HITRUST Announces New Certification Model: Insights from HITRUST Leadership


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

HITRUST provides a range of cybersecurity and privacy certification and accreditation solutions, including their flagship HITRUST CSF certification, which is one of the most widely adopted security frameworks for healthcare organizations.

The demand for cybersecurity certifications and assurances like HITRUST is at an all-time high due to escalations in breaches at healthcare entities and their vendors in the supply chain. However, not all certifications are created equal, and the industry is outgrowing the one-size-fits-all certification model. 

HITRUST has announced new security certification models, including the new HITRUST i1 certification. The new HITRUST options are designed to provide more flexibility and speed for HITRUST certifications, while reducing the cost and effort to achieve certification. 

Join us for this episode of The CyberPHIx as we hear from Michael Parisi, Vice President of Adoption for HITRUST. We discuss hot-off-the-presses details of HITRUST's new security certifications and solutions, including:

  • Market trends and demand for security certifications for healthcare entities 
  • The history and evolution of security certifications including the HITRUST CSF (now called HITRUST r2), SOC 2, ISO, and others 
  • Detailed overview of the new HITRUST i1 certification option 
  • HITRUST i1 security controls requirements including focus on implementation of controls 
  • HITRUST i1 certification requirements, timing, level of effort, release schedule, impact to HITRUST CSF (HITRUST r2) certified entities 
  • Breaking news on changes to the Cybersecurity Maturity Model Certification (CMMC) security certification program 
  • Details of the HITRUST Basic, Current State Assessment (bC) 
  • HITRUST privacy certification updates 
  • Details of HITRUST’s new Results Distribution System (RDS) 

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:20] Hello, welcome to The CyberPHIx, the audio resource for information security, privacy risk and compliance for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we bring you pertinent information from thought leaders in healthcare, cybersecurity and privacy. And in this episode, we will be speaking to Michael Parisi. Michael is the Vice President of Adoption for HITRUST. The demand for cybersecurity certifications and assurances, like the HITRUST CSF certification, is at an all-time high due to escalations in breaches at healthcare entities and the vendors in their supply chain. However, not all certifications are created equal. The industry is quickly outgrowing the one-size-fits-all certification model. HITRUST has announced new security certification models, including the new HITRUST i1 certification. The new HITRUST options are designed to provide more flexibility and speed for HITRUST certifications, while reducing the cost and level of effort to achieve certification for everybody involved. In my conversation with Michael today, we'll discuss hot-off-the-presses details of HITRUST's new security certifications and solutions, including the new HITRUST i1 certification and much more. And let's dive into another great conversation with yet another amazing guest, Michael Parisi from HITRUST.

Brian Selfridge: [00:01:46] Hello and welcome to CyberPHIx, the leading podcast for information security and privacy, specifically for the healthcare industry. I'd like to welcome my guest, Michael Parisi. Michael is the Vice President of Adoption for the HITRUST Alliance, or just HITRUST for short. HITRUST is an organization that provides a wide range of cybersecurity and privacy certification and accreditation solutions, among other things, for the healthcare industry, including their flagship HITRUST CSF certification, which may be renamed shortly, and we'll talk about that, which is one of the most widely adopted security frameworks for healthcare organizations. And prior to HITRUST, Michael served as a risk assurance senior director for PricewaterhouseCoopers, which coincidentally is also my professional alma mater. So always happy and fun to speak to PwC folks or ex-PwC folks. So I'm excited to be speaking to Michael today about the introduction of new security certification and assessment models and solutions that HITRUST is in the process of rolling out. Our organization, Meditology Services, is also a certified HITRUST assessor organization, so we're very much excited to hear about these new developments and ways we can collectively help drive down cybersecurity and compliance risks for the healthcare industry and its associated vendors and supply chain, and all that good stuff. So with that, Michael, thank you so much for taking time to join us today on the CyberPHIx.

Michael Parisi: [00:02:55] Yeah, thank you, Brian. It's great to be here. Always great to spend time with you and one of our top assessor partners. So thanks for the opportunity. 

Brian Selfridge: [00:03:07] Absolutely. So I was very excited to see that HITRUST is offering some new solutions, in particular a brand new certification called the HITRUST i1. And we are eager to learn more about that today. But before we get too much into the weeds there, I wonder if you could level set with the audience a little bit here about what the current HITRUST certification options are sort of before we tell them about all that, all the new fun ones. 

Michael Parisi: [00:03:32] Yes, sure, absolutely. So in today's day and age, you know, we currently offer really three different types of assessments for organizations that are looking to provide assurances to their stakeholders, or if they are relying parties that are looking to obtain assurances from their vendors, right, their third parties. So today, those three are: first, the Rapid Assessment, which only lives within our Assessment XChange, which is the third-party risk management platform. Think of it as a quick and dirty look-under-the-hood type of assessment, usually used from a due diligence or vendor vetting standpoint, very small subset of the CSF, and it is a self-attestation. Next, we offer what we refer to as a readiness assessment, which applies the risk-based approach of tailoring from the full framework of controls, driven off of the risk of the organization, the service that they're providing, and also the compliance requirements or authoritative sources, also a self-attestation that comes along with the PRISMA scoring model. And then lastly, at the top of the house, if you will, is the validated assessment. The validated assessment with certification still applies the full rigor, a scoping exercise in tailoring the framework, which has 2,089 controls as of today, to say which ones are relevant for me. It does require validation from an assessor like Meditology to come in and execute testing against those controls. And it does provide additional transparency through that PRISMA scoring model at five different areas or elements around policy, procedure, implementation, and then whether that control is being measured and managed over a period of time. So high level of assurance, if you will, from a marketplace perspective.

