This blog is the second of a two-part series on Omar Khawaja’s keynote address on the topic of HITRUST at HITRUST and Cybersecurity 2018, an event hosted by Evolve IP in November. Evolve IP hosted this educational event because of our commitment to the HITRUST CSF framework and our commitment to providing clients with the ultimate cloud environment for cloud computing and cloud communications solutions. We are proud to have recently been awarded HITRUST CSF certification (view the HITRUST certification press release here), affirming that all of Evolve IP’s services adhere to the strictest security standards for electronic protected health information (PHI).
Below are some excerpts from Mr. Khawaja’s HITRUST keynote address that answer the following questions:
- Why was HITRUST needed if we already have a compliance requirement like HIPAA?
- Why doesn’t a SOC II prove that an organization meets high-security standards?
- Why are security questionnaires only 50-60% accurate?
- What’s the number one security risk that you see in your service providers?
- How does HITRUST interact with and relate to other security standards?
Why was HITRUST needed if we already have a compliance requirement like HIPAA?
I could do something like HIPAA says, which is “add administrative, technical and physical controls”. However, YOU get to decide what constitutes administrative, technical and physical controls. One person could decide that means 10 controls and another person could decide that means 1000 controls. It’s completely open to interpretation, versus the other side (with HITRUST) where it’s very explicitly prescribed with absolutely no deviations permitted. A good example is SOC II. SOC II is a reporting framework. It is not a control framework. Management gets to decide what controls you want to put into the SOC. The AICPA has some basic requirements, but I as management can decide that for us a strong password means one that is four digits. Since that’s what I decided, I can bring in a CPA firm to then attest that those controls are in place. A CPA firm isn’t necessarily going to say I’ve got good or bad security. They’re just going to say that I have the controls in place that I said I do. It’s up to me to decide what those controls are. It’s completely open to interpretation.
Why doesn’t a SOC II prove that an organization meets high-security standards?
You shouldn’t just accept any SOC II because there are good SOC IIs and there are not-so-good SOC IIs. There’s an organization I had the opportunity to work with who agreed with their customer that they would go and get their SOC II. But their compliance, legal, and security teams did not even know about this agreement that they made to their customer. They had to scramble. They had to go get their SOC II a year before they planned to do it. And guess how long it took them to go get their SOC II? Just six weeks! Why? Because a SOC II is open to interpretation. I can give you a SOC II that’s garbage or I can get you a SOC II that’s awesome. In this case, all they wanted was to check the box. They got their SOC II done in six weeks without a single qualification. The reality is that organization did not feel like it had the right controls included, so a year later they went and got their next SOC II and the controls in it were probably 10 times more effective at reducing risk than that initial report. Does that give you an example of how good the SOC II is? Yet the reality is most of your customers out there live and die by the SOC II and they’ll accept it. But as organizations get more savvy they’re going to start to say “well wait a minute… what’s inside the SOC II? What do your control requirements look like?” If it’s based on something like the HITRUST or some other well-curated and well-thought-out set of controls, then that’s great. If not, then that’s going to be questionable. We follow the HITRUST certification because honestly that is what makes me feel good. If we had anything less than that, I really wouldn’t be able to stand in front of my customer and look him in the eye and say we’re doing a good job securing his information.