HITRUST certification is many things. It’s a shortcut to securing your system against the danger of data breaches; a process for ensuring compliance with HIPAA and other regulations; and a competitive edge for your business in the increasingly crowded healthcare information space. One thing it is definitely not, however, is an easy accomplishment.
The Road To HITRUST
Currently, the HITRUST CSF (certified security framework) monitors 1,800 potential controls across multiple regulatory bodies. At the beginning of your HITRUST process your assessor will determine how many of these 1,800 controls your organization must attest to based on a risk assessment. A low risk organization, for example, would require attestation to 400 controls, while a high risk organization may require attestation to 1,000 or more.
The Challenges Of HITRUST
Two basic barriers create delays to achieving HITRUST certification.
One barrier is the sheer complexity of HITRUST, which is difficult for newcomers to navigate. Not only are there 1,800 potential controls in the framework, but these guidelines are constantly changing. Businesses must continually respond to them and update their processes – or put in place automated tools that do so for them.
Having so many controls to satisfy creates another barrier – the need for extensive resources and expert guidance. Achieving HITRUST certification without an experienced cloud partner is virtually impossible. And in terms of both time and resources, satisfying HITRUST guidelines means considerable pressure on your bottom line. Naturally, the cost of HITRUST is expensive.
The HITRUST Solution
As one of only a few HITRUST inheritance partners in the world, we created the Cloudticity HITRUST Inheritance Program. A collaboration between Cloudticity and BEYOND LLC, the program is designed to accelerate your HITRUST certification timeline by 10-50%, depending on your organizations' risk profile. In order to understand how the program works we must first understand inheritable controls and how they help.
Understanding Inheritable Controls
Many healthcare organizations are choosing to move to public clouds like Amazon Web Services (AWS) and Microsoft Azure in pursuit of a faster, easier HITRUST certification process. Because security and compliance in the cloud is a shared responsibility, cloud service providers (CSPs), who are also HITRUST inheritance partners, share a significant part of the load in regards to attestation to HITRUST controls. For example, one HITRUST control requires least privilege access to the data center where protected health information (PHI) is stored. When your organization doesn't own the physical infrastructure it can't be responsible for this control. Instead, your organization inherits attestation to this control via the CSP.
Along with inheritable controls there are also shared controls which are partially inheritable. For example, one control states that you must have anti-malware or anti-spyware deployed on end-user devices. The CSP is responsible for installing endpoint security on the services it delivers while your organization is responsible for this control in regards to its own endpoints, so you partially inherit this control from the CSP.
Another way you inherit controls from your CSP is via automation. For example, one control states that keys must be rotated every 90 days. The CSPs have automated this control so that all of their users rotate their keys on schedule. Because of this automation, by signing up with AWS or Azure you automatically partially inherit this control.
How Cloudticity HITRUST Inheritance Program Works
When you purchase your AWS or Azure services through Cloudticity you get access to even more inheritable and partially inheritable HITRUST controls – 357 to be exact. This is because Cloudticity has automated 357 HITRUST controls that are shared with the client through the MSP relationship, and this number continues to grow. In fact, many of our clients seek out our managed services in order to reap the benefits of our HITRUST Inheritance Program, which shortens the HITRUST journey by approximately 150-257 hours of work, depending on your individual company's risk profile.
Along with HITRUST inheritance, partnering with Cloudticity provides managed services, managed security, and managed compliance services alongside an always-on help desk and virtual security operations center. This allows our customers to allocate their IT bandwidth towards activities that drive business growth and value for customers, like innovation and product development, rather than redundant operations and security.
A Partner For The Whole Journey
When you enroll in the program, the HITRUST experts at BEYOND LLC will work with you to determine how many controls you must attest to and provide one-on-one guidance to ensure you meet those requirements in a timely manner. With the Cloudticity HITRUST Inheritance Program, you're never on your own to navigate the complex and often convoluted terrain of HITRUST. We partner with you for the whole journey in order to provide the knowledge and tools necessary to ensure you don't make mistakes, get stuck, or need to backtrack.
Accelerate Your Path To HITRUST
To learn more about how the Cloudticity HITRUST Inheritance Program download the free white paper. Or schedule a free consultation to learn how you can work with us to make your HITRUST dreams a reality.