Brian Selfridge: [00:05:33] So those are all familiar options to a lot of folks in the industry that have been adopting those. So what are some of the pain points that are driving HITRUST to look to create new options, new certification options? What's changed?

Michael Parisi: [00:05:47] Yeah, great. Great question, Brian. So I'll take you on a bit of a journey that, you know, you and I have talked about for a number of years, along with Meditology as one of our partners. You know, I think when you look at assurance mechanisms more broadly. Right. So let's not just talk about HITRUST assessments for a second. There's a lot of assurance mechanisms out there, as you guys know, right? You execute many of these, and not all of them, for your customers throughout the years. And you and I did this back at PwC for so many years. Everything from, you've got your HITRUST certifications, you've got ISO certifications. SOC reports, of course, is huge, right? From a marketplace standpoint. Then you've got some more ancillary things like FedRAMP and PCI. You have other types of questionnaires that are out there, like your SIG Lite, et cetera. So there's this whole bucket of assurance mechanisms that exist out there. And when you try and plot those along a continuum, and if that continuum really involves things such as what's the level of effort in order to produce it, what's the level of transparency, what's the cost, right? How much validation needs to go into that? But they're kind of all over the place. And we went through an exercise of saying, if you put assurance as the goal, in recognizing there's varying levels of assurance, probably the easiest example is to say a self-attestation versus something that's validated, right, by an independent third party.

Michael Parisi: [00:07:20] They're going to be all along that continuum. And what we found is there was a market need for the middle. So what we're referring to as moderate assurance levels, there's a lot of big clubs out there and a lot of people are trying to kill mosquitoes with a cannon to say, you must do a full SOC 2 report or you must do a full-blown HITRUST certification. And the reality is those assurance mechanisms, although certainly suitable for some organizations, driven off of risk, a lot of times they're too big of a lift or they're over-clubbing how much assurance needs to be provided relative to the services in the relationship that third party has in the marketplace, right? Well, then what do you have left? Well, the only thing you have left is the other end of the spectrum, which is low level of assurance, which is usually self-attestations or an equivalent of maybe like a Type 1 SOC report, right? Where it's not giving you a level of transparency and comfort over whether controls are actually implemented or operating effectively. So we saw this huge need for an assurance mechanism that fits in the middle, provides moderate level of assurance.

Michael Parisi: [00:08:31] I think an organization that's maybe dealing with PII or sensitive information, but not on the spectrum of PHI, and still being able to provide a level of validation and come along with a certification at 20 to 25 percent of the level of effort from an implementation or an assessment perspective, that better aligns to the risk associated with that organization. There was a huge need there and we sought out to fill that need with one of our new assurance mechanisms that we refer to as the HITRUST i1. Additionally, on the lower end of the spectrum, as we think about what has existed traditionally for those very small businesses, think like an insurance broker as an example or special interest organization, a lot of relying parties haven't done anything with that population of their third parties because they haven't been able to find something that fits relative to the risk associated with those organizations. And they know that they need to do something, and a self-attestation or trying to maintain a proprietary questionnaire relative to that population is very burdensome. Not only is it burdensome on the small business, but it's burdensome on the relying party as well. So we said we need to come out with an assurance mechanism that we refer to as our basic assessment to address that segment of the marketplace as well.

Brian Selfridge: [00:10:04] Well, I appreciate the hunting mosquitoes with cannons. I keep thinking of that; there's a Monty Python skit, I think, where they were out there in their jungle gear, blowing up the jungle in the hopes of taking out mosquitoes, so that resonates well. I'm very intrigued by this HITRUST i1 option, and its sort of lighter flavor, as you positioned it there. Maybe we can talk a little bit more about that one? So what are the frameworks or sub-frameworks, maybe, that went into deciding what that lighter version is going to be versus the full 2,000-some controls, I guess the HITRUST CSF or whatever it was, that full set earlier. What's the HITRUST i1 looking like from a control perspective?

Michael Parisi: [00:10:46] Yeah, good. Good question, Brian. So when we looked at it, we said, All right, we've got to be able to do a few different things. One, if we create the HITRUST i1 as being quote unquote risk-based, meaning you go through the same process that you would for the full HITRUST certification that we now refer to as a HITRUST r2, by the way, risk-based two-year certification, it would be overly burdensome and you would have inconsistencies relative to what organizations were held to. So we decided to go the route to have a stagnant standard set of controls. So a subset of the controls, everyone has the same controls that they are subject to, and those controls are driven off of what creates a good security posture, right, from a program perspective, security program perspective and program maturity overall. And when we looked at all the different authoritative sources and references that are out there, as you know, we've got risk management frameworks, we've got control frameworks, we've got regulations, et cetera. And I think most organizations identify or recognize NIST in some shape or form, right? It's probably the most widely used from a standard perspective that organizations are always asking about, whether it's internally from a stakeholder standpoint or whether it's externally. You know, NIST seems to be the flavor in some shape or form that organizations need to understand where their program is relative to those requirements. However, there's different versions of NIST. As we know, different flavors of NIST 800-53. Again, is that big club, right? That big cannon? And for a lot of organizations, they don't need everything from an 800-53 standpoint. So what we said was, let's look at 171. NIST 171 is the primary authoritative source or industry recognized standard that we're going to build the HITRUST i1 off of for a number of different reasons.

