Request Information

Request Information

or Call 1.877.459.4347

How the HITRUST CSF Goes Beyond HIPAA and SOC II Requirements

How the HITRUST CSF Goes Beyond HIPAA and SOC II Requirements
January 15, 2018 / Evolve IP

Excerpts from HITRUST and Cybersecurity 2018: Part 2- Improving the Quality of Security Oversight

This blog is the second of a two-part series on Omar Khawaja’s keynote address on the topic of HITRUST at HITRUST and Cybersecurity 2018, an event hosted by Evolve IP in November.  Evolve IP hosted this educational event because of our commitment to the HITRUST CSF framework and our commitment to providing clients with the ultimate cloud environment for cloud computing and cloud communications solutions. We proud to have recently been awarded HITRUST CSF certification (view the HITRUST certification press release here) affirming that all of Evolve IP’s services adhere to the strictest security standards for electronic protected health information (PHI).

Below are some excerpts from Mr. Khawaja’s HITRUST keynote address that answer the following questions:

  • Why was HITRUST needed if we already have a compliance requirement like HIPAA?
  • Why doesn’t a SOC II prove that an organization meets high-security standards?
  • Why are security questionnaires only 50-60% accurate?
  • What’s the number one security risk that you see in your service providers?
  • How Does HITRUST interact with and related to other security standards?

Why was HITRUST needed if we already have a compliance requirement like HIPAA?

I could do something like HIPAA says which is “add administrative technical and physical controls”. However, YOU get to decide what constitutes administrative technical and physical controls. One person could decide that means 10 controls and another person could decide that means 1000 controls. It’s completely open to interpretation, versus the other side (with HITRUST) where it’s very explicitly prescribed with absolutely no deviations permitted. A good example is SOC II. SOC II is a reporting framework. It is not a control framework. Management gets to decide what controls you want to put into the SOC.  The AICPA has some basic requirements, but I as management can decide that for us a strong password means on that is four digits. Since that’s what I decided, I can bring in a CPA firm to then attest that those controls are in place.  A CPA firm isn’t necessarily going to say I’ve got good or bad security. They’re just going to say that I have the controls in place that I said I do. It’s up to me to decide what those controls are. It’s completely open to interpretation.

Why doesn’t a SOC II prove that an organization meets high-security standards?

You shouldn’t just accept any SOC II because there’s good SOC II’s and there’s not-so-good SOC II’s.  There’s an organization I had the opportunity to work with who agreed with their customer that they would go and get their SOC II. But their compliance, legal, and security teams did not even know about this agreement that they made to their customer. They had to scramble. They had to go get their SOC II a year before they planned to do it. And guess how long it took them to go get their SOC II? –Just six weeks! Why? Because a SOC II is open to interpretation. I can give you a SOC II that’s garbage or I can get you a SOC II that’s awesome. In this case, all they wanted was to check in the box. They got their SOC II done in six weeks without a single qualification. The reality is that organization did not feel like it had the right controls included, so a year later they went and got their next SOC II and the controls in it were probably 10 times more effective at reducing risk than that initial report. Does that gives you an example of how good the SOC II is? Yet the reality is most of your customers out there live and die by the SOC II and they’ll accept it. But as organizations get more savvy they’re going to start to say “well wait a minute…what’s inside the SOC II?  What do your control requirements look like?” If it’s based on something like the HITRUST or some other well curated and well thought out set of controls then that’s great. If not, then that’s going to be questionable. We follow the HITRUST certification because honestly that is what makes me feel good. If we had anything less than that, I really wouldn’t be able to stand in front of my customer and look him in the eye and say were doing a good job securing his information.

Why are security questionnaires only 50-60% accurate?

Every questionnaire I’ve ever seen says “do you encrypt data at rest”. If I had a flash drive that I encrypted last year, could I answer yes to that question? So how valuable is a questionnaire? It’s extremely open to interpretation. When you respond it’s very difficult to provide valuable information and accurate information. It’s not because people are necessarily being malicious or they’re being elusive. But it’s just that the questionnaire only has a certain level of efficacy and capability that it can deliver. We know from some of the reviews of self-assessment questionnaires and then subsequent comparison to the on-site assessments that the accuracy of an average questionnaire is somewhere around 50% to 60%.

