.

Brian Selfridge: [00:14:17] All right. So now we've heard more about what is HITRUST, what is SOC 2, and just level setting some of those different options. We're going to start getting into some of the business drivers. Why are organizations pursuing certifications? Why should your organization or your vendors that you work with get HITRUST and SOC 2 certified? What's that all about? So we're going to hear from Bethany Ishii, who will talk us through some of those business drivers.

Bethany Ishii: [00:14:44] Yeah, I'd definitely say there are several reasons. And I think, you know, I had mentioned the drivers from the big payers, the Blues, United, that required their business partners to receive a certification, either HITRUST or a SOC 2 examination, if they wanted to continue doing business with them. So there was a lot of uptick in the industry once that was communicated. You know, the other reason that I think is a big driver is that there's a lot more awareness around breaches and cybersecurity. You know, as I speak to various C-level executives from different companies, you know, they're hearing about breaches and security concerns from various sources now. You know, it's not just the security forums that are out there, but, you know, it's in the news now. We're hearing big names like Microsoft in the news and even the government putting out their concerns. You know, late last year there was a notice published by the FBI. So, you know, based on the various news outlets and publications out there, you know, it's getting to the C-levels and it's becoming more of a concern. And I think, you know, the idea is that, you know, these security certifications, they're not bulletproof, but it's, you know, allowing organizations to demonstrate that they're taking the right steps and, again, demonstrating, you know, an act of good faith. The last thing I'll say as far as a driver, and I think it's more of an act or fact or, you know, more of an afterthought, is that there are certain monetary incentives from insurance companies. So if you are HITRUST certified, you can get a discount from your insurance provider. But I think, you know, I haven't heard of any numbers falling above 10%. It's usually around a 10% discount or so.

Brian Selfridge: [00:16:38] Those are great insights from Bethany. Next, we're going to hear from more of an industry side of why organizations that are pursuing certification have achieved HITRUST certification. Why did they do it? What's the sort of retrospective? So next, we'll hear from Derek Vorpahl, who was the director of security for Davis Vision at the time of this recording. This is a couple of years back, but it's still very relevant to conversations; I don't feel like it's too dated, and I thought he had a great way of framing it. So let's hear from Derek.

Derek Vorpahl: [00:17:09] Well, Brian, I kind of think it's a combination of a lot of things that are coming down the pike. Of course, the security and risk compliance type of, you know, what's the best way to put it, landscape that you see now, people are a lot more aware of it, especially with the big healthcare breaches and things like that. A lot of clients that we see now stipulate these types of accreditations or certifications within their contractual obligations. We also see a lot of it in RFPs, especially when you're going out to do work for state or federal or things of those sorts. You see a lot of a move towards a unified compliance type of program, especially from Blue Cross Blue Shield Association, some of the other large players, where they're looking to standardize and stand on something that is really kind of an industry and widely accepted platform versus the older way of kind of doing stuff where everyone can go out and be looking at a SOC 1 or SOC 2 and creating their own controls. But at the end of the day, is it really able to compare apples to apples from one company to another? Because the controls may be different or they may be based on different standards or anything like that. So that's really kind of what we're seeing as the direction of both the client and the regulatory side.

Brian Selfridge: [00:18:40] Our next guest, Ed Dame, is the chief information security officer for Dasher Inc. He's going to tell us a little bit more about the comparison between HITRUST and SOC 2, and when you're looking at whether you would pursue one or the other, or one, then the other. And so I'll let Ed talk through a little bit about how that worked for his organization as they were looking to get certified over the years and where they ended up. So over to Ed.

