Written by Hoala Greevy, CEO, Paubox
Our HITRUST journey began eleven months ago when a Fortune 50 company reached out to us. They were looking for a HIPAA-compliant email solution and they made it clear from the outset that a HITRUST CSF® Certification was a business requirement.
We felt we could certainly provide them a solution that fit their needs, we just needed the HITRUST CSF Certification first. In a nutshell, this sparked our HITRUST CSF Certification journey.
For me, the value of HITRUST was two-fold:
- Scalable Security Practices: As the Paubox team and product line grew, I realized maintaining company security policies would be a high priority. We didn’t just want to talk the talk however, we wanted every member of the Paubox team to walk it as well. My conclusion was that the HITRUST CSF would give us the framework to get there.
- Enterprise Sales: If you’ve built a SaaS company from zero to one, then you know the jump from SMB to the golden goose of enterprise sales is an important. Enterprise sales can make or break a company’s fortunes. In my opinion, HITRUST CSF Certification of our products would give us validation to get a seat at the table with larger organizations. I’d also received confirmation from our friends at Redox that their business had grown exponentially for them as a result of their HITRUST CSF Certification.
HITRUST RightStart Program™
As luck would have it, we found HITRUST at the same time was expanding their reach by engaging startup companies. The answer for their team was the creation of the HITRUST RightStart Program. The HITRUST RightStart Program is a dedicated package of start-up friendly HITRUST resources that culminates in a completed self-assessment. We opted however, to upgrade to the validated assessment.
Thanks to Michael Parisi, HITRUST’s vice president of assurance strategy and community development, we quickly learned the benefits of the HITRUST RightStart program. As such, it was a distinct honor to be the first startup firm to achieve HITRUST CSF Certification through this new program.
We also learned in addition to the HITRUST CSF Certification increasing the speed at which Paubox could address the risk-reporting requirements of our target market, we eliminated time-consuming tasks associated with completing the additional lengthy, and now redundant, security questionnaires that customers requested in the past.
Inside the HITRUST Experience
Initially, we considered preparing for the assessment on our own but soon realized we could benefit with some outside assistance in properly scoping and then applying the security controls to our risk gaps. We decided to find an authorized certified assessor who could assist our journey. This ultimately proved to be easier than we thought, thanks to an introduction to KirkpatrickPrice from the folks at Redox. Working closely with KirkpatrickPrice helped position us better to attest to the HITRUST CSF in a timely manner to meet our customers’ expectations and our business needs.
We set an ambitious timeline and then we went about and did it.
In order to complete our process, we were fortunate to have resounding buy-in from our team. From the top down, everyone understood the importance and potential of achieving the HITRUST CSF Certification. The Paubox team was determined to accomplish this objective to support our overall business goals.
Following several months of research and preparation – including developing a detailed playbook for our team to follow – we gathered the Paubox team together with our assessor to begin the detailed work. From our first day onsite with KirkpatrickPrice to the day we submitted our documentation to their quality assurance (QA) team, it was roughly four weeks of nonstop work.
Achieving our HITRUST CSF Certification become the primary focus for the Paubox team with many of us working six-days-a-week, logging long hours and countless cups of coffee. Typically, the certification process for large enterprises can take months and occasionally stretching out over a year. But as a startup however, we had an advantage of focusing our team on the certification process. In this way, our experience differed from most large organizations who undergo a HITRUST CSF Certification.
To get into the weeds a bit, here’s a playbook we compiled:
- Establishing Meeting Cadence. Our HITRUST lead, Tyler Dornenburg, set up meetings 2-3 times a week and five days a week during the home stretch, with our assessor to QA our work as we worked through our self-assessment.
- Eating HITRUST Controls for breakfast. Working backwards from our desired submission date, we made it a goal to complete policy, process, and implementation for about 20 controls a day. This meant doing them first thing in the morning or eating them for breakfast.
- Staying on track. Our assessor Jeff Pochily from KirkpatrickPrice would check our work to make sure we were on track, providing edits where we needed more evidence or more specific wording.
By following this playbook, we were able to convert our self assessment to a validated assessment. This was an important detail to us. Once official QA started, we saw that few changes were needed and that it provided an established feedback loop to work from.
For a startup that created strong security policies from its inception, our HITRUST assessment was still intimidating. For starters, our assessment included 310 total controls to account for. Some of these would take an hour or more just to understand, process, and document. Some of the best advice we got during the process was – when addressing HITRUST controls, consider how it applies to your business specifically.
I want to leave you with some final thoughts that stuck with me: by building the HITRUST CSF for enterprise healthcare organizations, HITRUST also created an ideal way for digital health startups to level up their security and sales teams.
In summary, here’s what we gained from our HITRUST experience:
- Level Up. We quickly built a wealth of new policies, processes, and training documents.
- Company Culture. Paubox values and prioritizes information security as an operational foundation of the company.
- New Energy. Paubox is fired up to be a part of the HITRUST ecosystem.
- Peace of Mind. HITRUST demonstrates to the world we’re doing everything in our power to protect the data of our partners and their patients.
Finally, I’d say HITRUST is well worth the investment. When we present our HITRUST CSF Certification, our prospects and customers gain confidence that Paubox invests in its security and risk management posture.