“The HITRUST process is the pinnacle today of IT security. Evolve IP’s customers can rest assured that the data that they entrust to Evolve IP is being protected at the highest possible standards.” – Tom Norman, Cybersecurity Consultant and Author, Ingram Micro

Data security and cybersecurity were among the hottest topics discussed at Evolve IP’s CUNA Governmental Affairs Conference (GAC) exhibit last week. The protection of member data and expectation of privacy are, of course, key pillars of the credit union service promise. At CUNA, we shared how Evolve IP supports the security objectives of our credit union clients by delivering our call center, omni-channel communications system, and disaster recovery services in a world-class, compliance-focused infrastructure that is HITRUST audited and certified.

Ironically, as the GAC was concluding, the HITRUST organization issued a press release explaining that the newest version (v9.1) of the Common Security Framework has significant further implications for Evolve IP’s credit union customers and the credit union marketplace in general. As explained in the release, version 9.1 incorporates both the European Union General Data Protection Regulation (GDPR) and New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). The expansion of HITRUST to address the needs of financial services is the result of a strong wave of recognition and encouragement by the financial services community to ‘open up’ the robust HITRUST framework that emerged out of the healthcare industry in response to stringent HIPAA requirements. It is part of their ongoing initiative to make the HITRUST CSF more open and comprehensive so that it is applied more effectively to meet all compliance requirements across a variety of global industries.

Security Assurance for Financial Services

HITRUST is already applicable to and accepted by key players in the financial services industry.
This fact was explained at Evolve IP’s Cybersecurity 2018 event held last November at our Wayne, PA headquarters. The first keynote speaker was Omar Khawaja, Chief Information Security Officer for Highmark Health and a board member at HITRUST. He explained how there has been extensive work over the last two years to harmonize the HITRUST framework with the AICPA to align it with the process of obtaining a SOC II. He also explained that there was already one top 10 bank in the country that was going forward to obtain their HITRUST certification based on the general strength of the framework and because of the deep security assurances it provides.

These sentiments were echoed during the second keynote address by cybersecurity expert and author Tom Norman from Ingram Micro. Tom explained how HITRUST evolved into such a comprehensive and powerful standard:
“This is the thing that’s most appealing to me about HITRUST. It started out in support of HIPAA. But they took a very strategic approach to this and understood that every healthcare organization also has to comply with PCI DSS. So that’s a very prescriptive process. And as they looked at the NIST framework, COBIT, and ISO 27001, each provided a checklist of all of the things that you have to do. Somebody had the bright idea of just making HITRUST compliant with the worst case of every compliance standard out there. So it’s not an accident that HITRUST became the go-to solution for compliance.”

“HITRUST is a single, best-practice approach and it has the potential to work across every single vertical sector…financial services, military, healthcare, retail, education, government, transportation, distribution…you name it. It looks like HITRUST is going to be, if not today, within the next couple of years a solution across all of those verticals and across all of the compliance standards, including European compliance standards.”

Both of Tom’s predictions (for the financial services market and international market) have now come to pass with HITRUST’s version 9.1 release. The incorporation of the Cybersecurity Requirements for Financial Services Companies issued by New York shows that HITRUST has clearly embraced the needs of the financial services industry. Further, incorporating the European GDPR requirement is a major step towards the internationalization of the framework.

The key takeaways for credit unions are simple:
- The cloud communications and computing solutions that are part of OneCloud Credit Union are built on a robust, geographically redundant, HITRUST-certified environment (that is also PCI DSS compliant).
- Evolve IP’s infrastructure and solutions are built specifically to meet the needs of compliance-driven, privacy-minded companies with 24x7x365 services expectations. Assuring business continuity is our specialty.
- Our cloud solutions will at a minimum meet, and in many cases exceed, our clients’ on-premises data protection and privacy standards.