In a recent podcast interview Robert E. Johnson III, Cimcor CEO/President, along with Mark Allers, Cimcor VP of Business Development discuss HITRUST and HIPAA requirements. The podcast can be listened to in its entirety below.
Moderator: Okay, well, I'm so glad that both of you could join us today. We have Robert Johnson, the President, and CEO of Cimcor, and we also have Mark Allers here, the Vice President of Business Development here at Cimcor. And, you know, what we really wanna focus on and kind of jump in today is the topic of HITRUST. And, you know, there's been a lot of talk about HITRUST lately. So Robert, can you clarify what exactly is HITRUST and really why is it important for people to know about it?
Robert: Sure, sure. Well, thank you for having me on this podcast. Well, first of all, HITRUST - and HITRUST actually stands for Health Information Trust Alliance. So that's where our HITRUST comes from. It's a comprehensive framework that helps organizations manage and protect sensitive information. Initially, it was sensitive healthcare information, but they've morphed now helping you with protecting all types of information throughout the enterprise. HITRUST is a framework that consolidates different security and privacy regulations and standards and frameworks including things such as HIPAA, NIST, PCI, ISO 27001. It takes elements from all of them and it combines them into a single unified framework that streamlines the process of managing healthcare data and other security-related data.
Moderator: Excellent. Well then, so I guess that kind of leads into my next question. We have a lot of people that will say specifically when they're talking to some of our team members here at Cimcor, they'll say, well, do you, does your software work with HITRUST or with HIPAA? And some people might think it's kind of interchangeable. I wanna know if we can talk about, not only how they're related, but then also some differences. And either of you can answer that question.
Robert: Okay, and I wasn't sure if Mark wanted to add something about HITRUST overall as well.
Mark: Well, I can add something here and there, you'll probably tag it in here.
So one of the things to dovetail onto what Rob was talking about, a framework that is very applicable to not just only HIPAA, but other industries. And given its framework and its complexity it's really broken down and consists of 14 control categories, 19 domains, out of those domains, there’s 49 control objectives, 156 control references, and all implemented in three implementation levels. So, it is very applicable not only to healthcare, but its application spans financial, manufacturing, telecom, and others.
Moderator: Excellent. And you were talking about all of those categories. Do most companies, do most organizations have to follow all, or are there parts, or some that they have to follow?
Mark: Great question. Very similar. I would consider HITRUST very similar to NIST 800-53 in that it’s a catalog of pretty much every control known to IT that can be detailed in a descriptive manner of best practices. They are complementary to one another and, Rob, do you have anything to add?
Robert: Well, I think you’re right. One way to look at HITRUST is that they were striving to create basically one framework to rule them all. If you can assess on a single framework, what would happen is then you have all the data necessary to assess against HIPAA. Or you have all the information necessary to assess against PCI. So that’s the beauty of the HITRUST framework - you do one assessment, focus on one set of controls, and then the result is that maps across a variety of different standards and regulatory requirements that you might have to engage with and deal with. So it really simplifies the process.
There a lot of different levels of HITRUST, but it does simplify it when you have multiple frameworks that you need to deal with. I guess the one thing I could bring up about HITRUST is that there are different versions of the HITRUST framework. You have the new e1 controls framework version of HITRUST, and that really stands for HITRUST essentials. Those are the initial controls that you need to comply with to basically have a strong cyber hygiene. It’s just those foundational pieces. Then you have i1 which means implementation-ready one, in year one. HITRUST i1 is more about being threat-ready and ready to handle evolving threats over time because i1 is not static. It’s designed to evolve based on new threats, I think they call it “cyber-threat aware” so it evolves over time. So, i1 is really targeted toward medium-sized organizations. And then finally you have r2, which is much more complex, more rigorous, and was the original flavor of HITRUST that many folks are familiar with. But yes, even entry-level organizations can now consider HITRUST. It could be small businesses, small healthcare providers, can now really consider e1 as that entry point and they can keep moving up if necessary. You can go from e1, to i1, to r2.