Michael Parisi: [00:12:51] As you know, 171 is a subset of 800-53 effectively. So it's going to get you comfort from a NIST standpoint. It's better than just the Cybersecurity Framework, just the framework, not necessarily the standard itself. And when you look at most organizations that have implemented aspects of 800-53, when you boil it down, it's usually 171 that becomes the basis or the baseline of what they're doing from a NIST standpoint. And when you look at some of the requirements that are out there from, for example, a DOD perspective, and I know CMMC is constantly in flux, especially with some of the things that came out today, you know, that is the primary driver as well. So we tried to strike the balance of what is a recognized, an industry recognized standard and framework that most organizations will identify with, what is an industry agnostic standard or framework that most organizations would identify with, but still has crossover into other authoritative sources as well. In addition to that, almost full coverage of the HIPAA Security Rule is also included within the i1, recognizing that a lot of organizations don't have a need to be fully compliant with HIPAA overall. You know, that is some critical feedback that we've had throughout the years, which is why we moved out a lot of the HIPAA requirements from our standard HITRUST certification, and we focused on the crosswalk or crossover between 171 and then also the HIPAA Security Rule. And there are elements of other authoritative sources in there as well, such as linkage to aspects of SOC 2 Trust Services Criteria and some other authoritative sources. But the primary driver is NIST 171.

Brian Selfridge: [00:14:50] Well, you officially piqued my interest on the news that came out today, so we can digress a little bit. What was it that broke today on the CMMC standard side?

Michael Parisi: [00:15:02] Yeah. So on the standard side, there's a shake-up around CMMC. I hate to pontificate because I don't know that all the formal communications have come out, but basically CMMC has kind of fallen apart and the DOD is backing off on what they were trying to build from a CMMC standpoint. I think they realized and recognized that trying to build something net new instead of leveraging things that already exist within the marketplace really wasn't going to work. So they backed off on that. They've not necessarily backed off on the requirements and the vision of producing validated assessments against NIST 171 in the future over the next several years. But I think they're looking at the regulatory arm or the mechanism for which those are required, monitored and delivered a little differently. So it'll be interesting to see how that plays out over the next couple of days as we learn more. But certainly a shake-up in terms of the initial direction they were heading in.

Brian Selfridge: [00:16:10] They could have just looked back to HITRUST history, what, 15, 20 years ago, we realized that creating something brand new from the ground up was a bad idea, and secret sauces and cobbling it all together.

Michael Parisi: [00:16:20] That's what I'm saying, man. Right. 

Brian Selfridge: [00:16:24] So let's go back to the HITRUST i1 for a second here. How long is this certification good for? You mentioned that the CSF certification, now called HITRUST r2, is a two-year with an interim. What's the deal with the HITRUST i1 on frequency?

Michael Parisi: [00:16:40] Yeah. So the HITRUST i1 will be good for one year, right? It is an annual assessment. We did that for a couple of different reasons. When you look at the scope of a HITRUST i1, again, the different aspects that we're concerned with from an overall implementation of a security program standpoint in our model are: policy, procedure, is it implemented, i.e. placed in operation, operating effectively, are you measuring it and are you managing it. For the HITRUST i1 certification, we said we're only going to focus on, is it implemented? So the equivalent of, is it placed in operation, operating effectively, for a couple of different reasons. Although I think we would all agree good documentation and policies and procedures are important and relevant to a strong security program, regardless of what assurances we need to provide. However, there's a lot of organizations that don't need to necessarily provide assurances over policy and procedure. Specifically, think HIPAA. If you're subject to HIPAA, of course you are. Many organizations are not. So the real risk, you know, Brian, I care more if you're not actually doing a control, right, you don't actually have it implemented, as opposed to if you've got it written down on a policy saying you do and a procedure that says how you're going to do it. But are you actually doing it or not? Right, that's really the highest risk.

Michael Parisi: [00:18:02] And when you look at our PRISMA scoring model that's in place for the HITRUST r2 or the old full assessment, when you look at the quote unquote points that are assigned from a risk perspective, the majority of those are focused on implementation, because when we apply the risk lens, we believe that's the highest risk aspect to be concerned with. Are they actually doing it or not? So as a result, however, the elements that help us extend certification over a period of two years is because there are forward-looking aspects, such as are they measuring and managing the programs? And if they have a good documentation process in place to ensure they have policies and procedures, that gives us further comfort, more forward-looking, and can extend the value of certification over multiple years. With a HITRUST i1, the fact it's only focused on implementation, we feel as if that is something that needs to be redone on an annual basis, and it also addresses some of the questions we've gotten in the marketplace in the past around the full certification. There are some organizations that feel a full validation should be done every year, right? And the HITRUST i1 gets to that. And that also puts it more in line with the requirements and standards of other assurance mechanisms, like a SOC 2, for example.

