Written by Lee Penn, Chief Financial Officer, PDHI.
PDHI is a technology services organization that develops and distributes the ConXus Platform for delivering workplace wellness and population health management programs. PDHI clients include wellness providers, accountable care organizations, large employers, third-party administrators, hospital systems, and health plans.
PDHI uses a Software-as-a-Service business model so all the electronic Protected Health Information (ePHI) that it collects, stores, disburses and analyzes on behalf of its clients is always accessible via the internet.
The ConXus Platform was first delivered in 2004. It is a proprietary application developed with in-house resources in response to the needs of PDHI’s clients and the operational, competitive and regulatory challenges they face.
To be honest, no one at the company was aware of HITRUST until the summer of 2013, but PDHI is fortunate to have among its clients some of the founders of the HITRUST Alliance. Following the usual annual onsite IT security audit from one of these clients, the risk manager conducting oversight suggested that PDHI obtain certification under the CSF as a way to reduce the time and effort involved in the onsite review process.
PDHI is a small company, and preparing for and participating in two-day onsite reviews for each of several clients consumed a large amount of employee time. This resource issue was combined with the frustration that there was a lot of variability in the audit requests of each client, and even from the same client year to year, so we were trying to hit a moving target.
While one suggestion about HITRUST was an interesting data point, the second one coming right on the heels of the first was enough for PDHI’s managers to plot a line and investigate where it led. The incentive to pursue HITRUST certification was a commitment on the part of both of these client risk managers to waive the onsite review requirement if PDHI was able to present a HITRUST assurance report that confirmed certification of the ConXus Platform.
From that point, the timeline PDHI followed was:
- 2013 October-December: Interview, select and engage a HITRUST Assessor.
- 2013 December-2014 January: Make the initial application to HITRUST and obtain a MyCSF account.
- 2014 January-March: Create and confirm the CSF BASELINE requirements applicable to PDHI by taking into account its products and services, exposure of the ePHI it touched, size and how it related to its clients. This was more challenging than it first appeared because of the need to first learn how to apply the CSF to a SaaS deliverable.
- 2014 February-April: Analyze PDHI’s current state of operations and create a gap analysis to identify those areas that would require remediation before they were sufficiently mature to support a successful application for HITRUST certification.
- 2014 March-December: Perform the work necessary to close the gaps identified and then operate under the CSF-compliant policies, procedures, hardware, software and applications so as to be able to demonstrate that sufficient compliance had been achieved.
- 2014 December-2015 January: Submit HITRUST CSF assurance application and related evidence to PDHI’s assessor and respond to assessor’s questions, comments and requests.
- 2015 February: Assessor submits CSF assurance application to HITRUST compliance reviewer.
- 2015 May: Receive DRAFT assurance report from HITRUST. Review draft and discuss and resolve report scoring and wording.
- 2015 June: Receive from HITRUST the FINAL assurance report, dated February 23, 2015, which contained no corrective action plans.
To their credit and PDHI’s great satisfaction, the onsite review requirements were indeed waived by both risk managers in the summer of 2015.
Since receiving the assurance report, PDHI has used it to fulfill IT security review requests from both existing and prospective clients and has been able to successfully push back on requests to complete the dreaded 300+ question multi-tabbed IT security due diligence Excel spreadsheets.
PDHI used its assurance report for the first time in 2015 as part of the supporting documentation for the annual renewal of its cyber risk insurance (privacy insurance in the parlance of its insurer), which is coverage provided under its information technology professional liability insurance. For the past three renewals, PDHI had requested an increase in the limits of this coverage, both to protect the company and to better reassure its clients. These requests were denied without comment, even though comment was requested. As a result of that process, we had no idea how to do better at the next renewal!
For the 2015 renewal, which occurs mid-year, the request to increase the limit was made again, and this time the insurer was interested in learning more, as was evidenced by the many follow-up questions that arrived after the application was submitted. The assigned underwriter even performed part of their investigation via conference call. The request was granted and PDHI was able to double its previously low limit to a level more commensurate with its size and the number and size of its clients.
The only essential difference between the 2015 and 2014 applications was the inclusion of PDHI’s HITRUST assurance report. It made PDHI’s request worthy of consideration and, I believe, the statement it made about the risk of doing business with PDHI was the primary reason the increased limits request was granted.
While it was time and resource intensive, PDHI is a better company for having made the effort to achieve certification under the HITRUST CSF. It is now part of the company’s culture and we promise to maintain our certification status as part of obligations undertaken in our license and service agreements.
Lee Penn is Chief Financial Officer at PDHI. He holds a bachelor of science degree from Cornell University and a master of business administration degree from the University of Connecticut.