Ed Dame: [00:19:04] My philosophy for a long time, you know, as you mentioned, I've kind of been in the IT world and run some technology companies and things like that, is that now every company is an IT company, is what I had said for a long time. And now every company is a security company as well. And it permeates every aspect of operations. And so, you know, going through a process like HITRUST gets you to a baseline and a level of competency where you're on the same playing field, you know, and that's the difference, you know, between like a SOC 2 Type II and HITRUST, is that SOC 2 is so much more malleable to, you know, your organization. It's not as high of a barrier, it's not a standard. And so, you know, that's where we started, though, frankly, you know, on our journey as Dasher. We started with SOC 2 Type II because it was a little easier. We were starting from zero. And so, you know, we had just thought about it and that was a great first step for us. But then it's about the constant improvement. And so HITRUST was an obvious next step for us, and it frankly was a big step for us. We took that on and we weren't sure how to get there. And that's where partnering with Meditology and working on that together, which, you know, frankly, we couldn't have done it without Meditology, and, you know, that has gotten us to a place where, you know, we are able to operate. And it brought some new technologies and controls into our sphere that allowed us to be more secure and allowed us to build that trust externally and internally, because our users see that, our employees see that every day when they're using things like MFA, you know, to connect. And as we had to pivot and go remote during the pandemic, you know, we had the baseline to make that switch securely and get that done. And if we had not been working on this journey, I can't imagine the hill we would have had to climb to get there, you know, during the pandemic time.

Brian Selfridge: [00:21:24] The next guest we're going to hear from is Angela Fitzpatrick, who works with Meditology Services. And she's going to talk a little bit about that process of when we're working with organizations to decide: do you get HITRUST, do you get SOC 2, do you get ISO, what's the difference? What's it matter? So Angela is going to talk through some of that HITRUST versus SOC 2 and some of the considerations there. So really good stuff. So over to Angela Fitzpatrick.

Angela Fitzpatrick: [00:21:50] Yeah. So well, there's a lot of differences. I think the main one that comes to mind for me when looking at the two options is the control set that you would be audited against. So HITRUST, as we've mentioned, uses an algorithm to determine which controls will be included in your assessment. And neither you nor your assessor firm have any kind of control over what's included in your assessment. Right. So it's very set, and you have to comply at the level which they set as their standard. For SOC 2, there are trust service principles and typical controls that are audited against each of those trust service principles. But there is a little bit more flexibility in that control set. Right. So what controls do you have in place to meet this standard of the requirement? So there's a little bit more flexibility there. And there are other differences as well. Obviously, HITRUST has to review and issue the report for a HITRUST certification, whereas a SOC 2 Type II is issued by the auditing firm, so it doesn't go to another third party for verification. So it can be a little bit quicker of a process, and there are some other differences as well. But those are two of the big ones for me.

Angela Fitzpatrick: [00:23:30] And then, you know, as far as which one to get, I think it really depends on the type of organization that you are. It depends on your contractual requirements, obviously. But it's really what will meet your needs the best. So if you are healthcare only, if your clients are healthcare only, you're working with payers and things like that, they're likely going to want to see the HITRUST certification over a SOC 2, as opposed to if you work across industries, the SOC 2 Type II might be a little bit more accepted. And so you may want to go that route. You may want to consider the differences for your size and complexity. Also, if you're just starting out and you're not ready to dive right into the HITRUST assessment, you might consider a SOC 2 Type II first so that you can kind of get your feet wet in that audit framework and see what that's like. But if you need to do both, I recommend doing them concurrently. You can utilize quite a bit of the same evidence for both and kind of review one's report twice. So there's a lot of efficiency to be gained there if you have a requirement to do both assessments.

Brian Selfridge: [00:24:52] Great perspectives there from Angela. And we're going to also hear from Paul Gray, who's going to talk about his perspective on HITRUST versus SOC 2, and that whole decision process. So let's hear from Paul. 

Paul Gray: [00:25:05] As far as different flavors of them, you know, HITRUST, like we said, HIPAA is actually a standard that you don't really get a certification or anything on. There's ISO, and the overlap of ISO and SOC 2 is only about 50%. So half of what's required in SOC 2 is required in ISO, and half of what's required in ISO is only required in SOC 2. The reason to get any defined framework is more or less dependent upon what your customers are asking for, and for what industry standards you are trying to live up to within your operations as well, and which fits the better guideline. ISO is another framework that is like HITRUST, where it is more directive, saying you will do this and this is how you will do it. It's not as flexible as a SOC 2 audit is. So for an industry such as the healthcare industry, you have a plethora of environments within there: you're going to have clinics, you're going to have hospitals, you're going to have doctors' offices, you're going to have pharmaceutical companies. You're going to have all kinds of different companies that are basically doing healthcare but delivering those services in a different way. The software gives you a lot more flexibility and functionality to put it to how you're operating and what you're delivering and showing that you're meeting certain standards instead of you having to force your business model into another framework.