Brian Selfridge: [00:19:29] And just on the HITRUST r2 itself, the legacy full CSF certification, my understanding was that also earlier this year, there were some changes around implementation, sort of weighting the implementation factors a little bit more heavily. If you could speak to that a little bit, is it a similar thought process there?

Michael Parisi: [00:19:46] Yes, exactly right. It's a similar thought process there from a weighting standpoint, and also, it depends on what vernacular you want to use, right? Whether we call it exceptions, weaknesses, discrepancies, corrective action plans, gaps, right? There's a lot out there. Our vernacular is corrective action plans versus a gap. And the way to think about that is a corrective action plan is a problem, right? It's something that needs to be solved relative to the maturity of the program and maybe achieving certain objectives from a security standpoint. A gap is, I don't want to go as light as to say it's a nice to have, but it's an opportunity for improvement, right? Things that you can live with. You should obviously strive to address all of those. But what we realized is, again, you know, in the past, organizations that didn't meet the minimum necessary maturity scores of a policy and a procedure were often met with corrective action plans. So they were immediate issues that you needed to correct through our old assessment methodology, and we changed our thinking on that and said, again, if Brian has it implemented, fully implemented, we know he's doing it. More importantly, Brian, you know the organization's doing it as the assessor and the auditor. You're the one that's going to be looking at it. The fact that they don't have it formally documented isn't as big of a risk. So we've relaxed that to say if organizations are fully implemented, however, there's opportunities for improvement on the policy and procedure, those could be reflected as gaps and not full corrective action plans.

Brian Selfridge: [00:21:29] That makes a lot of sense. So tell me a little bit about, back to the HITRUST i1 for a second, the relationship with the HITRUST assessor organizations like Meditology, and there are others. In a traditional r2, right, you need an assessor like Meditology to come in and do some prep work, help with some remediation, perhaps, and then run an audit. At least that's typically how we sort of lay it out. With HITRUST i1, is it the same type of life cycle from your perspective, or what changes with the role of the assessor organization and the customer, you know, relative to this certification?

Michael Parisi: [00:22:05] Yeah, great. Great question. So not a lot relative to the role, Brian, right? So the i1, a couple different things. Let's talk about what isn't changing. So there's still a primary focus on implementation. As a matter of fact, it's the only focus, right, with a HITRUST i1, just like there's a primary focus on the r2, too. We thought it was super important to ensure that the HITRUST i1 remained a validated assessment in order for it to carry a certification. As you know, we need that work to be validated by an approved assessor organization like Meditology. So organizations that are pursuing a HITRUST i1 will still be required to use an approved assessor organization. However, what's going to change is that the assessor only needs to focus on that implementation element and not all the other elements. So the level of effort that it's going to take for an assessed entity and also an assessor will be less, which means they should be able to be done quicker. Obviously, that remediation aspect is always an open switch, depending upon how long that takes, but they should be able to be executed quicker by both organizations. And from a cost perspective, it should be a much lighter lift on organizations as well, because there's less that they need to remediate or less that actually needs to be assessed. And the other thing that we've introduced, this is more for our assessor partners, but certainly for our assessed entities as well, is what I like to call quality of life improvements that exist with the i1 that don't exist with the HITRUST r2 today, although we will be incorporating a lot of those into the HITRUST r2.

Michael Parisi: [00:24:01] For example, we're going to have specific SLAs defined on the side of HITRUST to turn HITRUST i1's around. As we know throughout the past, that's been a pain point, right? Sometimes it's taken a long time for those reports because there's such a volume of information to go through. And for organizations to get their actual certification on the HITRUST i1, we know exactly how much we're looking at. So we are going to commit to SLAs for organizations that do an i1 in the marketplace. And that's going to be for both the assessors and the assessed entity. Assessors are going to have the ability to populate the MyCSF assessment with an i1, so no more where the assessed entity needs to go through and do all their scores, and now the assessor needs to come back and do all of their scores. We recognize that it bogs down the process and it takes longer and it's more administrative work than necessary when you think about the assertions that need to happen. In today's day and age, the assessed entity and the assessor need to assert to every control requirement. With the i1, what we're rolling out is you do one assertion overall. So as long as you as Meditology are on board with your assessed entity's scores and where it stands, it's one assertion that you need to give.

Michael Parisi: [00:25:19] You don't need the thumbs up on all the different requirements, which really bogs down the process overall. So a lot of different things that we're going to put in place. Electronic signing of required documents. You'll still have the benefits of the combined board for greater transparency. But we're really excited around those quality of life improvements. And lastly, I'll say a big pain point for a number of years is this concept of nested requirements, as I like to say. Those organizations know, and Brian, you guys are all too familiar with, when you look at a set of controls that organizations need to be in compliance with from a HITRUST standpoint, it doesn't mean that that's all you've got to test, because when you look at those requirements, there's those evaluative elements, and some of those controls can have eight to 10 things that you need to do. No more on the i1. So when you look at the HITRUST i1, every evaluative element has been pulled up into its own control statement. So what you see is what you get. There's no guessing around how much I need to do in order to satisfy this, which we think is going to eliminate a lot of confusion. And I haven't said it yet, but in case you couldn't tell, we're using a lot of these changes and model for the i1 so that we can roll it out across the rest of the assessment portfolio and implement those into the HITRUST r2 in future activities as well.

