As we enter 2021, it is time to reflect on everything that happened in 2020 and how it will affect HITRUST in the new year. Sabrina Serafin interviews two HITRUST experts, Michael Parisi and Andrew Hicks. They discuss how COVID-19 affected the HITRUST marketplace and how upcoming changes to the HITRUST assessment may affect companies and organizations.
– Sabrina Serafin, Partner and National Practice Leader of Frazier & Deeter’s Process Risk and Governance Practice
– Michael Parisi, Member of the HITRUST leadership team and Vice President of Assurance Strategy & Community Development
– Andrew Hicks, National Practice Leader of Frazier & Deeter’s HITRUST practice.
Culture of Compliance was recently named #1 in “Top 25 Regulatory Compliance Podcasts You Must Follow in 2020” by Feedspot.
Culture of Compliance: The State of HITRUST in 2021
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance Department.
Today, we’re talking about HITRUST, which is a globally recognized risk management organization, with two HITRUST subject matter experts: Michael Parisi, who is a member of the HITRUST Leadership Team where he serves as the Vice President of Assurance, Strategy and Community Development.
We’re also joined by Andrew Hicks, who is the leader of Frazier & Deeter’s HITRUST Practice and a highly experienced assessor who has managed hundreds of HITRUST assessments. Welcome to the podcast.
Andrew Hicks Thanks, Sabrina.
Michael Parisi Thank you.
Sabrina Michael, I wanted to get started with a high-level discussion of the state of the HITRUST marketplace. It’s been well over a year since you were last on our podcast. Talk to us about what’s changed.
Michael Oh my, Sabrina, nothing’s happened at all over the last year. Just kidding, quite a lot has changed. I think your opening remarks really align to a lot of the significant changes that we’ve seen. More specifically, you mentioned how using compliance and I’ll expand on to, say, strong security and privacy posture as a differentiator within the marketplace. We’ve seen a lot of movement in that area over the last year.
When you think about the traditional ways that organizations have tried to differentiate themselves, I go back to my old days of my marketing classes, and in graduate school, you had your cost leaders and then you had your differentiators relative to products or services. What we’ve seen, especially over the last year, is the evolution of this third category of organizations using strong security and privacy posture to be a differentiator relative to gaining new stakeholders, new customers, etc. We’ve seen a significant movement in that space as it relates to HITRUST ourselves.
One of the things that we’ve seen a lot of traction on is further global adoption of our programs and standards to help organizations manage the challenges of security and privacy compliance, but also making sure that they instituted strong programs from a foundational perspective within those organizations globally. Traditionally, we’ve seen a lot of traction within the US, but we’re seeing more and more globally relative to our programs.
The last thing that I would highlight that’s become extremely significant and top of mind, especially over the last year considering everything that we’ve been dealing with, is having strong third-party risk management programs that need to be put in place because the concept of having to onboard and bring in new business partners quicker than we’ve ever had to before is certainly something that we’re dealing with from an overall ecosystem perspective.
Sabrina Thanks. Andrew, from your perspective, what have you seen?
Andrew I don’t see any disagreement with what Michael said. The biggest thing I’ll piggyback on is adoption. I think we’re still seeing a lot of organizations that are adopting the CSF, the framework, and a lot of these organizations are first-timers, so HITRUST has not run its course from what we’re seeing. Certainly, there’s a lot of adoption across healthcare as a whole, even into other industries, but that adoption is still growing from our perspective.
So, a lot of firm startups, even a lot of firms that are under venture capital programs, they’re also being adopted and kind of steered in the HITRUST direction. So, I think that’s all a very good thing. I think it’s kind of conducive of an industry as a whole, kind of adopting a framework that seems to holistically cover a lot of the information security vulnerabilities and concerns that organizations are having. So, tying back to what Michael said, I’ll come back and address kind of the obvious thing, which is COVID, right? I think we’re all maybe tired of hearing about it personally and professionally, but let’s call it what it is and it has had a big adjustment in terms of how we manage these compliance initiatives, HITRUST being one of them.