Brian Selfridge: [00:26:59] So we've heard now from different practitioners, as well as organizations that have gotten HITRUST certified. And so I want to hear now sort of from the horse's mouth, if you will, from Michael Parisi from HITRUST, talking a little bit more about the rollout of this HITRUST i1 certification, this new model, what that's all about, what are some of the best practices, and how does that compare to SOC 2? Again, as we sort of look to compare and contrast. So let's turn it over and hear from Michael Parisi.

Michael Parisi: [00:27:29] Sure. Yeah. So I would tell you, it's designed to take less time than a SOC 2, right, just because, as you guys know, there's less administration and bureaucracy and standards and risk management, all things that AICPA firms have to go through when they're producing the AICPA report, that they're not subject to with us. Right. So that's one factor. Another factor is where organizations are relative to their program today. So like r2 or full certification today, there's going to be a readiness option for an i1 as well. So what we recommend, which I'm sure will resonate with you, Brian, as you do with many of your customers, if you're starting from zero, it's probably a good idea to do a readiness. So if an organization is going to undertake an i1 readiness, you may extend your time a little longer. However, the other beauty of it is the chances of moving from a readiness into a full i1 validated assessment quicker than you would if you're doing, say, an r2 readiness to an r2 validated assessment are much greater. Right. You can move quicker. And so right now we're anticipating organizations would be able to do an i1 anywhere from, say, 3 to 6 months, and those different factors are going to be what they have in place today and whether they are doing a readiness exercise or not. And obviously, remediation being more of an open switch. That's for the initial out of the gate if they haven't done anything. Our vision going forward is, typical to what you would see from a SOC 2 report, 2 to 3 months in order to refresh that and roll it forward on an annual basis is what we're thinking it will take organizations to execute, but we've got a couple of pilots running right now, and it will be interesting to see what the timing ends up being from those organizations.

Brian Selfridge: [00:29:34] Great stuff there from Michael. So now I want to hear from my colleagues, Angela Fitzpatrick, Jonathan Elmer, Ryan Freeman Jones, all experts in HITRUST and SOC 2 compliance. And they're actually going to talk about some of the common pitfalls specifically around HITRUST certifications. And this is one of my favorite topics to dig into. I just love the lessons learned that we can learn from history, and avoid repeating history in cases where there are pitfalls and challenges. So let's hear from them all sort of in a row here, from Angela, Jonathan and Ryan, on HITRUST challenges and pitfalls.

Ryan Freeman Jones: [00:30:12] I think starting out is structuring on the organization side internally, having a stakeholder that is responsible for the day-to-day management of the HITRUST engagement. And so I guess the pitfall is not having that, almost. So not having that one person that's really on point to coordinate and keep all the ducks in a row within the organization in terms of collecting documentation, setting internal timelines, kind of oiling the wheels almost. That is one of the most critical success factors that we see, and the lack of that generally results in a prolonged, inefficient assessment. So that would be really where I'd like to start out there.

Brian Selfridge: [00:31:06] Excellent. Thanks, Ryan. Angela, what do you think? Have you seen some delays, pitfalls, challenges?

Angela Fitzpatrick: [00:31:16] Oh, geez. Where to start? There's a lot that goes into HITRUST certification, and we've seen a lot of troubles along the way with our clients. So I think one of the most important things for me is scoping the assessment. So this happens very early in the process and is critical to success. I think, especially for organizations that are going toward HITRUST for the first time, it's tempting to want to certify everything. And so keeping the scope narrow and very focused, with limited systems, services, applications, is critical, because the evidence collection and basically the requirements from HITRUST can get unwieldy as the scope grows. And so keeping it small the first time around, especially, I think is kind of critical. So having too large of a scope, kind of going in with really ambitious ideas, can be one of the pitfalls that I've seen happen most often.