Brian Selfridge: [00:26:48] So it sounds like there's a ton of accelerators here to make this process quicker, hopefully thereby cheaper and less burdensome on everybody involved. So I'm going to add, but that said, I'm going to ask you a tough question, but you've been in the industry long enough, I can keep you on the hot seat. If you had to quantify sort of the order of magnitude reduction in cost, effort and time from the traditional r2 to this i1, are we talking half of the effort? What's the number you want to throw out if we forced you to do that?

Michael Parisi: [00:27:22] It's at least half, and you don't have me on the hot seat at all. I just looked at it this morning with some of my other presentations. So right now we're averaging, to be exact, about twenty-three percent of the level of effort of a HITRUST r2. So if you want a range, say, 20 to 25 percent, that's obviously contingent upon scope. Scope is still an aspect, right? Are you doing a HITRUST i1 over one system or 40 systems? How many locations, et cetera? But you know, the pure reduction of having to look at only one element as opposed to five elements, you could do some pretty quick math, and we've looked at the size of what's the average HITRUST certification relative to scope and requirements and what's, you know, a smaller one. And we've also looked at it relative to other assurance mechanisms like a SOC 2, for example. So we think that an i1 is going to be roughly about 20 to 25 percent of the cost of a HITRUST r2 or the full certification as it is today, and in line with the cost of executing a SOC 2, and in some instances, probably a little less.

Brian Selfridge: [00:28:40] That's a huge help, to compare it to the SOC 2. I think that's something a lot of organizations are familiar with, getting through that annual audit cycle. In terms of timing, the r2 could sometimes on average take six months, nine months even, to get from start to end, especially for organizations their first time out. And for, you know, an annual certification that would be kind of nuts, but for the HITRUST i1, can we use your twenty-five percent number for the timing of this too? Does it bring it down to two to three months, or sort of SOC 2 level type timing? Or what do you think on duration, with the SLAs in place, obviously, that you mentioned, which are a big help.

Michael Parisi: [00:29:15] Sure. Yeah. So I would tell you it's designed to take less time than a SOC 2, right, just because, as you guys know, there's less administration and bureaucracy and standards and risk management, all things that AICPA firms have to go through when they're producing the AICPA report, that they're not subject to with this, right? So that's one factor. Another factor is where organizations are relative to their program today. So like our HITRUST r2 or full certification today, there's going to be a readiness option for a HITRUST i1 as well. So what we recommend, which I'm sure will resonate with you, Brian, as you do with many of your customers, if you're starting from zero, it's probably a good idea to do a readiness. So if an organization is going to undertake a HITRUST i1 readiness, you may extend your time a little longer. However, the other beauty of it is that the chances of moving from a readiness into a full HITRUST i1 validated assessment quicker than you would if you're doing, say, a HITRUST r2 readiness to an r2 validated assessment are much greater, right? You can move quicker. And so right now we're anticipating organizations would be able to do an i1 anywhere from, say, three to six months. And those different factors are going to be, what do they have in place today? And are they doing a readiness exercise or not? And obviously remediation being more of an open switch. That's for the initial out of the gate, if they haven't done anything. Our vision going forward is typical to what you would see from a SOC report, you know, two to three months, in order to refresh that and roll it forward on an annual basis, is what we're thinking it will take organizations to execute. But we've got a couple of pilots running right now, and it'll be interesting to see what the timing ends up being from those organizations.

Brian Selfridge: [00:31:23] So this is really exciting that we now have, we're adding to this menu of certification options for the customer, and just getting HITRUST certified may mean several things now. So what types of organizations do you think are the ideal candidates to pursue a HITRUST i1 versus a HITRUST r2? And maybe what are some of the decision points if you were counseling organizations to pursue one or the other? 

Michael Parisi: [00:31:49] Yeah. So I'll answer that through two different lenses, Brian. So for example, if I am an assessed entity, meaning I'm an organization that needs to provide assurances to the marketplace, there's a number of different decisions that I need to go down. And if I am a relying party, meaning do I request an i1, do I accept an i1? What is this thing? This is new to the market, right? So I need to be educated and understand what's the value that it provides to me relative to other assurance mechanisms out there that looks a little different. To get on my soapbox for a second, you know, this is the way I've kind of viewed that assurance continuum in the marketplace for a number of years. Organizations, I think most organizations identify and recognize that a full HITRUST certification is the quote unquote gold standard, if you will, right? It includes multiple things that other assurance mechanisms don't have, whether it's relative to the scope, the coverage of multiple authoritative sources, additional data elements to help improve transparency, et cetera. All that being said, it's hard for a reason, right? It's not the gold standard to be easy, and it's hard for organizations to do it. There's a lot in there that they don't necessarily do. So organizations that look at, say, a full HITRUST r2 or HITRUST certification, when they look at that and say it's going to take me too long, it's going to be too expensive. There's more in there than I need, but I still need to provide validated assurances over my information security program to my stakeholders. 