So 40% to 50% of the information in the average questionnaire is incorrect, yet there is such an extreme reliance on questionnaires in the healthcare industry, and other industries as well. Yet we continue to use them and we continue to promote them and the reason is very simple: it’s because it’s easy. I could create a questionnaire and I can send it out to a hundred of my business associates. It may take me two days to do that versus if I had to go on site and painstakingly validate every single control.

What’s the number one security risk that you see in your service providers?

There’s just one question I would want to ask my third-party or anybody to determine how good of a security program they have. I’d say “how many people do you have that are dedicated to security?” If the answer is zero, I pretty much know they probably don’t care about security. If the answer is two or three, that’s pretty good. And I’ll tell you, the gap between zero and one is huge. The moment you have one dedicated security person, the game totally changes. In terms of risk reduction, the leap from one to twenty is not nearly as much as the leap in between zero and one.

How Does HITRUST interact with and related to other security standards?
The HITRUST CSF is a risk-based control framework  and it actually maps to 20 different compliance requirements and authoritative documents. If you’re concerned with PCI, HIPAA/HITECH, various state privacy laws, ISO 27001, NIST, FFIEC requirements and probably about eight or ten others, HITRUST essentially harmonizes them. It doesn’t come up with something new, it just takes a lot of those existing compliance requirements and build crosswalks against them.
Categories: Business Continuity & Disaster Recovery Healthcare
Recommended For You
The Evolve IP Compliance CloudTM

Compliance is a way to do business … not an afterthought when clients need it.

At Evolve IP we have a dedicated compliance and security practice and work with two of the world’s top 3rd-party compliance auditors, Grant Thornton and Ernst & Young, to enable customers to extend their compliance to our fully audited cloud. This focus allows us to deliver the documentation and assurances that other’s simply cannot including HIPAA / HITRUST, PCI-DSS (all 12 sections), SOC 2/3 and more. The Compliance CloudTM includes true client isolation, encryption in transit and at rest, private VLANs, firewalls and dozens of other security measures.

What Our Clients Say
  • “High-level technology, better compliance, cybersecurity, and communication capabilities are expected of all providers of financial services, regardless of size. With the rate of change and costs involved, it is difficult for any size credit union to keep pace. So when we were looking for a cloud technology partner, we emphasized the need to provide to our members with technology solutions that help them compete with larger banks and financial institutions, at a cost they can afford. Evolve IP offers all that, plus broad financial services industry experience and a pedigree of providing first-rate service to support growth and continually enhance the entire member experience.”

    David Frankil, Chairman of the NJCUL Services Corporation and President/CEO of the New Jersey Credit Union League

  • "The people that Evolve IP are more personable; you don't feel like there's necessarily a script when you're talking with them, they’re easy to understand, quick to get a hold of, and they follow through on what they say they're going to do."

    Watch Testimonial

  • "Evolve IP has been a vendor partner that has grown with us, that has helped us, and that you know stands by us and stands by their word."

    Watch Testimonial

  • "I was a bit of skeptical because I've been told that by sales guys before...but you've all came through on every one of their promises and not only that, but even throughout our subsequent years of working with us as partners, you’ve stepped up to the plate whenever we needed something and provided a helping hand"

    Watch Testimonial

  • "…we were assigned a project manager for our implementation they weren't just force-feeding one process down. they listened, they work with us, they adjusted schedules and they held our hand every step of the way…"

    Watch Testimonial

What the Experts Think

Our analyst-acclaimed solutions are built on a world-class, compliant architecture that leverages the blue-chip technologies organizations already know and trust.


We deploy best-of-breed solutions including: Disaster Recovery, Contact Center, Unified Communications, DaaS, IaaS. Our services are analyst-acclaimed, vendor-validated, client recommended and award-winning.


