A Uniform Approach to Sharing Assurances and Other Certifications
Paddy Padmanabhan: So we’ve talked about what HITRUST certification means. And you know, the overall picture in terms of why it’s becoming more and more important.
So, obviously the next question and how difficult is it for a company to achieve their very first assurance or certification?
I’m wondering, Brian, if you want to, if you want to take that one off, because Brian, I know you consult with a lot of firms who are looking to get certified, and surely his assurances, right.
Brian Kline: Okay, of course. I mean, it’s a loaded question on how difficult it is. I mean, there’s obviously a lot of factors, a lot of scoping that goes into it.
But every single organization probably has a lot of the same, same questions or same issues that they’re gonna face. is they’re buying from leadership, are they going to provide all the needed resources to meet the standard? What’s the current maturity of the security program? Are they open to making changes? Is there a lot of red tapes to actually change policies and new technology? Of course, one of the biggest things is what standard Are you actually or certification you’re trying to achieve?
For instance, if you’re going after HITRUST, generally, there’s a lot more work that needs to be done than going for, say, ISO 2701. A lot of that goes back to what Michael had said earlier on, the SS ones report many, where some of your other certifications or assurances are focused in one area where HITRUST covers an umbrella. And we, you know, kind of aligned with our lot of our clients there.
But the difficulty, the biggest difficulty that I see from being on the right-hand side is the scope creep. As I mentioned, there are different certifications. And then there’s also just nice security practices that companies want to do or boards don’t want to do that don’t really adhere to any particular certification.
And so there’s just this constant scope creep of want to add this, I want to add that I want to add this, I’m gonna do some ISO 27, along with sprint, one incident GDPR, sprinkling in some HITRUST, and it just gets it gets unmanageable. So with any scope creep project, it becomes unruly timewise and resource-wise. So the difficulty really is as strong as your program management skills.
As we’ve talked about big the entire day is matures. The certification lets you know, all be on the same page of we’re trying to be certified. I care about security, but that is just kind of throwing darts at dartboard certifications. I love them, because of the black and white standard. Is there. Just run down there. Yes, no, yes, no. Can I do this? So to try to avoid any of that, that scope creeps. So project management is the I would say the difficult part, Patti, to you know, on how difficult it is for a client to get certified.
Paddy Padmanabhan: Howard, are you still with us?
Howard Rosen: Yes, I still am.
Paddy Padmanabhan: Yep. Would you like to take that on? What’s your perspective on the long does it take a lot of difficulties that, you know, comment on that?
Howard Rosen: Not to find a point, but I did have hair at the beginning of the process, we got a first HITRUST in terms of it’s it. And I think Brian said it is a management commitment to go through the process. And not in terms of technology is there but it is a project resource required to do it properly.
Because there’s a lot of elements to it, especially going for the first time it’s very extensive, and a lot of pieces to that. And it was really more an exercise and started gathering a lot of information like in terms of it’s it’s not hard if you sort of done it right and understood from the development of the product or the platform in our particular case that your security was opposed to begin with. So it was not as much going oh my god, we didn’t do this. It was just more frankly, it was more the documentation of it.
And the process involved. It was still a long process. I think for us, it was still a good 18 months, probably on the first run, just to go through it all like now in terms of the annual renewals, it’s much more straightforward. But especially for that first time because there’s just a lot of pieces to it and it’s like undoing an onion, you start religions more and more levels that you’ve got to go through.
To be honest, what’s really helpful is making sure you’ve got good auditors to work with. That made a huge difference for us as well. We did a lot of researches to the various auditors and I think the auditors make a big, big difference in going through the screen and going through it all, especially the initial assessment so you have an idea of really what you’re going to be dealing with.
But yes, it is a commitment and there is a group of us who have you know, survivors of our first HITRUST audit that get together on a regular basis and we tell stories.
Michael Parisi: Yeah. So I’ve got a unique perspective, obviously, I’m with HITRUST. But you know, prior to being here, I was actually I ran the HITRUST practice for PwC. globally.
Everything in anything HITRUST related. So I’ve been in Brian, right as an assessor as a consultant for many different years. So I look at it through two different lenses.
