Today in our corporate headquarters, Evolve IP hosted a unique compliance, security, and risk management event for Greater Philadelphia companies. Historically involving only the healthcare industry, today’s version of the HITRUST Community Extension Program (CEP) was the first tailored to incorporate audiences from all industries. Led by Michael Parisi, Vice President of Assurance Strategy & Community Development at HITRUST, the program included an engaging discussion about the HITRUST program and a live sample assessment demonstration driven by Paul Johnson and Karen Johnston from Wipfli LLP — the HITRUST assessment firm that helped Evolve IP achieve HITRUST certification in January of this year.
The HITRUST security and privacy framework is utilized by 81% of US hospitals and health systems and is the most widely adopted control framework in the healthcare industry according to a 2018 HIMSS survey. However, Parisi explained that the strength, breadth, and depth of the HITRUST control framework have led to its adoption well beyond the borders of healthcare. Today the framework addresses a wide range of more than 20 state, national, and international security standards, including NIST, COBIT, ISO 2700, GDPR and the New York State financial services regulations. The audience — which included a range of healthcare, consulting, technology, and services firms — received a broad education on risk management best practices and openly discussed some of the specific compliance challenges and risk management concerns that they have.
Joe Pedano, Evolve IP’s Executive Vice President of Cloud Engineering, also addressed the audience, explaining that the framework’s broad applicability and rigorous nature were why Evolve IP chose to get HITRUST certified. “We are a provider of cloud services to multiple industries, including over 250 healthcare companies,” he said. “But beyond the HIPAA concerns, more than 60% of our clients have some type of compliance or regulatory concern that is critical to their business success. Today, as a cloud company that has had our environment thoroughly assessed and certified to the HITRUST standard, we can provide peace of mind to all clients that our infrastructure, and consequently their data, is secured at the highest level.”
Further, Parisi shared a detailed explanation of how and why HITRUST is experiencing rapid adoption in compliance and security-focused industries such as financial services, travel and hospitality, technology, and manufacturing. Common drivers across all groups are the increasing risk posed by:
- The dramatically evolving cyber threat landscape
- Confusion in the marketplace regarding what types of security controls are reasonable, appropriate, or adequate (as is often the broad language used in security guidelines like HIPAA)
- Growing compliance and risk liability in the form of legal fees, penalties, and reputational damage that stems from breaches.
Today’s interconnected world also means that the need for third-party assurance is greater than ever. As a result, organizations are increasingly requiring their third parties to become HITRUST certified. By requiring HITRUST certification, companies can gain confidence that their vendors and partners have thorough data management controls in place. Further, HITRUST addresses these challenges by creating a systematic way to ensure the transparency, accuracy, consistency, and scalability of firms’ security and vendor management programs.
Another key concept discussed during the program was “control inheritance.” Paul Johnson and Karen Johnston illustrated this feature in their live demonstration of the HITRUST online assessment tool. As companies move services to the cloud, leveraging a HITRUST-certified cloud for infrastructure and communication solutions is increasingly important. The importance of inheritance is that it allows firms to leverage the certification of their cloud service provider within their own assessment to avoid cost and duplication of effort. For example, disaster recovery is a requirement within the HITRUST framework that would normally be assessed in the certification process. However, if a firm is performing disaster recovery in Evolve IP’s HITRUST-certified cloud, it doesn’t need to conduct that assessment. Rather, the company can “inherit” the controls related to disaster recovery from Evolve IP.
Parisi concluded the program by highlighting the agenda for the upcoming HITRUST annual conference, which will be held in Grapevine, Texas from September 11th through the 13th. Evolve IP will be attending and participating in this event, which is highly relevant and helpful to all IT, security, and business professionals who are concerned with the ongoing efforts to protect information from cyber threats. The conference will provide an outstanding opportunity to collaborate with peers and gain valuable insights from a number of industry-renowned speakers on topics including cloud adoption, compliance, cybersecurity, healthcare, risk management, and third-party assurance strategy.
For more information on the compliance and security features underlying Evolve IP’s cloud computing and communications services, visit our compliance & certifications page.