by Hoala Greevy Founder CEO of Paubox
Article filed in

HITRUST CSF Gap Analysis for a Silicon Valley Startup

by Hoala Greevy Founder CEO of Paubox

HITRUST CSF Gap Analysis for a Startup - Tyler "Commish" Dornenburg & Jeff Pochily
Tyler Dornenburg reviewing the HITRUST CSF Portal with Jeff Pochily

As part of our journey on the HITRUST RightStart program, Jeff Pochily visited our office in San Francisco today.

The RightStart program is aimed at giving start-ups the tools needed to make information security and compliance easier to establish and manage. The newly introduced program helps startups like us accelerate adoption of the most comprehensive risk management, compliance, privacy and security suite of services in the marketplace.

Jeff Pochily is an Information Security Auditor at KirkpatrickPrice LLC and is our HITRUST assessor. He’ll be with us for the next three days as we get a handle on HITRUST.

HITRUST CSF Gap Analysis Takeaways

HITRUST CSF Gap Analysis for a Startup - Jeff Pochily
Jeff Pochily pointing us in the right direction for HITRUST

Here are some of my takeaways from our first day with Jeff Pochily.

  • There are approximately 320 control statements to be addressed
  • Document everything
  • “How do your vendors demonstrate HIPAA compliance?”
  • What is in HITRUST scope for Paubox?
  • Where is the data stored? Where is it processed? What systems transmit data?
  • Anything that affects the security of the system is in scope
  • What kinds of risk assessments have been done so far? Have they been scored?
  • The word formal is another way of saying documented
  • Asked about Change Management: What’s in place? How are changes managed?
  • Covered CIS 20 Critical Controls
  • In case you need to deal with it, make sure you know where the data is

About HITRUST

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.

In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.