Michael, I’m going to put you on the spot in a second with regards to the bridge assessment, so just know that’s coming, because that’s one thing that you guys have changed as part of the process. I’ll highlight some of the others, and those are things such as removal of the mandatory onsite. That’s not just a HITRUST thing, we’re seeing that in PCI and quite frankly, a lot of the assessments that we do. It’s changed the course of how we do engagements and required assessor firms to apply different approaches to getting comfort with physical security and environmental security controls, so that’s one thing we’ve seen.
Holistically, another thing is budget constraints, a lot of organizations are looking at different approaches for handling a remote workforce, which drives up costs with new solutions. I think as I look at our customers or the organizations that we’re in contact with and the things that are challenging to them is how they get more for less. With budget constraints that are kind of consuming or changing the way they look at compliance initiatives and risk management initiatives, we might talk about that later on. But, I’m seeing more and more organizations that have less budgets to work for so they’re looking to their assessor firms to help them out with that.
Sabrina I’d like to shift gears a bit because we have listeners who haven’t yet been through a HITRUST assessment. Can you talk about what is involved in an actual assessment from a customer’s perspective? What are they going to have to prepare for?
Andrew This is a conversation I have probably half a dozen times a week. So, again, back to my point earlier, there’s still a lot of adoption that’s happening and I think the journey begins in a different spot, depending if you’ve been through before or if you haven’t been. To your question about those that haven’t been, I think just having realistic expectations about what the process looks like.
Case in point, a company called me a couple of months ago and said, “Hey, I’m under a tight deadline. Can you get me certified by the end of next month?”, which was about forty-five days away. I said, “No chance, that’s not going to happen”. Those false expectations are still out there and just tell me that there are a lot of organizations that are adopting that really have no idea the rigor, the level of prescriptiveness or precision that is required to have a successful end state, which is certification; the sought-after deliverable at the very end is your validated report with certification. So, I would say having realistic expectations, you’re not going to get certified in a month. Quite frankly, you’re probably not going to get certified if it’s your first time in three months, so I’ll talk a little bit about readiness and the importance there.
Obviously, you’re going through something that you’ve never been through before and sure, it helps if you have a stock to share. It helps if you’ve undergone an ISO assessment or PCI or something of that nature. But, when you look across all the frameworks, nothing is nearly as prescriptive as what the CSF requires. Readiness to me for organizations doing this for the first time means we want to look at the posture or the maturity of your policies, your procedures and your implementing controls top to bottom across every single requirement that’s in scope for your organization. The output of that often is not a pretty sight. It’s a reality of, hey, listen, you might be good from a hit the compliance perspective or from a general security perspective.
But, with regards to what the demands are with HITRUST certification, here are all of the things that you need to go and address, which obviously kind of speeds up that remediation cycle, which is kind of the big unknown during the process, because we don’t know how long it’s going to take or really what’s necessary from a remediation standpoint to get you ready for validation. Remediation ends with a deliverable. Here’s all of the things you need to go and fix, which then speeds up that remediation cycle and after that begins what we call the validated assessment.
I would say right off the bat, doing a readiness assessment is probably the biggest thing to keep in mind. The other things kind of secondarily are pricing, like what does a budget look like? It’s not a $15,000 engagement. I would say at the other end of the spectrum is it doesn’t have to be one hundred or one hundred fifty or two hundred thousand dollar investment either. There’s a lot of organizations out there that charge exorbitant fees for HITRUST in the process, but I would say there’s certainly a middle ground. I think that’s the organization that we are. Frazier & Deeter is finding ways to work with the customer on kind of ad hoc or customer approaches to meet pricing and budget demands. Knowing what that is and having a solid butterfly budget ready to go at the end is always helpful.
I would also say, Sabrina, this is one of the white papers we released a few months ago, is the process of choosing an assessor partner. So, what should I look for as an organization in terms of who I partner with, what their capabilities are, what are their experiences? There’s a whole gamut of things to be considered in that process.