Michael Parisi: [00:33:42] There's really only one option right now that they fall back on, and that's a SOC 2. And a SOC 2 has its place within the market. Obviously, I mean, it's super popular and it satisfies a number of those requests. What we have strived to do with the i1, I want to be clear this is not a replacement of the SOC 2. It's an alternative to the SOC 2. So we haven't come out to say, Oh, you know, if you're currently doing a SOC 2, that doesn't make sense, abandon that, come to an i1. For some organizations, maybe that's the case, but we haven't released this to compete with the SOC 2. We've put it out there to introduce another mechanism that organizations can leverage to provide assurances over their security program and the posture of their program. And you know, similar to if you look at what happens internationally, most organizations go with an ISO cert, right? 27001/2. Well, that looks very different than a SOC 2; that doesn't mean that they're not equivalent mechanisms, if you will. So we're trying to put another option out there. What I would advise organizations to do instead of defaulting to "everyone else is doing SOC 2, so I'll just do that," first and foremost understand, is that the right mechanism for you, right? Or is a HITRUST r2 the right mechanism for you? What are you being asked to provide? And I'm using SOC 2 compared to i1 just as an example, but that goes with any assurance mechanism that's out there. 

Michael Parisi: [00:35:14] So look at what you're contractually required to provide. I mean, there's some relying parties out there that say, you must do SOC 2. You must do HITRUST. So if that's the case, you may not have a lot of flexibility. And now you're in the realm of working with somebody like you and Meditology to say, How do I assess once, report many? How can I work with you guys to do one assessment? You help me pivot and produce all the different types of reports I need to produce. Different decisions, different process, but really look at the attributes that you want to provide your relying parties. How do I ensure I'm giving my relying parties consistency, enough transparency into what's going on within my organization? How do I do that efficiently? How do I make sure the mechanism that I'm giving them has the highest level of integrity relative to the quality assurance process? How do I make sure it scales based upon my organization right now, I'm not doing more versus less, et cetera, et cetera, and that there's appropriate accuracy. So I would look at those elements and ask yourself, if I have to spend money, which is the cost of doing business, right? If you're not in a position and you're not going to take it seriously enough to spend money to show the posture of your security program, it's going to be a barrier to entry. If I'm going to spend that finite set of dollars, 

Michael Parisi: [00:36:39] Where am I going to get the biggest bang for my buck? And in looking at what we've built from a HITRUST i1 standpoint, we've tried to ensure that the HITRUST i1 provides additional support relative to those considerations that I talked about: more consistency, more transparency with the PRISMA scoring model, which other mechanisms don't have, more efficiency across multiple authoritative sources, additional integrity, having more levels of quality assurance review than, say, an AICPA report or ISO certification has. But at the same time, ensuring that there's scalability and accuracy. And lastly, I would say when you look at the relying parties, understand what relying parties are willing to accept or accepting today, because a lot of relying parties, based upon the work I've been doing over the last several months and I'll continue to do, is educating all these different relying parties on what an i1 is, and I'll tell you, many of them not only have said, that's great, I will absolutely accept it. Many of them have also moved in the direction to say, I'm going to require that. I'm going to ask for that. And it could be also, you know, at the cost of not requiring an r2. So it could actually work out better for a lot of organizations that are staring down the barrel of a full HITRUST certification today that may be backed off a little bit with some of these relying parties. 

Brian Selfridge: [00:38:12] I wanted to ask you about that, particularly around this sort of mobility of this, this certification, the i1, in two directions, I guess. Would it be possible if you get the HITRUST i1? Does that then provide some sort of stepping stone toward the gold standard r2? And maybe conversely, if somebody's got the HITRUST r2, can they kind of backslide into a HITRUST i1 and do the easy button? Or what would you advise organizations that are sort of maybe going to go one way or the other? 

Michael Parisi: [00:38:40] Yeah, it's a good question, Brian. So when we thought about this and when we designed it, one of the things that we looked at was, we wanted to make sure it didn't degrade the value of a HITRUST r2 or full HITRUST certification in the marketplace for a couple of different reasons. One, you've got many organizations that really strive to achieve that highest bar. And we didn't want them to feel as if, well, do we need to continue to maintain that high bar now that we could, and you mentioned, like slide back or step back into this? No, of course we wouldn't recommend that because remember, they both have their own place within the ecosystem. The HITRUST r2 is certainly going to remain relevant, but we actually don't see any degradation because it provides more transparency, more clarity. And let's not forget, if you need to provide assurances over specific authoritative sources that are not NIST 171, for example, but anything else, your r2 is the only way to do that, right? So as soon as somebody says, Well, I've got to be HIPAA compliant, I've got to show I'm meeting all aspects of HIPAA, the HITRUST i1's out; the HITRUST i1 is only going to help me from a security standpoint. So there's a lot of organizations in that bucket, if you will. So we don't really see a degradation of moving away. However, you do have some organizations out there whose eyes are bigger than their stomach, and they go down the path of a full HITRUST certification, maybe because they're striving to have a differentiator in the marketplace, which I applaud them. That's great. But once they get through it, you know better than me with all the readiness that you guys do and how many customers you help on this path. 