Evolve IP is proud to have achieved the honor of being HITRUST CSF certified! Certification to the HITRUST Common Security Framework (CSF) affirms that all of Evolve IP’s cloud computing and cloud communications services adhere to the strictest security standards for electronic protected health information (PHI). The HITRUST security standard was developed by and for the healthcare industry as a means of going above and beyond the compliance requirements of HIPAA.

The HITRUST Common Security Framework (CSF) was developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations. The HITRUST CSF was developed by healthcare and IT professionals to provide an efficient and prescriptive framework for managing the security requirements inherent in HIPAA. HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework. An important part of the “What is HITRUST” answer is understanding that the CSF is risk-based and compliance-based so that organizations can tailor the security control baselines and vendor management programs that they follow based on their specific organization type, size, systems, and regulatory requirements.


The Privacy regulations of the U.S. Health Insurance Portability and Accountability Act (HIPAA) require health care providers, organizations, and their business associates, develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI — paper, oral, and electronic, etc. Those who fail to adhere to HIPAA can suffer from huge fines climbing into the millions of dollars for major violations.

The Compliance Cloud™ fully enables covered entities and their business associates subject to HIPAA regulations to leverage a secure environment to process, maintain, and store protected health Information (PHI) featuring among other controls.

SSAW 16 Service Organization Control II (SOC 2)

Evolve IP has received an SSAE 16 SOC 2 Type II report on our internal controls relating to how we assess and address the potential risks associated with the security, availability, and confidentiality of not only the cloud-based services that we provide, but also our physical and logical infrastructure. Evolve IP utilizes the Certified Public Accounting firm of Grant Thornton to perform its annual audit and attestation in accordance with the Statements on Standards for Attestation Engagements No. 16 and the associated Trust Services Principles, as published by the AICPA, to evaluate the effectiveness of Evolve IP’s service organizations controls.


While Forbes regularly features coverage and recognition about Evolve IP, they've most recently recognized Evolve IP as being the "Best Cloud Computing Companies And CEOs To Work For In 2017".  They've ranked Evolve IP in the Top 3 just behind Google and Microsoft in the Cloud Infrastructure classification.  (Feb 2017). Forbes  also recently recognizes Evolve IP for bringing Singer Equipment Corporation, a mainstream business based in PA, into the cloud by means of unified communication. (Sept  2017). Last year, Forbes recognized Evolve IP's survey of 1,080 executives citing that the number one reason to go to the cloud is the same reason that it is avoided. (Mar 2016).

Unified Communications Product of the Year

TMC and Internet Telephony Magazine have named Evolve IP’s unified communications platform as a 2017 Unified Communications Product of the Year Award winner. This marks the 6th time Evolve IP has been honored with this prestigious award and follows a series of product innovations that have allowed the company to rapidly expand its international coverage.

Evolve IP’s business collaboration tools and IP phone system dramatically improve employee productivity in the office and on the road with a Unified Communications as a Service (UCaaS) platform that fully integrates voice, video, instant messaging & presence (IM&P), desktop sharing, audio/web conferencing and more. The company also provides a sophisticated Web-based management portal, OSSmosis®, that allows administrators to easily configure system functions and quickly modify users without the need to reach out to a third party for changes.


Inc. magazine has recognized Evolve IP in the 34th annual Inc. 500|5000, an exclusive listing of the nation's fastest-growing private companies. The list will be unveiled in the September issue of Inc.

The story of this year's Inc. 5000 is the story of great leadership. In an incredibly competitive business landscape, it takes something extraordinary to take your company to the top," says Inc. President and Editor-In-Chief Eric Schurenberg. "You have to remember that the average company on the Inc. 5000 grew nearly six-fold since 2012. Business owners don't achieve that kind of success by accident.

Payment Card Industry Data Security Standard (PCI DSS)

Evolve IP has achieved Payment Card Industry (PCI) Data Security Standard (DSS) compliance covering all 12 sections of the PCI DSS. The PCI data security standard is a comprehensive set of standards that require merchants and service providers that store, process, or transmit customer payment card data to adhere to strict information security controls and processes. It was created by the founding brands of the PCI Security Standards Council, which includes American Express, Discover Financial, JCB International, MasterCard Worldwide, and Visa Inc.


