How Finding the Right Partner Helped Western Reserve Achieve HITRUST Certification

Explore this blog to get direct quotes from Mark about his experience working with SecurityMetrics, why Western Reserve chose to become HITRUST certified, and what you should look for in a HITRUST partner.


Mark Davidson is the Chief Information Officer for Western Reserve Area Agency on Aging. After managing multiple different auditing processes each year, he decided to simplify everything by making the leap to become HITRUST certified. 

Choosing to Become HITRUST Certified

So, what led Western Reserve to choose to be HITRUST certified? 

Mark explains that “We’re a nonprofit agency on aging and we work with a lot of different managed care providers, so we go through anywhere from three to a half dozen audits a year. In those audits, they ask various things, and there’s always a point within that audit where they ask if we are HITRUST certified or if we have a comparable certification.

“We always knew we were going to get to the point where we’d want a HITRUST certification, and we finally got to the point where we thought, ‘Yeah, let’s just go ahead and do it.’”

Essentially, Mark’s team realized that getting HITRUST certified would be a long-term solution to an ongoing need and represent a commitment to protecting patient health information and sensitive data. 

Why HITRUST Actually Made Audits Simpler

HITRUST is well known for rigorous compliance standards that are more comprehensive than those of similar audits and, therefore, more committed to actual security. The hidden benefit is that becoming HITRUST certified often meets many of the demands of other assessments.

Mark says this was “nice” because it meant “we could say we are HITRUST certified and our partners would reply that HITRUST is stricter than the security they had in place.” Mark’s team loved that “HITRUST is broad enough that it can take care of a lot of requirements for other audits.” It signaled a great sense of attention to detail and overall commitment to security.

When you become HITRUST certified, it makes sense to see which other assessments you qualify for. If you want to explore other compliance assessments, you should speak to a qualified assessor who can explain which other certifications are easily achieved. 

Choosing the Right HITRUST Partner

When they decided to become HITRUST certified, Mark and his team were new to the process and didn't know what to expect. They knew they wanted to find a partner with a strong reputation, deep expertise, and, most importantly, excellent communication.

Mark describes, “We were going into this with a fresh point of view, and we didn’t know what to expect when looking for an assessor or even what our HITRUST process was going to look like. But we did our due diligence and reached out to a handful of different consultants and companies that would help us throughout this journey of getting the HITRUST certification.”

He continues, “The number one thing would be expertise and experience. The reputation of the company we were considering was also really important, as were our general communication skills. Cost factors into that as well. But I’ve worked on a bunch of different projects and worked with different companies where communication is lacking, and especially when you’re going into a project such as this, you really want solid communication with those that you’re working with. And we have had nothing but great experiences when it comes to communication with SecurityMetrics.” 

Confronting An Intimidating r2 HITRUST Assessment

The most daunting part of the process for Western Reserve was the sheer volume of evidence needed for their HITRUST r2 certification. Even with existing policies, the task seemed overwhelming. 

Mark found that the most intimidating thing was “that we went straight for an r2 assessment, where I know a lot of organizations go for one of the lower certifications. Just seeing the sheer amount of controls that we had to gather evidence for was kind of an eye-opener. Luckily, we had quite a few policies and procedures in place that we were already following. I would say we were 80% of the way there. We didn’t have to add many systems or technology; we just needed to wrap it all up with a bow and formalize everything. So, we had to create a lot of procedures and then tighten up a few of our policies and combine things, but the sheer amount of evidence that we had to collect and populations to collect was intimidating.” 

No Dumb Questions: Working With SecurityMetrics and Privaxi

Mark’s team found that their partner, Privaxi, acted as a guide, providing comfort and expertise. Mark explains that “In the tech field, we like to say, ‘There’s no dumb questions.’ But in our weekly meetings, I had a lot of dumb questions, especially in those early meetings. And they handled them with such grace, kind of held my hand, and made me comfortable with the process. As we got further along the process, everything was just clicking. And even now–going into our interim assessment–I’m not sweating it at all. I have even talked to other CIOs, directors of IT, and other organizations and let them know of the experience I had. I feel super comfortable with the process now.”

Having a HITRUST partner who is willing to meet you at whatever level of knowledge you have is important to a successful assessment. 

Would Western Reserve Recommend SecurityMetrics for HITRUST Assessments? 

In the end, by working with SecurityMetrics, Mark’s HITRUST certification process transformed from a stressful undertaking to a manageable one, leaving him confident and prepared for future assessments. Mark shares that during his assessment, “We reached some points where I was pretty stressed out about it, but I talked to the team over there and they said, ‘You know what, we’re going to put our focus here.’” 

Mike concludes, “It’s not a one size fits all. They will modify the project as needed. You’re not just given a template, and you have to run through the template; it’s custom to you and your organization. SecurityMetrics really helped us focus in and get everything wrapped up, to the point where it’s finalized, submitted, and it’s a product that you are proud to present.”

If you’re interested in a HITRUST assessment, feel free to contact an expert or check out the free HITRUST price range calculator.