Brian Selfridge: [00:32:32] Excellent. Thank you, Angela. And we'll come back to you guys if you have others. I'm sure there are not just one or two pitfalls. From many years of doing this, I'm sure there are many. But I'll go to Jonathan here. Jonathan, what have you seen in your experience of things that could have gone better? 

Jonathan Elmer: [00:32:48] Sure. Thanks, Brian. One of the road bumps that I see kind of happens very early in an engagement, and then if it's not addressed will be a consistent issue throughout and leads to scope creep and timeline disruption, is really a lack of availability around key stakeholders. It's very important to note that HITRUST can't be attained in a vacuum. It's not a one-team or two-person engagement or initiative for the organization. It really takes a substantial amount of effort on the part of many teams: HR, legal, IT, infosec. You have to interpret the requirements as they relate to your specific environment. You have to collect the evidence. You have to perform remediation activities. And ensuring that all those involved teams have the throughput to actually contribute and help where needed is very important. So it's important early on to think about making sure that those teams will have the availability. It almost needs to be part of their daily and weekly and monthly work routine. Another kind of side note to that is internal major initiatives. So it ties into stakeholder availability, right? So if you have a go-live system that's coming up and it's requiring a ton of time from your infrastructure and IT teams, you need to plan accordingly for any lack of availability that you might have for a certain period of time there.

Brian Selfridge: [00:34:30] Yeah, Jonathan, I agree. And I think one of the other things that I see that ties into that is making sure you have an appropriate timeline in place. So when you're working with your assessor to determine the timeline of the assessment from beginning to end, taking into account some of those internal initiatives, other areas that may be pulling some of your stakeholders away from HITRUST, and just ensuring that you have some buffer time for anything that does come up, because inevitably something will. So make sure that you have an appropriate timeline; it's not too aggressive or ambitious. HITRUST doesn't happen overnight. So I think the timeline really ties in well with the stakeholder availability. 

Brian Selfridge: [00:35:24] And I think, going off of that, one additional thing, especially if you're getting your executive teams on board with this initiative or there's a mandate from a key client to become certified, is really doing a good job of setting those internal expectations well. So not trying to rush the timeline, working with a vendor that can help you kind of understand what a realistic timeline looks like, but not overselling internally, because that will set you up for failure if you're not able to meet those timelines and objectives. So I think that's a key part, that internal messaging with stakeholders as well. 

Brian Selfridge: [00:36:10] Next up on this same topic, we're going to be hearing from Bethany Ishii about additional pitfalls that she's seen play out with her colleagues and folks in the field. So over to Bethany to tell us more about those. 

Bethany Ishii: [00:36:26] Yeah, I'd say first and foremost, a pitfall and a recommendation is going through a readiness assessment. So you want to go through the exercise to assess the requirements that will be in scope for when the certification time comes. So it's almost like a, you know, we call it a readiness because it's getting not only the organization ready, but also you're building that relationship with the client. So the assessor and the organization are building that relationship. The assessor is getting to know the stakeholders and the control owners ahead of the certification period. So it's really just setting up both parties to be as successful as possible when the certification period comes around. So not doing a readiness is definitely a common pitfall, because organizations will be seeing a request for the first time. Whereas if you go through a readiness assessment, you're familiar with the requests, you know what documentation needs to be provided. And by the time the certification comes, you're really just refreshing the documentation that was collected during that readiness period. Another common pitfall I see is having external drivers setting the pace. 

Bethany Ishii: [00:37:48] So sometimes there's a deadline and you're backing up into the deadline. Sometimes you can't help that. But, you know, to that end, if there is a hard deadline, I've seen organizations not give themselves enough time following a readiness assessment to really go through and remediate the gaps that were found during that readiness period. And, you know, there are certain rules HITRUST has. Right. And one of those is a 90-day control run period. So you need to have policies and procedures in place for 90 days leading up to that certification period. And outside of policies and procedures, you also need to make sure that you have a control implemented and operating effectively for 90 days. You know, and the whole intent behind that is just to ensure that, you know, the organization doesn't install anti-malware on all their servers a week before certification and then we go through and test it. So the 90-day rule makes sense and is something that organizations definitely need to make sure they bake into their timeline when they're looking to achieve HITRUST certification. 