Mark: To give a little context on the number of controls in each one of those three categories, e1 has roughly 44 I last counted controls, as Rob said that’s the essential. That’s really the foundational elements of IT that absolutely needs to be addressed. And as Rob was mentioning, i1 v11, that has 182 controls, and then when you get to r2 you start to span into the thousands and it’s more of a pick and choose based on the industry and the compliance mandates that is needed to be complied to.
Moderator: So organizations can utilize this framework for more than just one compliance, you know a lot of people think of just HIPAA but this can be like you said the overlapping, they can use this for a variety and I think you mentioned this earlier when you first started speaking, Robert. Different compliances. Is there, with all of the frameworks that are out there that organizations form to utilize a framework for helping them with multiple regulatory requirements - Why would an organization want to align themselves with HITRUST, the HITRUST framework? What, you know, what would be an advantage?
Robert: Well, having such a prescriptive set of controls is one advantage. You’ll also be in good company. I think 75% of the Fortune 20 companies are using HITRUST in their assessments. So this is highly trusted throughout the industry. Another reason you might want to align with HITRUST is that in about 2015 or so, there were a couple early adopters of HITRUST that really said, listen, for future partners and business associates and suppliers, we're only going to do business with you if you're HITRUST certified. And that was really, really a turning point in our industry because at that point, many folks realized we need to get HITRUST certified if we want to continue to do business with these major healthcare institutions. So, but now things have evolved to a point that you know, many organizations are adopting HITRUST, even if they don't have healthcare-related information to protect. Any type of business can now adopt HITRUST. If you're looking for this Rosetta Stone, essentially, of frameworks where if you can comply with HITRUST, you can use that as the foundation for complying and tracking your compliance with a variety of other regulatory requirements. So but you're right with HIPAA.
Mark: I think the keyword Rob used was simplicity. You can take a HITRUST framework and map it across all the industries, whether you're dealing with ISO, SOC 2 compliance, 800-53, 171, HIPAA, PCI, you name it. You take all of those and you put them into a very common framework. Because at the end of the day, 85% of all best practices are all the same controls. They’re just given different verbiage. And so the objective that HITRUST has embarked upon to be a single framework that can address not just healthcare and HIPAA but it can address a multitude of compliance mandates.
HITRUST is really the checks and balances of IT doing what they should be doing on a daily basis. HITRUST comes in and validates and verifies that not only are those controls in place but they’re operating correctly. And so that’s the checks and balances and that’s really the fundamental requirement of why compliance exists today is because IT oftentimes would shortcut processes and technologies to meet the objective of the deliverable but yet that deliverable would either be unsecure or would have a complexity in it that would drive downtime and that became the birth of compliance.
Moderator: That's fantastic. Well, let's kind of, let's jump into that second question I had mentioned. So a lot of organizations will say yes, we have to be HIPAA compliant, but really, let's talk about what is the difference? I know that we were talking about a compliance requirement versus a framework, but you might have a lot of people saying, well, I'm HIPAA compliant, why do I have to worry about HITRUST, right? Or vice versa. Can you talk a little bit about the difference between HIPAA and HITRUST?
Robert: I can jump in here. Well, first, there isn't any official HIPAA certification. So if you really are a HIPAA compliant, the question is, how do you verify that and validate it and what's the proof? And that's where HITRUST is very helpful because it can act as that mechanism to verify that you are doing the right things to protect, you know, personal health related information, PHI. So, but the thing about HIPAA is that HIPAA is only applicable to certain, the term is cover entities. You know, so every organization doesn't have to deal with HIPAA. And so when I say cover entities, what that really entails are health plans like, health insurance companies, clearance, clearing companies related information, and healthcare providers. So those are the three big categories that are covered entities that need to be concerned with HIPAA.