Michael Parisi: [00:40:30] If you look at it and say, Guys, there's a lot of work to do here in order to achieve this, and there could be a lot of cost from a remediation effort. However, what might be a better option is you're doing pretty good on implementation. So you are in a position where you can get a version of a HITRUST certification today and it helps you along your journey. But at the same time, it shows you are taking it seriously. You've gone through the effort to evaluate your security program. You're providing assurances over the fact that I've got a program at least fully implemented, and I'm working on maturing that over a period of time. And for those organizations that may be requiring or requesting you to get a full HITRUST r2, you're showing them that you're making progress. And I'll tell you that relying parties I've talked to, those that were HITRUST certification, have said if somebody puts in the effort to show me that they can get a HITRUST i1, I'm going to relax the timeline that I currently have on them to do an r2, maybe another year, right? As an example, the beauty of it is all of the requirements that will be in scope for a HITRUST i1 will be nested within the minimum requirements for a HITRUST r2. So you'll be able to use those requirements and the work that you've done as you move toward a HITRUST r2 or as you move along the assurance continuum. 

Brian Selfridge: [00:42:03] So, so last thing on HITRUST i1, because I do have a couple of other questions for you and I know we'll run out of time because there's so much to unpack here. Just, is the HITRUST i1 live now? Can organizations go and get it? What's the rollout plan? Sort of, how do they learn more about, how do our listeners learn more about how to go get it? 

Michael Parisi: [00:42:21] Yeah, sure. So there is information on our website about the expansion of the assurance portfolio today, right? So you can go there in order to learn more about the HITRUST i1 specifically and then also the basic assessment. It will be live Jan 1 2022, so organizations can select an i1 object or build an i1 assessment as of 1/1/2022. However, in the meantime, anybody who doesn't want to wait and wants to get a sneak peek on what those controls are, that's something that I am happy to provide any organizations with so that they can see what's included in there. And if you wanted to get a head start, we have the ability to build a customized assessment for you today. Although it's not a pre-built i1 object, we can build you what would effectively be an i1 object in the form of a customized assessment today, if you want to start taking a look at it and perform readiness activities alongside with your assessor partner. And we have now five organizations that have elected to do that between now and the end of the year. 

Brian Selfridge: [00:43:37] Those are gluttons for punishment, those organizations, the bleeding edge, get it done. So we're already almost at Thanksgiving. Good for them. I applaud their ambition. You mentioned the basic assessment there. Maybe we could just briefly sort of tell folks, what is that, the bC basic option, just relative to everything else we talked about today? 

Michael Parisi: [00:43:58] Yes. So the basic assessment, it's a little bit of a departure from our traditional assessments. The idea is the basic assessment is building from the ground up. So there's a library of, think of good security hygiene controls, that are included within the library for the basic assessment, to be exact 71 controls, OK. And a lot of those are driven off of the NIST cybersecurity framework. And the idea is that if you're a small business, you can build a basic assessment off of the full population that will get to the typical elements that organizations will ask for or want to know about as part of your security program. Let's talk about use cases. I am a small business, a broker. I'm a broker that works for a number of different health plans and that is a traditional vendor. And some would argue, although under the HIPAA regulation I am considered a business associate, there's no way I come in contact with as much as a full business associate would do. What do I do? I get hit with all these questionnaires. Is there some type of small assessment that I could show I have good housekeeping in place? Another use case organizations are using it for, a lot of times you may outsource functions such as marketing and sales, right? So for those types of individuals and organizations and vendors, a basic assessment is designed for you to satisfy that. Think about in the sales cycle. Let's say you don't want to share your full HITRUST assessment or your full SOC 2 report throughout the sales cycle. You know, after you close the deal, that's something I'm willing to share. How do you share a skinnied-down version to at least give people comfort that I have a good security program in place? Basic Assessment is designed for you. So the idea is that organizations can do a basic assessment that is also a subset of the HITRUST i1. That's a subset, too. 
So you see the pattern, the theme there: you build up from an assurance standpoint in order to provide those assurances to the market. Also great for startup organizations. 

Brian Selfridge: [00:46:05] Ok, so I want to switch gears a little bit and talk about privacy for a second. You mentioned that a little bit earlier that, you know, organizations sort of have cybersecurity focused needs, which we've covered sort of the gamut of those. But my understanding is also HITRUST has been putting a lot of energy around incorporating privacy controls either into the traditional sort of HITRUST r2 or CSF type model. But there was some discussion around a standalone privacy certification. Or you could just talk at a high level about what's going on with privacy these days at HITRUST. 

Michael Parisi: [00:46:53] Yeah, unfortunately, I can only keep it at a high level because it's not fully built yet, but you're absolutely right. Again, when you look at it in the marketplace today, there really is no overall privacy certification that organizations can leverage. There's elements, to your point, Brian, of privacy controls and certain regulations for which we have some of those included within our framework today. But there is no standalone privacy certification that necessarily exists, and I'm using certification purposely, right? Because certification means a lot different than, say, an assessment that exists out there. So what we are doing is, you're absolutely right, we are creating a privacy certification just like our certifications exist today, which by the way, there will be an equivalent of a HITRUST i1 and a HITRUST r2, right? So two different flavors that are focused on privacy program build and operation. You can't boil the ocean when it comes to privacy. And as we know, there's so many different requirements, depending upon what regulation you're talking about, that can't necessarily be normalized. So we're starting with what does a privacy program look like, and we're leveraging things such as ISO, NIST and HIPAA as the baseline authoritative sources to build that certification. More to come in Q2 of next year. But we will have a brand new full privacy program that's focused on privacy assessments and certifications, stand alone or in conjunction with security assessments and certifications, that the market will begin to leverage and utilize starting in Q2 of next year. 