Brian Selfridge: [00:39:04] So that's great insights on the HITRUST side. We also know there are some similarities and overlap between HITRUST and SOC 2, but the pitfalls sometimes are the same and sometimes they can be quite different. So let's hear again from Bethany on SOC 2 specifically, and what are some of the pitfalls that she's seen on SOC 2 versus HITRUST? 

Bethany Ishii: [00:39:24] Similar pitfalls and best practices. But the one unique component of a SOC 2 is you have what we call a reporting period. And that reporting period is the audit period. And I'd say for organizations going through a SOC 2 for the very first time, you know, think about starting with a smaller reporting period for the first year and then the following year, you know, adding on more months. And what that shows is, one, if we have a smaller reporting period, and the smallest reporting period you can have is three months. But typically organizations are eager to go ahead and get that SOC 2 report so they can share it with their business partners and say, hey, we got it. You know, we're taking the right steps. And so a three-month reporting period allows you to go through a readiness within, say, two or three months, go through and remediate anything that may have come up during the readiness period, and then that three-month clock starts, you know. So if it ended in December, that three-month period would be January through March. And then, you know, a CPA firm like Meditology Assurance could come in at the end of March and start that SOC 2, and you're not waiting as long. So that would be my recommendation for SOC 2 organizations, or for organizations looking to be holding a SOC 2 report within a year or so. And then from there, you really want to demonstrate that your controls continue to be in place and operating effectively. So you look to increase that reporting period. So you go from a three-month to a six-month to a nine-month to a 12-month, if you want to do that gradual increase in the reporting period. And really what you want to work up to is that 12-month reporting period, because what that tells other organizations is, you know, your controls are in place and operating effectively for an entire year and there's no lapse in that time period. 

Brian Selfridge: [00:41:33] We've also had some insights from Paul Gray, who's the CEO of Meditology Services, on SOC 2 pitfalls as well. And so we'll see how that compares and contrasts to Bethany's perspective there. So I'll turn it over to hear from Paul on additional pitfalls for SOC 2 specifically. 

Paul Gray: [00:41:51] You've got to dedicate personnel. If you're just coming into an audit, one of the biggest pitfalls I've seen is, "We're going to write our own policy, and this guy's going to do it, but he's going to do his regular job too." And you meet with him, I've met with him on a monthly basis, two-week basis; six months, a year later, the guy's, you know, he's gotten two sheets written up because he's got to do his regular job. You have to dedicate resources to this, and you need to dedicate them up front so that you get the framework. You get it designed, built, and implemented correctly up front. It's easier to maintain. If you're just trying and you're struggling with this to go through on and on, it's going to be very hard to do it. Actually, there's recently another customer that I know, a friend of mine is working on it, another company. The owner is dead set that he is going to be able to implement all these tools and everything himself, and we kept explaining to him, there's all these tools, there's all this stuff out there that's already designed, built, and it's been out there for years. Don't try to recreate the wheel. Find the best tool that fits your environment. Buy it and get it in. Don't try to build it yourself. It's going to take too much. It doesn't mean you don't have the skill set. It doesn't mean you don't understand anything. It just keeps focus on your business, and let the specialists in implementing and keeping these frameworks going do their job, because they're just as good at their job as you are at delivering your products and services. 

Brian Selfridge: [00:43:39] Okay, so we've covered and heard about some of the pitfalls and challenges of going through the certification process. The next thing we want to talk about and hear from our guests is, when you go through HITRUST certification, what are some of the common myths, misconceptions, and misunderstandings that can get organizations into trouble? And there are really a lot of different ways this can go. And so our goal here is to debunk some of those myths and share with you some insights, so you go in eyes wide open with how the process works and what to expect and maybe what not to expect. So with that, we're going to hear from our HITRUST experts, Ryan Freeman-Jones and Angela Fitzpatrick. 