Michael Sabrina, if I can add just a few thoughts to Andrew’s comments, I think Andrew’s already alluded to this, it’s really about what is the goal of the organization. I’d put it into multiple different buckets or categories in terms of what we see. We have some organizations that, as Andrew mentioned, they already have a number of different compliance initiatives that are occurring within their company so maybe they’re needing to provide SOC 2, ISO, etc., and they look at HITRUST as another type of assurance that they just add to the pile, if you will.
They look at it as to say, “Okay, well, this is another exercise to go through. Let’s try and keep the scope and the level of effort down to a minimum, but still provide that level of assurance that we need to provide”. For those organizations that the goal and the path is going to look a lot different from, say, organizations that want to implement the framework and use that as the backbone of their information, security and privacy programs and we refer to those as adopting organizations, so they’re really embracing the framework. They’re putting that into the culture of their organization, that’s the profile of that organization. The goals that they’re looking to achieve is going to look a lot different than those that are just trying to say check the box and get a report. That journey may be longer; however, I think we believe and you and I talk about this collectively all the time, is that by going down that path of adoption, we always say lead with HITRUST. Lead with the HITRUST framework. You’re in a position to then pivot and produce all these other types of third party assurance reports that your stakeholders may be asking for.
So, for those not familiar with HITRUST, for example, the standards and requirements associated with SOC 2 reports are included within the HITRUST CSF. ISO 27001 and 27002 are included within there, PCI is included within there; HIPAA, as Andrew mentioned before, now CMMC and different versions of NIST. So, what we find is organizations that really want to tackle the struggle of reducing the cost of compliance, but still having the highest level of transparency and reliability relative to assurances that they’re providing their stakeholders around good security and privacy posture. Really, becoming an adopter is the most efficient and effective way to do that.
I think a lot of organizations miss out on the opportunity to really do what I referred to as a third-party assurance rationalization exercise. Look for those areas of duplication that exist today. Why am I running an entire separate assurance program around SOC 2 that is separate from PCI, that is separate from ISO, that is separate from HITRUST? There’s significant opportunities to run one assurance program by leveraging HITRUST and then being able to produce the different types of reports that you need. This is my soapbox and Andrew’s soapbox so we can talk about this for hours, but I think there’s a significant opportunity that exists for organizations and I know that’s how Andrew and that’s how Frazier & Deeter approached this in the marketplace.
Andrew Mike, I think you set me up well there and I’m going to take advantage of it. I’ll give you an example, what we’re seeing out there right now there’s so many organizations that are doing the HIPAA thing. They’re doing the PCI, the SOC, HITRUST, FISMA, you name it. There’s so many initiatives out there that our customers are taxed with, I think that’s probably a good word. I think the thing that we’re doing differently is instead of looking at it as, what’s the first assessment in the calendar year and then building everything off of that, which is completely dysfunctional, it’s the wrong way to look at it. We’re looking at it from a perspective of what is the most prescriptive framework?
Most often, if not every single time, it’s HITRUST when it’s involved. So, what we’re doing with our customers, especially the bigger ones, is we’re looking at what are all of the controls that are managed and enforced from the enterprise level. Let’s look at those. First and foremost, BCPDR, physical controls, environmental controls, encryption, things that are centrally managed, let’s look at those through a HITRUST lens, even though downstream there may be business units that are only doing a SOC 2 or a PCI engagement, perhaps if we want to look at it from the most stringent view at that enterprise level and then establish internal inheritance downstream to all of these other initiatives, it makes a lot of sense.
From our customer perspective, let’s think about them for a second, because this is near and dear to them; now, you’re talking about budget savings, you’re talking about dramatic efficiency, you’re talking about reduced audit fatigue. So, all of those meetings with the SOC team, the PCI team, the HITRUST team, etc., those all go away. You now have an approach where you’ve got a collaborative team that’s working to represent all of those initiatives instead of siloed teams. Our customers are ecstatic about the way we’re looking at this. I think back to HITRUST and what they’ve done, having all of these different frameworks tied into theirs, it just makes that process much more simplified. Quite frankly, it’s something that’s a huge service to the marketplace as a whole because nobody wants to be bankrupt by compliance.
