Cloudticity Oxygen Compliance - A New HITRUST Audit Experience

| Author , tagged in Technical Articles, Healthcare Industry, About Cloudticity, Compliance, Security, Encryption, HITRUST, Cloudticity, Healthcare, audit
Cloudticity, L.L.C.

Now that you are acquainted with HITRUST and have chosen to continue your journey, I want to thank you again for being proactive! If this is your first compliance series post, please start below:

  • If you are new to HITRUST, start here.
    • To get a complete picture of the HITRUST Maturity Model and get some helpful tips from Cloudticity's experience, read this blog post.
  • If you need more information on Cloudticity Oxygen, start here.
    • Interested in how Cloudticity Oxygen alerts map to HITRUST? Check out this blog post.

For everyone else, each month we (usually) look into at least one Cloudticity Oxygen service or feature, focusing on how it helps achieve HITRUST controls. This month is slightly different! Our last full HITRUST audit happened in 2017; we have now begun our updated full HITRUST audit based on a substantially updated set of controls, thus we want to share our new experience with you. Stay tuned next month for more Cloudticity Oxygen services or experiences.

HITRUST Audit 2019 - A Completely New Experience

In 2017, we completed our first HITRUST audit. At that time, we did not process or store sensitive information and we did not have explicit regulatory requirement needs, so we originally attested to 164 controls. This process was slightly painful because we did not have policies and procedures at the time we started the audit. In a very short amount of time (3 days), because we had a small, agile team of highly effective personnel, we were able to create our policies and procedures based on the way we conducted our business. We were also able to work hand-in-hand with our auditors to complete evidence requests and explanations for the required controls in short order. Overall, this was a stressful, but good experience.

In 2018, we completed our interim audit. This was a ridiculously simple process where we verified that we were still performing on the controls audited in 2017 by attesting to a very small subset of them.

Now it's 2019 and everything has changed. We added over 300 required controls due to updated requirements from HITRUST, a change in the regulatory controls we need to attest to, and our desire for our Oxygen product to be HITRUST certified for full inheritance on as many controls as possible. Not only have these 300 controls added a significant amount of time to our audit, but the audit itself changed to be much more stringent. HITRUST recently modified their auditing guidelines to require a much higher quality of evidence and increased the number of evidence samples necessary for many of the controls. This created an interesting scenario where the evidence supplied in 2017 is no longer relevant, meaning we are providing attestation from scratch on all 426 controls.

We are now in the middle of our evidence collection, with about 80 controls left to provide evidence for, and things are going smooth. After learning (in 2017) that this audit is very time consuming, we hired another vendor to help us with our evidence gathering and explanation writing needs. This has been a wonderful, although costly, experience that is highly recommended. This has given us time to, over the last couple of months, map the HITRUST controls to our managed services, professional services, and internal workflows to get an idea of the value Oxygen provides.

We are excited to provide some real numbers based on an analysis of the controls we attest to and based on the controls many of our customers attest to. Without further ado, we help our customers attest to approximately 37% of controls. This means a rough savings for an organization of our size, based on 30 minutes per control, of 78.5 hours of evidence collection and writing explanations. There is also an implementation savings that is impossible to calculate, for the cases where a requirement is not yet implemented.

We knew our products and services were valuable, but this truly helps solidify how much! Let us know if you're going through, or about to enter, a HITRUST audit and how we can help you achieve success.


Meet MagicBox:


When it comes to obtaining a HITRUST certification, you wish there was a better way. So we created one. Meet MagicBox, the brainchild of two of the leading innovators in the healthcare information security space: Cloudticity and BEYOND, LLC. MagicBox is the first and only end-to-end HITRUST solution on AWS.

MagicBox reinvents the certification process, using the breakthrough integration of Cloud-driven technology with one-to-one expert guidance, significantly reducing time and creating efficiencies that will allow you to obtain your certification with a 100% success rate. For more information, check out our thoughts on the importance of compliance and visit to contact us.


Stay tuned while Cloudticity continues to innovate on forward thinking ways to approach compliance. In the meantime, visit us on the web, or leverage our free, fully automated HIPAA technical assessment as a great way to chart your path toward HIPAA compliance.

 Meet MagicBox What's in the box?

Get On The Fast Track To HITRUST

TAGGED: Technical Articles Healthcare Industry About Cloudticity Compliance Security Encryption HITRUST Cloudticity Healthcare audit

Subscribe Today

Get notified with product release updates and industry news.