Ryan Freeman-Jones: [00:44:18] I think one of the biggest myths, and probably a lot of folks on the call are aware, is that there are a thousand-plus controls in the HITRUST framework. And we hear a lot of times, do we have to have all those controls in place to get certified? And luckily, no, the answer is no. Certification is really based on your environment and the risk that your environment has, at that level of risk as assessed by the HITRUST tool. And so really, based on that risk, you could have a lot lower number of controls. So I think that's a, you know, a big myth we want to break up right now: you know, you're not having to certify in a thousand-plus controls to really get started. And there's definitely lower entry points to get going. 

Angela Fitzpatrick: [00:45:11] Ryan, I'm glad you brought up risk. So it's interesting, because HITRUST does actually take into account, kind of at a high level, risk in their algorithm to determine which controls are going to be included in your assessment. But one thing I hear often is that, well, doing the HIPAA or doing the HITRUST certification is something we can use for doing a risk assessment, so kind of thinking that the two are equivalent. So a HITRUST certification or a validated assessment is not the same thing as a risk assessment. The controls that are chosen may be based on a level of risk, but within the HITRUST certification, there's no determination of threats to your environment. We may be looking at some vulnerabilities due to controls not in place, but we're certainly not assessing the likelihood or impact due to any exploits or incidents. So very, very different from a risk assessment. I do hear that from time to time and just kind of want to make sure that everyone knows there's a distinction between the two. So HIPAA does require that you do a risk analysis. And so does HITRUST. But the two are not synonymous, so organizations certainly need to make sure they're performing both. 

Brian Selfridge: [00:46:45] Now, Angela, can organizations leverage any of the HITRUST work for their risk analysis? There's a lot of documentation collecting, those types of things. Is there anything to be gained by sort of some overlap between the initiatives, or not so much? 

Angela Fitzpatrick: [00:46:58] Yeah, certainly. So when you're going through your HITRUST certification, it's really quite similar to a controls review or something of that sort. So as you're going through, you're certainly going to be identifying vulnerabilities to your environment. You're going to be looking at control effectiveness, at least at some level. And those types of things can be used to inform your risk assessment. So as you're developing kind of an idea of what your threats are in your environment and going through your risk analysis process, it's a great idea to take a look at your HITRUST assessment and see what controls do we have that we're implementing very well. Where do those apply to the risks you've identified, so that maybe the risk is lower due to control effectiveness? And where are we not doing so great with these HITRUST controls, where that may affect our risk and the risk on our risk analysis may be a little higher in some areas? So certainly some ways to work with both together and utilize your HITRUST to inform your risk assessment. 

Brian Selfridge: [00:48:08] So the time it takes to get certifications and the process can really vary pretty widely from organization to organization. And so our next topic is, we want to share some insights into how do you make the process as quick as possible and as painless as possible. So we're going to start with some of the accelerators, and we're going to hear from Angela Fitzpatrick on what are some ways that can kind of speed up the certification process, as often organizations sort of have pressures to get certified quickly in order to facilitate sales cycles or meet compliance requirements or contractual obligations otherwise. So let's hear from Angela on that front. 

Angela Fitzpatrick: [00:48:46] And then I think having some pretty standard and pre-approved language for policies and procedures can be helpful. I think this is an area, not as much policy, but procedures, where we do tend to see a lot of gaps during readiness. And HITRUST is fairly specific about what they want to see in the procedure and in the policy. So using some templated language and then building off of that to customize it to your environment can really, really help in moving things along quicker. And if you can utilize a third party to help out with that effort, so that you just have to go through the approval process internally, that can really help to speed the process as well. 

Brian Selfridge: [00:49:37] Next, we're going to hear from Jonathan Elmer, who's going to talk about some more accelerators to the certification process that he's seen from his experience. 