Sabrina Andrew, you mentioned change and the reasons for a lot of those changes. Speaking of, HITRUST is working on the next version of the framework, Version 10. Michael, can you talk about the upcoming changes expected with the new release?
Michael Sure, Sabrina. For those of you that aren’t familiar with HITRUST, one of the things that we put a significant investment in is our programs and making sure that those remain up to date and relevant. When you look at a lot of other framework and standard organizations, oftentimes, those programs are not updated that frequently, if at all. When we think about the fact that the threat landscape is constantly changing, underlying regulations are either changing or new ones are being created, it’s really important to make sure that these tools and resources are maintained and up to date.
Organizations don’t need to take on the cost and the level of effort of updating it themselves. Going back to Andrew’s comments and looking for levers that they can pull to ensure greater efficiency. With that, our framework being one of our programs and tools is something that we are constantly updating to make sure it remains relevant. Sabrina, I know you asked about Version 10 specifically, I’m going to broaden that and tell you we are working on a new strategic initiative that we refer to as the HITRUST Approach 2.0, or Version 2. The reason why we call it that and we incorporate the upcoming Version 10 release within that overall umbrella is because the HITRUST Approach 2.0 includes a holistic group of improvements that are going to come out from an overall programmatic perspective, and Version 10 is certainly part of that.
Those that are familiar with HITRUST, I think there’s always a little angst in the marketplace whenever we release a new version, especially a major release, as we’re going from Version 9, for which there’s a series of dot releases, to now Version 10.0. But I would tell you, don’t worry, the whole point of the release of the HITRUST Approach 2.0 is to make it more streamlined and easier for organizations to adopt and assess against the framework. So, you’re going to see a lot of things that we are excited about, such as elimination of duplication. Right now, when you leverage the framework and adopt and assess against it, as Andrew could tell you, there could be certain control requirements that repeat multiple times just based upon the old structure of the framework; those are going to be eliminated.
Certain concepts around assessment domains that have created some confusion in the past, when you compare it to, for example, control objectives and categories, that is going to be restructured and it’s going to be a lot easier to understand. Also, it’s important to note that we are going to be maintaining the classic view, if you will. So, for organizations that are currently on Version 9, they will be able to crosswalk and map back to what they’ve done already from a policy, procedure and implementation perspective. So, a lot is coming, it is scheduled to be released on March 31st of 2021, and we’ve started through our marketing and communications team where we are going to publish at least one update per month. Kind of like, “Hey, this is what’s coming, these are the new things that have been solidified and incorporated as part of the approach, and those updates can be obtained from HITRUST Central,” that is our new online community. All the details around key enhancements and new information will be available there, so organizations and individuals can sign up for our newsletter through the HITRUST website as well and receive email updates in addition to joining HITRUST Central to see what some of the upcoming things are going to be as it relates to the HITRUST Approach 2.0.
The last thing that I’ll say is part of the HITRUST Approach 2.0 is what we’re referring to as our relevancy strategy. Part of what organizations are going to get insight into that we haven’t necessarily been in a position to provide in the past is not only are you going to understand what’s changing with Version 10, but we’re going to give you insight into what are we doing a year, two years down the road. What is 10.1 going to look like? What is 10.5 going to look like from an overall enhancement perspective? That’s driven by what we’re referring to as our relevancy strategy. So, lots of exciting things coming up as it relates to HITRUST Approach 2.0.
Sabrina Michael, you made reference to some strategic initiatives on HITRUST’s radar. Can you provide us with some insight?
Michael Gosh, we have a lot and we don’t have a lot of time to cover all of them here today, but I’ll highlight some for you and Andrew’s well aware of these. He’s actually helped us in thinking through these initiatives and what they should look like. So HITRUST Approach 2.0, as I mentioned, included under there are our relevancy strategy and obviously Version 10, and a series of other things.
