A Uniform Approach to Sharing Assurances and Other Certifications
Paddy Padmanabhan: What would you say is the first step for an organization to receive a certification? And I actually want to tack on one of my own questions to that.
First of all, does a HITRUST certification, or some kind of assurance, become necessary if, and only if, you're handling certain kinds of data? In other words, PHI data in the context of healthcare. What if you're not handling PHI? What if you're not working with what is considered, you know, under the purview of HIPAA? For instance, there's a lot of business data and information that doesn't come under its purview. So what's the initial question or starting point, before anyone starts going down the path of saying, okay, I need a certification?
Michael Parisi: So, Brian, maybe you could start first.
Brian Kline: Yeah. Okay. So requirements analysis. I mean, kind of blending in some of the things you were just saying, Paddy: who are my stakeholders? What are they actually looking for? So when you go down the certification path, why am I going down a certain certification path? Is it for a certain client that I'm trying to secure? Is it to try to be that differentiator? And do we have a privacy officer? Are there any other kinds of compliance pieces? Do I need to have that HIPAA piece in there? Does GDPR apply? Is there NERC for some of the energy-type things, or government contracts?
So I would really do that requirements analysis; otherwise, you're just kind of really throwing money at the wall. And then immediately following that is pretty much a gap analysis of where the company is currently at and where it needs to be, so you can really lay out that plan of action and milestones. Maybe it's gonna take you a year, maybe it's gonna take you two years to achieve whatever certification. It doesn't have to be, "I want to be HITRUST, and I've got to do it in three months." Kind of really map this out so that you're being very cost-efficient, you know, with your resources. And lastly, from the readiness side, we've had clients go through HITRUST. Of course, healthcare is a big proponent and our largest vector, but we've done manufacturing, we've done non-healthcare technology firms, some oil and gas. So it's all over the board. So it does not necessarily have to be a healthcare, HIPAA-type organization for HITRUST.
Paddy Padmanabhan: Right. Michael, do you want to add any comments on that? Where does a company start?
Michael Parisi: Yeah, sure. So I've had some thoughts. I agree with everything that Brian just said. I'll reference, you know, one of my favorite points throughout the years, for those of you familiar with the Golden Circle. You know, they talk about what we do, how we do it. But what a lot of companies fail to define is why we do what we do.
So I would answer that question: the first step is to define why, right? Why do you need it? And it dovetails back to what Brian's talking about: what are the requirements, right? Why are we throwing this out there? Are we throwing this out there because we're trying to check a box? Just because somebody is asking you for it doesn't necessarily mean you have to do it. You need to understand what all the requirements are. And then how do you leverage that investment in those efforts across the organization? I like to call it third-party assurance rationalization, right? When you look at all the different things you're being asked for, back to Brian's point around requirements: what regulators are asking me for this, what customers are asking me for this, what investors and board members are asking me for this? How do you put that all together, working with, you know, a partner, or somebody who's in professional services, like Brian, to say, all right, how do we normalize?
All right, these are the options that can help you satisfy these requirements. And then you need to have executive sponsorship. If you don't have executive sponsorship, it's going to fail, or you're going to spend much more money than is necessary. But it's hard to get the executive sponsorship if you don't have the why defined. And I think, again, you know, in the spirit of Paubox, right, which is bringing this all together here, that's a great example. I mean, the CEO of this company, Hoala, rolled up his sleeves and was in the room with the team every day working through their HITRUST certification, trying to figure out what policies we need to have in place, how do we implement these strategies within the organization. If you don't have that type of commitment at the executive level, it's going to be a non-starter right out of the gate.
Learn more about Paubox Spring Summit, Secure Communication During a Pandemic.
About Paddy Padmanabhan
Paddy Padmanabhan is the founder and CEO of Damo Consulting, a growth strategy and digital transformation advisory firm that works with healthcare enterprises and global technology companies. He is the host of The Big Unlock, a podcast focusing on healthcare digital transformation, and author of the book, The Big Unlock: Harnessing Data and Growing Digital Health Businesses in a Value-Based Era.
About Michael Parisi
Michael Parisi is the vice president of business development & adoption at HITRUST. He’s a seasoned information security and privacy industry professional. He has served as a lead healthcare industry expert, a national healthcare third-party assurance specialist, and the national HITRUST services lead for PricewaterhouseCoopers.
About Michael Mead
Michael Mead, BCPA, is the chief operations officer for The Medical Cost Savings Solution, where in just the past three years he has led the effort to save self-pay patients over $1.5 billion in their medical expenses. Before joining MCS, he led top Medicare Advantage programs in the reorganization and the implementation of new systems.
About Howard Rosen
Howard is the strategic and visionary leader of LifeWIRE, which he invented and developed as a patented population management communication platform that humanizes digital communication through personalized, responsive interactions between parties like healthcare providers and patients.
About Brian Kline
Brian Kline is the compliance and standards lead for Webb Adams — a veteran-owned business composed of cybersecurity and policy professionals well-versed in designing and managing security, privacy, and compliance programs. Kline is passionate about helping clients meet compliance standards and preparing them for industry certifications and attestations such as HITRUST, HIPAA/HITECH, SOC 2, GDPR, and ISO 27001.