Those categories and then business associates which are companies that have engaged with the healthcare organization and have contractually said, yes, we're sometimes receiving personal health information, but we will follow HIPAA and proper procedures to ensure that this information is protected. So only a subset of folks really need to be concerned with HIPAA. But that also means that what was interesting about HITRUST is that HIPAA is just one major category that HITRUST can help with. So but sometimes yes, folks can complete the two, but HIPAA is a federal law for protecting personal health information and this law has been around for a while. It actually came to be around 1996 and then was enhanced with the HITECH Act right after that. So, but it has a narrow focus. But HITRUST, again, it’s a framework for assessing HIPAA, it can help with assessing PCI, it can do credit card transactions, and any other frameworks. If you think about, say, a typical hospital system, yes they have personal health-related information that they need to protect, but almost every hospital out there takes credit cards, don’t they? So they also should be concerned about PCI. So having this common framework that you can use and follow in your organization for HIPAA, for PCI, for GDPR if you're in Europe because, you know, HITRUST is a global assessment standard. That's just invaluable. Mark, you have anything to add?
Mark: One of the things that’s a unique value proposition by HITRUST is not only having the framework, but they have the compliance framework on the back end where certified assessors will actually go in and do the assessment whether it’s HIPAA, PCI, SOC, or any number of compliance mandates and then provide somewhat of a certification that that entity has met those requirements as defined by the compliance mandate and as correlated or through the framework of HITRUST. Those controls that map to those requirements and then they can say, “Yes, we are HITRUST certified and we meet the objectives of PCI, we meet the objectives of HIPAA.” Or whatever the compliance mandate is.
Moderator: Okay, excellent. Anything else to add before, I think I'll do the last kind of follow-up question here unless there's anything else you guys have. I wanna kind of talk about your relationship with HITRUST as an organization. And I know that there has been additional things that Cimcor as a company has been doing with HITRUST and I didn't know if you wanted to elaborate and talk a little bit about that.
Mark: Yeah, so great question, Jackie. Cimcor and our product CimTrak is the first technology partner of HITRUST. That certification designation was given to us in 2022 and we’re closely working with HITRUST and their development team to further integrate our product into theirs so it becomes more of a seamless activity of reporting the specific controls that meet the objectives of those compliance mandates.
Moderator: Excellent. And realistically, I know we've been talking a lot about HITRUST in general, but I do want to take a moment since, you know, this is Cimcor. What would that essentially do for CimTrak users? I know you talked about things being seamless, but tell me in a sentence or two, what would, what would those capabilities do?
Robert: Sure, sure, well I’ll take a step back. One of the issues with any framework and anytime we're trying to comply with some standard is that if you really look at what happens in an organization, it's really more of a sprint where there's a lot of effort in an organization to organize, gather the information related to an upcoming audit, make sure everything's in order, and after that, this sprint of effort, you go to the audit process for that year and then things settle down and then later, you know, nine months later, you'll see everything ramp up again in preparation for the next audit. And this is the cycle that you see.
And where the industry needs to move to is more of a continuous compliance. Imagine being always audit-ready. That would be the ideal state. So now, and to accomplish that, that means taking some of the elements of this framework and finding ways to automatically identify, create, and curate evidence related to many of the controls. For instance, in a HITRUST framework. And that's exactly the core of what we're trying to do in this relationship between HITRUST and Cimcor with our CimTrak Integrity Suite is have this connection where we can actually provide relevant and clear evidence specific to certain controls in HITRUST, in the HITRUST framework. So you always understand where you stand in regard to the technical controls that we can help within a HITRUST framework. So we are that first major step toward moving your organization from a reactive, once a period, prepare for an audit mechanism, to moving more toward that continuous compliance mentality and strategy in your organization.
Mark: To give a little bit more information relative to what Rob just described there. When we talk about e1 and i1 and those two particular frameworks of HITRUST. e1 is made of 44 controls. Of those 44 controls, CimTrak aligns either through technology or enabling a process of 13 of those 44. So, essentially 30% of those controls can be accomplished by using CimTrak technology. When you talk about i1, version 11, there's 182 controls. Of the 182 controls, we align either through technology or process with 42 of those 182. So, essentially we align with 23% of those total controls of i1.
Moderator: Excellent. Well, thank you both. This was great information and if I have any follow-up, I'll let you know. But I really appreciate your time and thank you so much for talking with us about HITRUST. Thank you.
