Takeaways From The HITRUST Community Extension Program San Francisco

by Tyler Dornenburg

Last Thursday I attended the HITRUST Community Extension Program at the Salesforce tower in San Francisco. I was invited to the event by Michael Parisi, VP, Assurance Strategy & Community Development at HITRUST.

If you went to the HITRUST annual conference, you’ll know Mike as the guy who led just about every keynote panel; he has also been a good friend of Paubox throughout our HITRUST journey and helped champion us into the RightStart Program.

Much of the 4-hour session was an open discussion on the lessons, strategies, best practices, and (spoiler alert) the extensive challenges of implementing an enterprise risk management program.

In a room of roughly 30-40 security and privacy professionals, it was clear to me as a relative outsider (that is to say, someone who has not spent my career up to this point enforcing security and privacy policy) that this group was hungry for solutions.

As the cohost of the event, PwC has been fielding these concerns for years, and it seemed to me that they had found a partner in providing strategic guidance as a certified HITRUST assessor firm.

There was one main point that kept coming up in a couple of formats – “Our company needs to get HITRUST for [insert strategic / business / non-security related reason], but I don’t want to spend the budget and get a certification for the sake of a certification. Is this framework really worth the effort?”

Fair question.

We similarly started our HITRUST journey when a Fortune 50 came knocking and we wanted to win that deal.

  • Is the deal off the table? Yes.
  • Did we do our diligence and decide HITRUST was a highly strategic decision for our company? Yes.
  • Did we have the same question when we were vetting it out? Yes.

Here’s the conclusion we reached: while there are many enormous benefits once your company achieves its HITRUST certification, the biggest one is still the core competency of the certification – a validated security and privacy infrastructure.

The shiny logo on your sales deck is icing on the cake for a program that prides itself on focusing on assessing risks and then implementing the correct controls, not just implementing controls for the sake of achieving compliance with some arbitrary framework.

These are real risks, updated regularly, with real controls to keep your business secure.

In our opinion, with the number of industry leaders (in healthcare and beyond) that are adopting the HITRUST CSF, the day is quickly approaching when HITRUST will be a requirement to sit at the table.

More importantly, it may just provide the answers you’ve been looking for to validate your security standards.