HITRUST Certification Empowers MX2 Technology Executive IT Leadership Solutions
Small and mid-sized businesses (SMBs) face similar cybersecurity threats to those of large enterprises, with far less in-house IT expertise. At the same time, the consequences of a ransomware attack or data security breach are arguably greater for smaller organizations: It’s not uncommon that the threat is existential. The IT security industry estimates more than half of small businesses that fall victim to cyberattacks either enter bankruptcy or close their doors within six months. Keep in mind that SMBs are also subject to meeting their industry’s data security compliance requirements – IT resource limitations notwithstanding.
It’s fair to say that most small businesses need outside experts to ensure not only the baseline security of their networks and data handling, but also how to best leverage their IT environment and investments to support their goals – experts like those at MX2 Technology, Inc.
The San Jose, California-based executive IT leadership firm was established in 2005 to provide owners and operators of small and mid-sized organizations with expertise, insights, and options to protect and grow their businesses.
SMB Compliance Spotlight: HIPAA and CMMC
The two main verticals MX2 serves are healthcare and the defense industrial base (DIB). The data security and compliance challenges in healthcare are well known – HIPAA standards have been in place for a long while now, and the need to secure personally identifiable information and health record data is clear.
Probably less well-known are the compliance requirements facing contractors within the DIB. In short, any business that contracts with the Department of Defense or its supply chain is required to meet the demands of the Cybersecurity Maturity Model Certification program. The overwhelming majority of businesses in the DIB are small or mid-sized. Based on the type of data they receive, contractors will either need to attest to their compliance annually or be certified and regularly recertified by a third-party organization.
“The stakes are high for our existing and prospective DIB clients,” said Divyash Patel, founder of MX2. “Without compliance, they will be effectively shut out of the marketplace.”
Well before the 2.0 version of compliance standards were set, contractors were receiving questionnaires from downstream vendors or insurance companies asking them to prove their level of cybersecurity, and many of them simply did not have the depth of knowledge necessary to do it on their own.
Walking the Talk: Why MX2 Technology Chose HITRUST Certification
MX2 Technology wanted to show the world that it was not just another managed IT service provider. It is one thing to be able to stand up a robust on-premises or virtual IT environment, but it is another to maintain and support it properly from a security and compliance standpoint.
MX2 wanted to offer solutions based on a credible, well- respected, evidence-based framework, and HITRUST was the obvious – or perhaps not so obvious – choice. The HITRUST CSF Framework is used by some of the largest and most sophisticated enterprises in the world, but MX2 was truly a small business with less than a dozen staff at the time.
“MX2 chose HITRUST because it is the gold standard of information protection assurances,” Divyash Patel, CEO said. “We wanted to know we were following the most rigorous processes and procedures ourselves, both because it is the right thing to do and because we wanted our clients to know they could trust our experience. Being HITRUST Certified offers a tremendous degree of credibility.”
The reason for that credibility is coded into the HITRUST DNA. It brings together some of the most stringent and exacting standards – FDA/CFR, HIPAA, ISO, NIST, and more – and builds a framework that contains and exceeds them individually. We serve a diverse group of clients and our experience with HITRUST has been beneficial to all of them.”
Meeting HITRUST Certification standards is a significant undertaking for any organization, but perhaps especially for a small business like MX2 Technology. MX2 enlisted the help of ecfirst, a leading provider of information security assessment services with a long history of guiding its clients to successful HITRUST Certifications.
“It was a rigorous process, which lends credibility,” Patel said. “Our entire team benefited from being deeply involved in thinking through how we operate. We became a more capable and unified firm. Under ecfirst’s guidance, MX2 analyzed, redeveloped, and implemented policies, procedures, and systems that met HITRUST requirements. The experience we had working with ecfirst was excellent,” Patel says.
How HITRUST Certification Empowers MX2 Technology and Its Clients
HITRUST Certification has improved MX2 Technology as an executive IT consultancy and as a provider of IaaS. “We built our cloud-based virtual infrastructure service, the MX2 Platform, on the foundation of HITRUST Certification. We’ve been very successful in migrating the majority of our clients to our platform, which offers them a full and secure virtualized environment – from servers to desktop and mobile devices – supported by well-trained people, using certified policies and procedures.”
HITRUST CSF Highlights
- Protects PHI, PII, and digital assets from cyber-criminals
- Proves attestation to regulations pertaining to sensitive information and digital assets
- Generates one report that demonstrates to all customers that their data is secure
- Reduces the cost and time spent by IT on compliance audits requested by customers
- Provides a framework to measure the security and compliance postures of partners
- Raises the level of awareness of security and compliance importance across the company
HITRUST Certification Highlights
- The gold standard in providing responsible assurances for information risk management and compliance.
- Provides a competitive advantage for strengthening existing business relationships and earning new business partnerships.
- HITRUST Validated Assessment + Certification can help justify a reduction in cyber insurance premiums.
- Comprehensive HITRUST Certification Report can reduce costs and effort compared to completing proprietary questionnaires, multiple assessments, and single-use assurance reports.
- Adds peace-of-mind that your organization’s data networks and IT assets are protected from intrusion and breaches.
The Business Benefits of HITRUST Certification
A recent experience by one of MX2’s clients illustrates one of the benefits of holding HITRUST Certification. This client had already virtualized its IT infrastructure via the MX2 Platform when a new opportunity arose for them. This opportunity would require them to handle personally identifiable healthcare information, governed by HIPAA. The healthcare firm sent MX2’s client a cybersecurity questionnaire – it had to be absolutely confident that its data would be protected. Patel explains, “Because we are doing the hosting of the data, our client rightly sent the document to us. I’ve seen many of them and this one was especially thorough. We replied with our HITRUST Certification letter, along with the policies and procedures we’d codified during the certification process. This gave them a high enough degree of confidence that there were no questions, follow-ups, or concerns on their end.”
For clients in the DIB, MX2 chose to add CMMC to the scope of its certification process. “It’s given them far greater peace of mind knowing we carry HITRUST Certification. It’s proof that we follow the best practices in cybersecurity and a respected third-party organization attests to it. Whatever the compliance mandates are, whether it’s HIPAA, CMMC or something else, those mandates are being followed.
“The HITRUST CSF Framework today is a global standard that provides flexibility with its r2 Certification, and a cost-effective option with the i1 Certification,” Ali Pabrai, CEO of ecfirst, says. “In including CMMC in its scope for HITRUST Certification, MX2 continues to reinforce their position as the expert in executive IT leadership. ecfirst is honored to help MX2 improve performance and transform in a positive way.”
MX2’s HITRUST Certification is also beneficial when clients choose to host some or all their infrastructure in-house. The technology environment for many small businesses develops incrementally. Oftentimes, the result is a patchwork of software, hardware, and equipment added to their networks as demand for them arises. Tracking who has access to what data within the networks is often fragmented. Processes develop idiosyncratically, and there is often no documentation. “We are working with a manufacturer that needs to be Level 1 CMMC certified – which requires them to self-attest that they meet the standards. We’ve been able to take the knowledge we developed through the certification process and help them put together the processes, procedures, and systems that we know are high enough to satisfy any regulators or downstream vendors,” stated Patel.
Certification has also had direct operational benefits for MX2. “I can say without question that our processes are leaner now than they were before, and our staff is more knowledgeable, more proactive, and more efficient from top to bottom than we were,” notes Patel.
For Additon Information About How to Get a HITRUST Certification for Your Organization’s Information Program, Contact HITRUST by Calling: 855-448-7878 or Emailing: email@example.com