How the HITRUST CSF Goes Beyond HIPAA and SOC II Requirements

January 15, 2018 / Dave McCrystal

Excerpts from HITRUST and Cybersecurity 2018: Part 2 - Improving the Quality of Security Oversight

This blog is the second of a two-part series on Omar Khawaja’s keynote address on HITRUST at HITRUST and Cybersecurity 2018, an event hosted by Evolve IP in November. Evolve IP hosted this educational event because of our commitment to the HITRUST CSF framework and to providing clients with the ultimate cloud environment for cloud computing and cloud communications solutions. We are proud to have recently been awarded HITRUST CSF certification (view the HITRUST certification press release here), affirming that all of Evolve IP’s services adhere to the strictest security standards for electronic protected health information (PHI).

Below are some excerpts from Mr. Khawaja’s HITRUST keynote address that answer the following questions:

  • Why was HITRUST needed if we already have a compliance requirement like HIPAA?
  • Why doesn’t a SOC II prove that an organization meets high security standards?
  • Why are security questionnaires only 50-60% accurate?
  • What’s the number one security risk that you see in your service providers?
  • How does HITRUST interact with and relate to other security standards?

Why was HITRUST needed if we already have a compliance requirement like HIPAA?

I could do something like HIPAA says, which is “add administrative, technical and physical controls”. However, YOU get to decide what constitutes administrative, technical and physical controls. One person could decide that means 10 controls and another person could decide that means 1,000 controls. It’s completely open to interpretation, versus the other side (with HITRUST) where it’s very explicitly prescribed with absolutely no deviations permitted. A good example is SOC II. SOC II is a reporting framework. It is not a control framework. Management gets to decide what controls you want to put into the SOC. The AICPA has some basic requirements, but I as management can decide that for us a strong password means one that is four digits. Since that’s what I decided, I can bring in a CPA firm to then attest that those controls are in place. A CPA firm isn’t necessarily going to say I’ve got good or bad security. They’re just going to say that I have the controls in place that I said I do. It’s up to me to decide what those controls are. It’s completely open to interpretation.

Why doesn’t a SOC II prove that an organization meets high security standards?

You shouldn’t just accept any SOC II because there are good SOC IIs and there are not-so-good SOC IIs (2 min 35 sec video clip). There’s an organization I had the opportunity to work with who agreed with their customer that they would go and get their SOC II. But their compliance, legal, and security teams did not even know about this agreement that they made to their customer. They had to scramble. They had to go get their SOC II a year before they planned to do it. And guess how long it took them to go get their SOC II? Just six weeks! Why? Because a SOC II is open to interpretation. I can give you a SOC II that’s garbage or I can get you a SOC II that’s awesome. In this case, all they wanted was to check the box. They got their SOC II done in six weeks without a single qualification. The reality is that organization did not feel like it had the right controls included, so a year later they went and got their next SOC II, and the controls in it were probably 10 times more effective at reducing risk than that initial report. Does that give you an example of how good the SOC II is? Yet the reality is most of your customers out there live and die by the SOC II and they’ll accept it. But as organizations get more savvy they’re going to start to say “well, wait a minute… what’s inside the SOC II? What do your control requirements look like?” If it’s based on something like HITRUST or some other well-curated and well-thought-out set of controls, then that’s great. If not, then that’s going to be questionable. We follow the HITRUST certification because honestly that is what makes me feel good. If we had anything less than that, I really wouldn’t be able to stand in front of my customer and look him in the eye and say we’re doing a good job securing his information.

Why are security questionnaires only 50-60% accurate?

Every questionnaire I’ve ever seen says “do you encrypt data at rest”. If I had a flash drive that I encrypted last year, could I answer yes to that question? So how valuable is a questionnaire? It’s extremely open to interpretation. When you respond it’s very difficult to provide valuable information and accurate information. It’s not because people are necessarily being malicious or they’re being elusive. But it’s just that the questionnaire only has a certain level of efficacy and capability that it can deliver. We know from some of the reviews of self-assessment questionnaires and then subsequent comparison to the on-site assessments that the accuracy of an average questionnaire is somewhere around 50% to 60% (39 seconds).

So 40% to 50% of information in the average questionnaire is incorrect, yet there is such an extreme reliance on questionnaires in the healthcare industry, and other industries as well. Yet we continue to use them and we continue to promote them and the reason is very simple: it’s because it’s easy. I could create a questionnaire and I can send it out to a hundred of my business associates. It may take me two days to do that versus if I had to go on site and painstakingly validate every single control.

What’s the number one security risk that you see in your service providers?

There’s just one question I would want to ask my third-party or anybody to determine how good of a security program they have. I’d say “how many people do you have that are dedicated to security?” If the answer is zero, I pretty much know they probably don’t care about security. If the answer is two or three, that’s pretty good. And I’ll tell you, the gap between zero and one is huge. The moment you have one dedicated security person, the game totally changes. In terms of risk reduction, the leap from one to twenty is not nearly as much as the leap in between zero and one.

How does HITRUST interact with and relate to other security standards?

The HITRUST CSF is a risk-based control framework (2 min 3 sec) and it actually maps to 20 different compliance requirements and authoritative documents. If you’re concerned with PCI, HIPAA/HITECH, various state privacy laws, ISO 27001, NIST, FFIEC requirements and probably about eight or ten others, HITRUST essentially harmonizes them. It doesn’t come up with something new; it just takes a lot of those existing compliance requirements and builds crosswalks against them.
Categories: Business Continuity & Disaster Recovery