May 9, 2022
If your company is considering a third-party cyber security certification, you already know it is a daunting task, and you may have more questions than answers. Which certification carries the most weight in my industry? What is the first step in selecting an external assessor or auditor? Whatever the answers, the road to certification is long, and one size does not fit all.
When hc1® began evaluating certifications, we researched the major cyber security frameworks and attestation standards (e.g., NIST, HIPAA, ISO, SOC 2, and HITRUST), weighing the benefits, time, and cost of each. After comparing the options, we chose the HITRUST (Health Information Trust Alliance) framework. In December 2021, the hc1 Platform®, along with the hc1 corporate headquarters in Indianapolis, earned HITRUST Risk-based, 2-Year (r2) certification for information security.
The path to certification was not easy; it began in 2020 and took more than a year. That is not because hc1 lacked a best-in-class solution or industry best practices when we started; we already had both. The time reflects the depth of the r2 assessment itself.
The hc1 Platform is purpose-built for healthcare and is built on and hosted by Amazon Web Services. Protecting our clients' data is hc1's number one priority, and that priority is why we sought HITRUST certification. Not just any HITRUST certification, either, but the risk-based, 2-year (r2) validated assessment, the tailored assessment that provides the highest level of assurance an organization can earn from HITRUST. We decided to jump in feet first and go for the most stringent certification HITRUST offers, because that is how hc1 operates: we face a challenge head-on and play to win.
We also selected HITRUST because its framework harmonizes numerous security and privacy regulations, standards, and frameworks, including NIST and HIPAA, into a single certifiable set of controls.
By the time hc1 began pursuing the 2-year certification, many of the nation's top health system labs and independent labs had already selected hc1 as a trusted partner, recognizing the stringent cyber security controls hc1 had adopted. Earning HITRUST certification was the cherry on top.
The Journey
Once we decided to become HITRUST certified, we contracted a HITRUST authorized external assessor to perform an initial gap assessment of our information security program against the HITRUST framework. That assessment became the guide we used to map the hc1 information security program to the framework, which covers control areas such as vulnerability management, access control, third-party assurance, and data protection and privacy, to name a few.
With the mapping complete, we were ready to begin the validated assessment with our external assessor. It started with the arduous task of our internal team self-scoring hc1's program against more than 500 HITRUST controls. Scoring uses a weighted maturity scale: for each control, it verifies 1) that the relevant hc1 policy and process satisfy the HITRUST requirement, and 2) that the control is actually implemented as HITRUST requires. Having a written policy alone does not earn full credit.
The next step was 12 weeks of interviews and documentation review with our external assessor. Once those were complete, the external assessor independently scored all 500+ controls, reviewing hc1's self-scoring against the evidence gathered. When the assessor's scoring was finished, the validated assessment was submitted to HITRUST for its quality assurance review, which confirms that the external assessor followed HITRUST's assessment methodology before a certification is issued.
What does it take?
In our experience, becoming HITRUST certified takes six things:
- A clear goal
- An accountable leader
- A committed team
- A well-thought-out project plan
- Focus
- Persistence
The process is complex and time-consuming. However, if you adopt the six points above and start from a strong information security program, as hc1 did before HITRUST, the process will be far easier to manage as you pursue certification.
Visit HITRUST Risk-based, 2-year Certification to learn more about hc1’s HITRUST certification.