Jonathan Elmer: [00:49:46] I think messaging and internal communication, right. So getting that leadership and organizational buy-in up front and early is important. Oftentimes we see that this may be contractually driven, but that's not always the case. But regardless, having not just the owners of HITRUST, right, or whoever may be driving it, but all of leadership all the way up to the C-suite, understanding the business case. Right. Maybe the contract is the reason, but it's also going to add value to the organization overall. So make sure you have more than just "this is a requirement," and you get that buy-in. And then also, back to my earlier point, having the buy-in from all the teams that will be partaking as well. So again, back to our legal, IT, infrastructure, all of that: make sure that they understand the drivers, that this isn't just a check-the-box type of mission we're going through here. This is important to the organization, and be able to reiterate that up front and throughout the process. Again, back to my earlier point, it can't be done in a vacuum. So it really is an organization-wide effort. 

Brian Selfridge: [00:51:06] We've been spending a lot of time on HITRUST here so far. So I don't want to leave SOC 2 out of things here. So we're going to transition over to Paul Gray, who's going to talk about some SOC 2 best practices, accelerators, things that help make the process less painful and more cost-effective. So let's hear from Paul. 

Paul Gray: [00:51:24] But the big things that you have to think about, if you're going to go down this path, is you need to do your homework up front. You have to realize and understand what the criteria are and have a plan of how you're going to meet those criteria. Define what you want your controls to be. Work with a firm that you're going to have do the audit for you, so that you know the path: find that path, get on that path, go through, then test them up front, make sure that they're effective. Make sure your policies and procedures are in place. Give yourself time to roll out policies and procedures so you can train your people, train the organization, get everybody on board. And this is one of those things, too: it really needs to come from the top down of an organization. You need to have it from the very top of leadership all the way through, so that you can help implement the changes and operations, because it is one of those things that will change the way you do business. It'll change the way you operate, and it'll change the way that you look at things. And one of the things I've always said is security is a mindset; it's not a technology thing. And if you can adopt that mindset throughout and buy into that and understand what's trying to be done, it's easier to implement. And that'll make your time frame actually even faster. 

Brian Selfridge: [00:52:55] Now, getting certified is not always just about checking the box, meeting a contractual obligation. There can be ancillary benefits and reasons why organizations go into this process, one of which is supporting their HIPAA compliance initiatives and OCR enforcement sort of activities. So I'm going to turn it over to Bethany Ishii, who talks about what are some of the reasons why getting a HITRUST certification, for example, would support and help HIPAA compliance initiatives and programs. 

Bethany Ishii: [00:53:27] Recently, there's this new HIPAA OCR Safe Harbor Rule that was released earlier this year. And the law really is incentivizing covered entities and business associates to adopt security frameworks and really just adopt security best practices. And they specifically call out, you know, the HITRUST CSF certification as well as CSF standards. And really what this will do is, if a business associate or covered entity gets into a resolution agreement with OCR, OCR actually has to take into consideration, you know, and recognize these security practices, including adoption and certification of the HITRUST CSF. So, you know, in summary, it does serve organizations well to go through a security certification like HITRUST, because it will ultimately end up saving money if they ever do get into an OCR resolution agreement and start having those conversations with the government. As far as HIPAA goes, you know, HIPAA does require that a security risk analysis be performed. And, you know, HIPAA can be vague. You know, it lays some groundwork of what needs to be in place, but it's not prescriptive. We all know that now. And one great thing that HITRUST does is that, you know, HITRUST is very prescriptive. So it does provide a great risk management framework for going through and being able to satisfy the risk analysis requirement of the HIPAA Security Rule. And of course, it does touch on a lot of the other HIPAA Security Rule components. And in fact, if you go through with a HITRUST certification, you do kind of have that alignment. And there's a report that kind of lines an organization up and shows where there is overlap between the HITRUST framework and the HIPAA Security Rule. 

Brian Selfridge: [00:55:49] Paul Gray also has a perspective on how SOC 2, similar to HITRUST, can support HIPAA compliance initiatives. So let's hear from Paul on that front. 

