HITRUST Services for a Healthcare Company
February 29, 2024
A $10 million private company and healthcare industry-leading enterprise data migration, integration, and web application solutions provider engaged Cherry Bekaert to perform HITRUST assessment services to meet certain requirements.
Situation
A large healthcare company (“Company”) was seeking HITRUST certification and approached Cherry Bekaert’s Information Assurance & Cybersecurity team for HITRUST assessment services for their historical clinical records solution, a platform that helps hospitals centralize patient information from a variety of Electronic Health Record (EHR) databases. Given the complexity of the HITRUST requirements, Cherry Bekaert recommended the Company first complete a readiness assessment. Through the readiness process, Cherry Bekaert identified gaps which would require remediation to achieve HITRUST certification.
One gap identified during the readiness assessment was the requirement for third-party penetration testing and a formalized risk assessment. Cherry Bekaert performed an internal, external, and web application vulnerability and penetration assessment against the in-scope networks. Additionally, a cyber risk assessment was performed against the organization to assist in meeting HITRUST requirements.
Challenges included
- Lack of automated processes for risk and security assessments and reviews
- Lean staff with multiple designations and responsibilities
- Large number of HITRUST Risk-based 2-year (r2) Validation Assessment requirements that the Company is responsible for implementing and maintaining
Cherry Bekaert’s Guidance
Cherry Bekaert advised the Company to develop a secure platform for accessing historical data stored in the cloud. The platform should have certified security measures and follow risk management practices. Additionally, the Company was advised to obtain a HITRUST r2 Validated Assessment Certification to meet the contractual obligations of their customers and to pursue additional business.
The Company also needed to conduct a detailed external and internal penetration test and vulnerability assessment against in-scope networks, perform an assessment of web applications based on both unauthenticated privileges and customer authentication privileges, and test identified applications for common vulnerabilities and security exploits.
Results
Cherry Bekaert worked with management to conduct a readiness assessment over the in-scope HITRUST r2 Validated Assessment requirements to identify gaps towards obtaining certification. Using our readiness approach, Cherry Bekaert was able to scope the assessment, conduct a gap analysis to identify and communicate gaps, and confirm Company remediation of identified gaps.
Collaborating with our in-house cybersecurity professionals, the HITRUST and Cybersecurity teams identified findings to remediate while maintaining independence during the HITRUST Validated Assessment. The Cybersecurity team completed a comprehensive risk assessment, as well as external and internal penetration test. Upon the Company’s completion of remedial activities, the HITRUST Validated Assessment commenced.
Using a maturity model to demonstrate “current state” and “gap-to-future state,” Cherry Bekaert developed a “crawl-walkrun” deployment model that addressed changes in people, processes and technology. Furthermore, the Company engaged Cherry Bekaert Advisory to assist with continuous operational improvement and optimal technological support in support of the HITRUST certification and cybersecurity best practices.
Cherry Bekaert’s Information Assurance & Cybersecurity team assists companies in the healthcare space and beyond to achieve regulatory, compliance and internal security objectives.