Brian Selfridge: [00:48:43] We're very excited about that. Keep an eye on it as that rolls out, and we want to have you back on and tell us all about that when it comes out. But I want to touch on one, at least one last topic here as we're coming, coming a little short on time, unfortunately. And talk about one new announcement, another new announcement from HITRUST, you guys are busy, which is great for everybody, in this whole results distribution system or RDS platform solution. Can you tell us a little bit about what that one's all about and what we're trying to do there? 

Michael Parisi: [00:49:13] Yeah, this one's interesting, Brian. When I talk about definitely trying to buck the trend and think outside the box. So again, we're trying to get away from this concept of just thinking about HITRUST assessments. As you can tell, when we talk about the HITRUST i1, when we talk about the basic, we're talking about the assurance continuum more broadly, looking at all the assessments out there and identifying the market need. With RDS, as you mentioned, referred to as the results distribution system, we're trying to solve for the following business issues around sharing assurances more broadly, and they include the fact that sharing assurances in today's day and age is often inefficient due to the methods that we have. Let's face it, we're still pushing paper around even though everything's electronic, and all of these reports are usually protected PDF reports; it's manually intensive to email them. Once I receive them, I've got to actually read them. Where do I go within these reports to understand what I quote unquote care about? What you care about might be different than what I care about, and for those elements, those data elements that I care about, now I've got to extract them just in order to interact with them and use them to make better informed decisions, right? So it's very manually intensive and it's inefficient. Authenticity, authenticity of assurance reports. You know, it's funny, back when you were at where you see know, I mean, I remember 20 years ago, you would never think of an assurance report or a SOC report being shared that wasn't authentic. 

Michael Parisi: [00:50:53] Are you kidding me? This is coming from some of the largest professional services firms in the world. When you get that, it's kind of like getting a set of financial statements. It's signed by a financial statement auditor and saying, Well, oh, well, maybe those are fake. What's so interesting is that we're seeing a movement in a trend where some organizations are actually producing and sharing reports that are fictitious. They're not true. They figured out a way to pull the wool over the eyes of relying parties or those making decisions to contract for new business who don't do the legwork on their side to ensure that it's actually authentic. So what if you can solve for that through a mechanism of sharing assurances that are automatically authenticated through, say, a portal or through a digital badge or through a QR code? Right. Requesting assurances has also become, you know, mind-bogglingly inefficient. What do you ask for? Do I really want to ask for this full report when I really only care about these three different data elements, et cetera, et cetera, et cetera. So what we've tried to do with RDS, which will also be launching in Q1, and we're starting with just HITRUST assessments because, let's face it, that's what we do, right? And we know the ins and outs of those assessments. So every organization that has a HITRUST assessment will have access to the RDS module. So it is a new module and there's going to be varying levels of functionality. We're starting with a basic module, if you will, that every organization will have access to.

Michael Parisi: [00:52:33] And the idea is to address and eliminate these things of what can go wrong: expired reports, sharing the wrong report, no visibility in terms of who actually gets that report and where it's going, copy and paste errors of taking data elements out of those assurance reports and putting them into a VRM tool or a GRC system, having outdated reports, being able to validate that the auditor actually executed the report, misunderstanding overall conclusions, not being able to find the relevant data elements, the complexity of the reports. All these non-value-added activities throughout the process are what's really distracting these relying parties and individuals focused on managing risk from doing their job more efficiently, more effectively. So although we're not looking to quote unquote kill the PDF, it's kind of like hashtag kill the assurance report and move toward an assurance results mindset. That is really what we're trying to do; at the end of the day, it's the results that we care about, and we want to be able to share those more seamlessly, track what's being shared, what's being consumed, and consume those more efficiently, whether we are an assessed entity or a relying party. So more to come on that. But we think it's really going to buck the trend in the market, and the vision in the future is how can we continue to build out this results distribution system so organizations can share any type of assurances they have within their organization with any stakeholders where, where relevant? 

Brian Selfridge: [00:54:28] Fantastic, it's really exciting to see all these movements and innovations, and we can't wait to see as these things roll out and get adoption and work with our own customer base and listeners in this case to learn more over time. So with that, I want to thank you so much, Michael, for joining us today. My guest has been Michael Parisi from HITRUST for a fantastic conversation on all these innovations that HITRUST is undergoing and the market in general as things shift and the threats and risks continue to escalate. So, Michael, thank you so much for taking the time to be here with us today. 

Michael Parisi: [00:54:59] It's great. Thank you very much, Brian. Ok. 

Brian Selfridge: [00:55:13] Again, I would like to thank my guest, Michael Parisi, from HITRUST for sharing his insights on all of these new innovations and evolutions of security certifications and assurance models available for healthcare entities today and going forward. There's a lot of great information to digest here. I'm looking forward to continuing the dialogue with HITRUST as they deploy these new models and help drive down risk and cost for cybersecurity assurances across the healthcare industry. 

As always, we'd like to hear your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you'd like to hear about or a thought leader you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of the CyberPHIx, and we look forward to having you join us for another session coming up soon.