Paul Gray: [00:56:00] Well, when it comes to HIPAA, SOC 2 can help you greatly. HIPAA doesn't have any kind of testing framework. It's more of a "this is a guideline of what you have to do, and you have to do due diligence." And the way to prove that due diligence could be through a SOC 2 audit. They'll go through, and the controls will be specific for your industry and for your environment, of how you have all these implemented. And they'll define how you're meeting certain security and certain framework measurements. And so it'll definitely help support your HIPAA. It'll make sure that it's in. It'll also validate whether it's effective or not and if it's actually doing what you think you have it configured to do, and if it's not, it'll identify what the gap is. 

Brian Selfridge: [00:56:57] We've covered so much ground today. We're going to close with one final topic here, because it's never quite complete for organizations that have said, okay, we're going to get SOC 2 certified or HITRUST certified, or we're going to go down this path and go through this process. A major, major success criterion is being able to partner up with the right certification body and third-party assessor in the case of HITRUST, or a CPA-accredited firm in the case of SOC 2. So we are going to hear from some of our panelists on this front of what goes into selecting an assessor firm to partner with, and what are some things you should look for and make sure that you vet out before you go down that path, because it is a truly critical decision point. So with that, I'll turn it over to our panelists to talk through that some more. 

Ryan Freeman-Jones: [00:57:49] Great. Yeah. I think one of the things I always advise organizations to look at is qualifications. And in particular, does the assessor firm that you're planning on working with have experience working with firms with similar business models as yours or not, and similar complexity? So if you're a very large environment and you have, you know, a very large security team, is your assessor firm going to be able to keep up with working with, you know, maybe 50 different stakeholders throughout the engagement, or more perhaps, or if there are several different teams that need to be worked with? Do they have the organizational kind of experience to conduct those types of conversations, structure those interviews, etc.? So that would be one thing. And then on the flip side, with a very small organization that has not really built out a formal security plan yet, does that firm have the experience on the operational side as well? I think those are two things. So really vetting out the firm that we're working with: do they have the knowledge, do they have a track record, in fact, of kind of working with organizations like us before? That would be one of the first questions I'm asking as I'm going down my checklist with these sorts of groups. 

Speaker4: [00:59:17] Yeah. I think related to qualifications, I would look at a couple of things. One being, you know, how long has the assessor firm been a HITRUST assessor? HITRUST does some vetting to make sure that all of their assessor firms are qualified to do an assessment. You know, so background checks and, you know, some things like that. But it doesn't mean all things are equal. So having that experience with HITRUST over time is key, because really you can speak to your clients about what has worked in the past and what has not worked in the past. What do we know about HITRUST and these assessments that will help you get there efficiently? So that's the HITRUST knowledge. But additionally, it's kind of that we've been through this process and have things to bring to bear. We also have audit experience. Right. So you want your assessor firm to have kind of depth in their audit experience, because there are certainly a lot of pitfalls on the auditor side if it's your first time going through a HITRUST assessment. I think an additional factor that can be helpful for a couple of reasons is if the assessor firm is also able to issue SOC 2 Type II attestations, then that speaks to an ability to perform a true audit. First of all, HITRUST does follow some AICPA guidelines for how to audit against populations and samples and things like that. So understanding that process and performing a true audit like a SOC 2 Type II, that's great. Additionally, you may be able to gain some efficiencies by combining the two assessments. So with contractual obligations, sometimes we'll see that you're required to do HITRUST and SOC 2. So if your assessor firm can do both, then there can be some efficiencies to be gained there. So kind of looking at all of these things while you're looking at the background of the assessor firm you're planning to work with are good to look at. 

Brian Selfridge: [01:01:50] So that's all for this very special session of The CyberPHIx Healthcare Security Podcast. We've covered a lot of ground here, and hopefully, if you are interested in HITRUST or SOC 2 certifications, this has helped elucidate and elaborate on some things that maybe you didn't know before. And we'd love to hear from you if you have any additional comments or feedback or lessons learned that you want to share with us; we'd love to hear those. If we can circulate those to the audience, I'm sure they would appreciate it as well. So we hope this has been informative for you. We'd love to hear from you. If you have any other questions, feel free to reach out to us at [email protected]. Thanks for listening to this special 100th episode of the podcast. We hope to have 100 more coming at you soon, so thank you, so long, and thank you for everything you do to keep our healthcare systems and organizations safe.