PDHI Proves IT Security Posture to Clients by Leveraging HITRUST CSF®
Lee Penn, Chief Financial Officer, PDHI
A number of years ago, key customers requested PDHI obtain a third-party attestation regarding the strength of the PDHI wellness platform’s security posture in protecting personal health information. To take on this challenge, PDHI turned to the HITRUST CSF. By leveraging the framework, PDHI can respond to client information privacy and security posture inquiries with a certification that demonstrates the organization can protect the sensitive information it processes and stores on behalf of clients. The CSF Assessment also significantly reduces the amount of time PDHI invests responding to client security audits. In addition to removing one of the major roadblocks in the sales process (e.g., proving PDHI can protect information), obtaining HITRUST CSF certification enables PDHI to significantly increase its cyber insurance coverage—without a major increase in premiums. This also serves as a key differentiator when pursuing new clients.
The Challenge: Clients Require Third-Party Attestation to Continue Business Relationship
PDHI develops and distributes a platform that enables companies to deliver workplace wellness and population health management programs. PDHI clients include wellness providers, accountable care organizations, large employers, third-party administrators, hospital systems, and health plans. The wellness solutions allow clients to focus on the delivery of program services rather than the development, security and maintenance of the supporting technology. Given the nature of its technology solutions, PDHI handles millions of records containing sensitive personal information that must remain secure at all times.
In 2013, customers in the healthcare industry, who had been long-term PDHI clients, made a similar request. They enjoyed working with PDHI and received great value from the wellness programs, but to continue doing business, these companies needed third-party, independent attestation proving that the PDHI security posture complies with regulations pertaining to the protection of personal health information.
Assuming the client requests were bound to be echoed by other clients in the future, Lee Penn, who oversees finance and compliance for PDHI, realized the company needed to prepare if it wanted to continue providing services to the healthcare industry—a key industry vertical for PDHI.
“Prior to this time, when clients wanted to validate our IT security measures, they asked us to fill out an extensive questionnaire and would come onsite for a one-day or two-day visit,” Penn says. “They asked a lot of questions and took up a considerable amount of our time.”
PDHI is a small company with about 25 employees. The questionnaires are often long, undergoing security audits with every client annually was a drain on internal resources, and Penn and his team had to spend additional time reacting to each client’s request for additional security measures. Every year, clients would present new issues that PDHI needed to address.
The Solution: HITRUST CSF Proves Security Posture and Reduces Audit Response Times
The companies requesting the third-party attestation recommended that PDHI investigate the HITRUST CSF and its assessment capabilities.
“They trusted that passing HITRUST CSF certification would ensure we properly protect PHI when processing and storing the information of their end-users,” says Penn.
The only other attestation PDHI had previously considered was SOC 2, but Penn says SOC 2 did not meet PDHI’s needs or those of its customers. He says HITRUST offered a set of specifics the company could strive to attain, giving PDHI a clear sense of what it needed to do in order to meet privacy and security standards.
The HITRUST CSF and CSF Assessment enable organizations of any size—from small supplier businesses to large organizations—to address the challenge of complying with the multitude of federal, state and industry regulations, standards and frameworks pertaining to information security—both on-premises and in the cloud. By incorporating a risk-based approach, the HITRUST CSF provides a comprehensive and flexible framework of security controls that:
- Harmonizes and cross-references globally-recognized standards, regulations and business requirements – including ISO, NIST, PCI, GDPR, HIPAA and various state laws;
- Scales controls according to organizational type, size and complexity;
- Provides prescriptive requirements to ensure clarity;
- Offers multiple implementation requirement levels as determined by specific risk thresholds;
- Allows for the application of compensating controls when necessary;
- Evolves according to user input as well as changing industry and regulatory conditions.
Based on the strength of the HITRUST CSF, PDHI contacted HITRUST to get the assessment and certification processes started. HITRUST provides a list of approved CSF assessors. From that list, PDHI selected a firm that was willing to teach PDHI about security compliance as well as assess the PDHI environment.
“The assessors apply an educational mindset; if you take the time and create the gap analysis and mitigation plan, you can improve your security posture better over time so that as you introduce new applications, you’re better prepared to get certified,” says Penn.