Evolve IP is also a registered and participating member of the CSA Security, Trust & Assurance Registry (STAR). The CSA was formed to encourage transparency of security practices within cloud providers. It is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. CSA STAR is open to all cloud providers, and allows them to submit assessment reports that document compliance to CSA published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.

Deloitte’s Technology Fast 500TM

Evolve IP has been ranked for the second consecutive year on Deloitte’s Technology Fast 500™, a ranking of the 500 fastest growing technology, media, telecommunications, life sciences and energy tech companies in North America – both public and private. Technology Fast 500 award winners are selected based on percentage fiscal year revenue growth from 2012 to 2015. The list is a veritable Who’s Who of technology that has included tech companies like Google, VMware and Facebook.

Technology Fast 500 provides a ranking of the fastest growing technology, life sciences, and energy the companies – both public and private – in North America. Technology Fast 500 award winners are selected based on percentage fiscal year revenue growth during the period from 2012 – 2016.

Red Herring

Red Herring has named Evolve IP as one of the Top 100 Companies in North America.  Red Herring’s Top 100 recognizes the leading and most promising private companies from around the world. Among the over 20 criteria used to analyze companies for the award, Evolve IP was noted for its financial performance, technological innovation, customer footprint, the DNA of its founders and addressable market.

Red Herring selects the award winners for North America from approximately 1,200 privately financed companies each year in the US and Canada. Since 1996, Red Herring has kept tabs on these organizations and its editors were among the first to recognize that companies such as Facebook, Twitter, Google, Yahoo, Skype,, YouTube, Palo Alto Networks and eBay would change the way we live and work.


Evolve IP has been recognized as one of the “Best Entrepreneurial Companies in America” in Entrepreneur magazine’s Entrepreneur360™ Performance Index, a study involving a comprehensive analysis of private companies in America. Based on this study forged by Entrepreneur, Evolve IP is recognized as a company that exemplifies growth, not just in top and bottom line, but in sustainability and the ability to achieve lasting success.

According to Entrepreneur, after evaluating approximately 10,000 U.S. based firms, the team of editors and researchers behind the E360 Performance Index collected more than 250 pieces of data from the finalists, focusing on growth drivers and challenges, goal setting, resource allocations, and reward systems. The analysis uncovered a class of leading companies, including Evolve IP, whose continued success is largely based on superior value creation for their customers, building an adaptive learning culture, and aggressive geographic expansion—placing them amongst the most dynamic firms in America today.

Latest Press Releases

Evolve IP Named For Seventh Time to the Inc. 5000 List of Fastest-Growing Private Companies
August 14, 2019 / Evolve IP
World’s Leading Provider of Integrated Cloud Communications and Collaboration, Computing and Identity Management Recognized for Unprecedented Growth WAYNE, Pa.—August 13, 2019—Evolve IP®, The Cloud Strategy Company™, today announced its inclusion on Inc. Magazine’s…
UC-One in Antarctica
July 8, 2019 / Evolve IP
TXi, a partner of Evolve IP, made news for the company bringing and using UC-One to Antarctica, while remaining connected, despite the remote isolation. TXi noted that the cost savings…
Evolve IP Revolutionizes DaaS Delivery with High Security, Flexibility and User Experience
June 25, 2019 / Evolve IP
WAYNE, Pa. - June 25, 2019 - Evolve IP®, The Cloud Strategy Company™, today announced the availability of the Evolve IP OneCloud Desktop, the next generation of its highly acclaimed Desktop-as-a-Service (DaaS) solution.…
Partner Day for thevoicefactory, now Evolve IP
June 18, 2019 / Evolve IP
UCToday's Rob Scott, highlights his experience at the annual partner event for thevoicefactory last week. Our very own Guy Fardone took the stage to discuss the exciting opportunities available in…
View More

Contact Us

or Call 1.877.459.4347