Another one that we’re working on is what we’re referring to as our Broker Initiative. We’ve spun up a new initiative working with a series of insurance companies and also the broker community to do something very similar to what we’ve done through our other HITRUST assessments to offer a broker assessment that is going to provide those health insurers, those property casualty companies with the right level of assurances around security and privacy, but not be overly burdensome on the broker community because they are in a position to assess and report. Many use that one broker assessment and share with all the different insurers that they’re working with. So, we’re really excited about that, we’re making a lot of traction.
We expect that to launch in Q1 of 2021 as we work through that on the steering committee side. Andrew mentioned the bridge assessment before, that is something that we are going to continue to support. The idea behind the bridge assessment is although it came about as a result of COVID, it is not COVID specific. If you think more broadly when things happen within the world that actually result in operations either being halted or significantly challenged, organizations still need to be in a position to provide assurances around security and privacy. A lot of times they’re not able to do that through the traditional full assessments, so we design a process where organizations can extend assurances around their current environment until they have an opportunity to come back and do a full reassessment of that environment. That vehicle that we use to do that is what’s referred to as the bridge assessment.
So, it’s something new and it’s something that organizations are in a position to leverage when there are significant events. From an operational perspective, obviously, they still need to provide information around their programs to make sure that there’s not been any significant changes, but it’s something that we designed this year and something that we are going to expand on and continue to offer in the future. Another one that’s more HIPAA specific, Andrew and I were just talking about this last night, is we’re releasing some enhanced reporting that we’re referring to as a HIPAA compliance pack. As you know, Sabrina, that’s not just for your traditional covered entities and not just for health plans and for hospital systems, it’s really for anyone that needs to show that they are in compliance with HIPAA and have a defensible position in the event that they’re asked by a stakeholder and/or a regulator like the OCR to show how they’ve done that through leveraging HITRUST programs. That’s going to be coming out by the end of this year. That will be released as enhanced reporting that organizations can leverage, and we have the help of many different law firms that have been in a position to help organizations go through OCR investigations, etc., that have been guiding us in that space in addition to feedback from other stakeholders and experts within the marketplace, including Andrew with his years of experience in HIPAA compliance.
I’ll give you two more quick ones. CMMC, and for those not familiar with CMMC, that’s the new DoD requirements that any DoD contractor within the supply chain, whether they be direct or indirect, will now have to provide validated assurances around this 800-171 starting in 2021. We’ve designed the entire CMMC program so that organizations can provide those assurances by leveraging their HITRUST assessment or the HITRUST framework from an adoption perspective; we’ve got a whole landing page on that. We’ve got an upcoming webinar that will be in the January timeframe to talk more about that; we sit at the table with the DoD and with CMMC. We chair a number of those committees and also have representation on the board, so we’re very plugged in to what’s going on there.
We’re excited to help organizations again do that as more of a complementary activity by leveraging what they’re already doing with HITRUST as opposed to adding on another compliance related activity. Lastly, this is hot off the presses based upon some discussions that Andrew and I were having yesterday, is we’re looking into PCI to a greater extent to see how we can make the process of organizations showing that they are PCI compliant, more streamlined, and building that into the HITRUST assessment process that they’re already going through, especially considering the PCI requirements are already included within the framework.
So, working with Andrew and some others within the marketplace to think that through and help organizations streamline that PCI process, in addition to working with some of our own stakeholders and partners such as MasterCard, Visa and American Express, we’re excited to see where that goes over the next several months. I’m going to have to stop there, Sabrina. I can keep going, but I will stop there.
Sabrina Michael and Andrew, that was a great summary and I appreciate you joining us today for really timely information as we head into the new year. The strategic initiatives are exciting, and I want to again thank you for joining us. To our listeners, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode as we continue to discuss transforming compliance requirements into investments in your business.