After educating PDHI on the HITRUST CSF, the assessor worked with Penn and his team to perform a gap analysis. PDHI then mitigated the gaps before going through the formal assessment, which resulted in no corrective action plans being needed, thereby demonstrating to clients that PDHI takes information security seriously and knows what it takes to deploy and manage secure IT systems.
“The entire process took about a year,” says Penn. “We worked with our clients to set a target deadline, and we gave ourselves enough time to properly adjust our business processes according to the CSF. We knew we couldn’t simply ‘check the box’ for HITRUST CSF certification; we also wanted to learn how to apply controls to new services that we will develop in the future so that our applications can launch initially with certification.”
Looking back on the process, Penn says that the HITRUST CSF is now embedded in the organization’s culture.
“It’s ideal for small companies without in-house security expertise. It costs a lot to hire consultants to analyze and mitigate security gaps, but HITRUST makes it possible to do most of the mitigation on your own and just have a consultant check your work.”
The Results: Sales Roadblock Removed; Cyber Insurance Costs Lowered
Penn says that one of the key benefits of earning HITRUST certification is that it quickly removes the initial roadblock that prospects and clients usually raise first: they want to know whether PDHI will protect patient information.
“The concern over protecting information has risen greatly in recent years as more and more security breaches are publicized in the news,” says Penn. “Our HITRUST (CSF certification), attesting to the strength of our security posture, immediately resolves that concern with prospects who have heard about HITRUST. They know it’s legit, and we can then move onto the conversation about the value that our services provide.”
For prospects that have not heard of the HITRUST CSF, PDHI is able to quickly demonstrate the validity of the HITRUST CSF certification.
“The report itself is comprehensive,” says Penn. “And HITRUST provides a guide for how to interpret the report, so our prospects can quickly discern the results.”
Upon completing the initial HITRUST CSF certification, PDHI sent the report to all of its clients, and it now avoids the need to fill out questionnaires every time a new client comes on board.
“Initially, we were ahead of the industry in adopting HITRUST, so it took a little selling to convince clients that the CSF is the only proof they need,” Penn says. “But since then, it has become easier as the industry is now more familiar with HITRUST and broadly accepts the validity of CSF certification.”
PDHI now leverages the HITRUST CSF certification as a differentiator of its services. The certification logo appears prominently on the company’s website as well as on marketing collateral and sales presentations.
“A seasoned IT person will understand what HITRUST certification means,” says Penn. “The client stakeholders we work with directly can just turn the report over to their IT team, and the validity of our security posture is accepted.”
The certification has also played a key role in reducing the cost of cyber insurance for PDHI while increasing coverage limits.
“We have a credential in hand that we can present to our broker that proves the strength of our security posture,” Penn says. “When we first showed them the report, they agreed to double our coverage limits without adding significantly to our premiums. Carrying more coverage is a big plus in the eyes of our clients.”
A Security Credential for Clients and a Guide for the Internal Security Team
Many of the requests for proposals (RFPs) Penn sees today include a reference to the HITRUST CSF, and certification allows an applying vendor to easily pass the client’s security requirements.
When PDHI receives annual security review requests from clients, the organization simply presents the latest HITRUST report and perhaps answers a few clarifying questions.
“That’s all we have to do until we add new services for a client,” Penn says. “Instead of spending time answering audits and meeting with clients in person to prove our security, we can focus more time on new technologies that will improve the performance of our wellness platform and meet the requirements of the HITRUST CSF. We can also look ahead to future versions of our platform, identify where there will be security gaps, and plan how to close them. It’s the same thing we do with our application features and user interfaces—security gets built in from the beginning and is fundamental to how we build our applications.”
For other companies considering security attestation, Penn says HITRUST certification is not meant for a company that just wants to get something done and put some certification logo at the bottom of their website; it’s meant to demonstrate an organization has a comprehensive information risk management and compliance program.
“You need to take the time to prepare, but once it’s in place, you’ve got a powerful tool, and you will improve your security over time as you launch new applications and systems. It’s a certification (credential) for your clients and a guide for your internal IT security team.”