A good friend of mine who works for an assessor organization, the way that he describes HITRUST is it’s a significant emotional event. And I think that that probably aligns to what Howard was talking about, right? Or is that the first time through and when you break that down, not to get philosophical here for a second, but I think it’s actually a really good way to describe it, it doesn’t mean it’s all doom and gloom.
And the reason being is that I think it forces collaboration within organizations doesn’t matter what size it is, across different stakeholder groups that you traditionally want to get through other compliance or assurance-related activities, right by design.
So if you’re having to do a quote-unquote, HIPAA assessment, maybe there’s a HIPAA officer, a lot of times, it’s just owned by privacy, with maybe thrown a few things over the fence to security, but it’s very siloed. Right?
If you’re doing something like a sock report, a lot of times that may be in the finance realm, if it’s a sock one, if it’s a sock two, obviously, it would be with information security, but something what a certification effort does for an organization, it has been one of those is, I think it breaks down those barriers and brings people together as quirky as that sounds.
And to really address that the common goal of achieving the certification. The other thing that that does, is I think it helps organizations identify areas of duplication that exists within their own organization as it relates to compliance-related activities. It doesn’t mean it’s easy.
Frankly, it’s not designed to be easy. And I think Howard, you know, really said it best, which is, this is not a one-time activity. If you’re going to do this, right, you need to feed it, you need to water it, you need to nurture it for a period of time. And you see that as foundational components to our own programs, right? I mean, our framework is always changing. And we get a lot of complaints. Why are you guys releasing another update?
But we weren’t doing that we want to be relevant. The threat landscape is constantly changing. The underlying authoritative sources are constantly changing. When’s the last time Mr. ISO was updated, right to be relevant, if you will, that’s something that we really take seriously and to heart.
No other things that I think are important to note as to why it may be more difficult than other certifications is because there are different data sets that you’re prior to providing transparency over. So if you look at this concept of the prism of the scoring model that gives you additional transparency into the maturity of your programs that you don’t get through other assurance mechanisms, right.
For example, sack report, it’s either exception noted, no exception, notice very black. What we do through our Prisma scoring model is to give credit for aspects of, for example, measuring and monitoring programs.
One of the questions I had come up was around, for example, a bug bounty program, right, so what are you doing around bug bounty, we actually have a lot of organizations that have bug bounty programs in place, and that’s a good indication that they are measuring and managing their programs overall from a maturity perspective, right? Something that we support within the marketplace.
So I think there’s there’s a lot to consider. When you determine what certification path you’re going to go down. But again, I go back to assess once report many if you’re going to make an investment, do it across the organization try and satisfy as many demands that you have all at once.
Watch every minute of this session here.
Learn more about Paubox Spring Summit, Secure Communication During a Pandemic.
Read a full recap of Paubox Spring Summit.
About Paddy Padmanabhan
Paddy Padmanabhan is the founder and CEO of Damo Consulting, a growth strategy and digital transformation advisory firm that works with healthcare enterprises and global technology companies. He is the host of The Big Unlock, a podcast focusing on healthcare digital transformation, and author of the book, The Big Unlock: Harnessing Data and Growing Digital Health Businesses in a Value-Based Era.
About Michael Parisi
Michael Parisi is the vice president of business development & adoption at HITRUST. He’s a seasoned information security and privacy industry professional. He has served as a lead healthcare industry expert, a national healthcare third-party assurance specialist, and the national HITRUST services lead for PricewaterhouseCoopers.
About Michael Mead
Michael Mead, BCPA, is the chief operations officer for The Medical Cost Savings Solution, where in just the past three years he has led the effort to save self-pay patients over $1.5 billion in their medical expenses. Before joining MCS, he led top Medicare Advantage programs in the reorganization and the implementation of new systems.
About Howard Rosen
Howard is the strategic and visionary leader of LifeWIRE, which he invented and developed as a patented population management communication platform that humanizes digital communication through personalized, responsive interactions between parties like healthcare providers and patients.
About Brian Kline
Brian Kline is the compliance and standards lead for Webb Adams — a veteran-owned business composed of cybersecurity and policy professionals well-versed in designing and managing security, privacy, and compliance programs. Kline is passionate about helping clients meet compliance standards and preparing them for industry certifications and attestations such as HITRUST, HIPAA/HITECH, SOC 2, GDPR, and ISO 27001.
Learn more about these panelists.