VanRein Compliance Podcast

Navigating HITRUST Certification + The SPIRIT of Fall and Texas-style Halloween Fun!

Rob & Dawn Van Buskirk Episode 61

Ever wondered what it's like to navigate the maze of HITRUST certification for healthcare data security? Well, you're in the right place! Join us, Dawn and Rob, as we unravel the complexities of HITRUST, HIPAA compliance, and the various levels of HITRUST certification. We'll walk you through the cost, the importance of customization, and the crucial steps required for an effective implementation. Documenting everything is key in this process, and we're here to tell you why!

As we delve into the nitty-gritty of Control Mapping and Disaster Recovery plans associated with HITRUST implementation, we keep things light and seasonal. Embrace the spirit of fall as we celebrate the arrival of pumpkin spice season and the approach of Halloween. We share our experiences of Texas-style Halloween, complete with trailer-ride trick-or-treating and neon bracelets. It's a delightful mix of in-depth discussion and fun banter that you won't want to miss! Keep listening because next week, Rob will be bringing back insights from HITRUST Collaborate 2023 in Dallas. So, buckle up and enjoy the ride!

Hello and welcome back to the VanRein Compliance pod with Dawn and Rob. I'm Rob.


And I'm Dawn.


Oh, hello Dawn.


Hello, you look nice today, thank you.


I have to say that Do I look nice? I showered.


Your hair looks nice since you got it did.


I did get my hair dead because it's important to get your hair did even if you're working at home. We have a fully remote staff because we believe we invest in people, not buildings, so we build everything remote, but I did have to get purtied up because I was getting a little shaggy because I just got back from the Glitza.


Oh GL TSA that sounds great. The Great Lakes Telecom


I just messed it up, the Great Lakes TeleAssociation in Detroit. So, as we've spoken before, we do a lot of service within the TAS industry, the Telephone Answering Service industry. Those are the men and women that are answering the phone at two in the morning when your kiddo's sick or you get sick and you call your doc. They're the ones on the other end. And so I just flew from Detroit back to Dallas, so back in the great state. And where am I? Where in the world is Rob today? Where am I, Dawn?


You are at the HITRUST Collaborate 2023.


Oh yes, yes, it's in Dallas and it's back in person this year in our home state of Texas, so this is going to be good. So I will have a lot of great nuggets about HITRUST and even HIPAA compliance and healthcare data security on next week's pod. And so we're going to have a lot of good stuff. Yeah, this is HITRUST.


So today, yes, we're going to talk about what's going on and then we're going to dive into HITRUST and what does it mean for your business and why it is that upper echelon of certifications, because it's very complex and I've got to continue to learn and teach our team so that we can help you, our clients and our prospects, to make sure y'all know what's going on. But more importantly, oh gosh, oh, we got a little fun we got, go for it. What do we?


got. This is the month of the pumpkin spice. No, it is so okay, no wait a minute. Everyone goes crazy over pumpkin spice. I mean, I don't, obviously Starbucks. As soon as they say we have it available, people flock to it. I'm not a Starbucks drinker.


I was at the airport.


They're all I know, but when you go into your grocery store, when you go into Walmart, when you go to Target, any store, what do you smell?


The pumpkin spice.


Yes, you smell something of the essence of pumpkin spice. They have pumpkin spiced everything to where it's like excessive. Anyway, it is excessive, but I do realize there's a lot of people that love it and they can't wait for it and they're excited and they want their house to smell like it, and so on and so forth. So I just thought I'd just put it out there. It is pumpkin spice month, if you like it. Go crazy, pumpkin, spice it up.


And they have gone. They the market has gone crazy because Starbucks probably pushed the trend, if not kind of started years ago. But yes, it's in muffins it's in, I don't know, was there like syrup, it's like candles.


Room deodorizer yeah, room deodorizers.


It's probably in deodorant. I was gonna say deodorant.




We went to. Where are we, oh Hobby?



Speaker 3:

And it smelled like pumpkin spice and Christmas Yep In plastic.


Yeah, everything.

Speaker 3:



The pumpkin spice.


Yeah it is October. What else is going on in October? Oh well, we call it bento.


Well, it's bento. We've already talked a lot about bands. Yeah, we have talked about bands. So, we'll skip past that, but Halloween's the end of the month.


Yes and we have the perfect scary tree in our neighbor.


We do have a scary tree because it's dead. It's not okay, stop. All right, all right.


This is kind of what we do on the potters, your banter. The tree is dormant, it is a Texas live oak.


That's been dormant, dead, for about six months.


I have have what? How many cards do we have? Six, seven cards. Oh, true tremors that come by on the corner.


People stop by. Hey, I'll cut your chaser down the tree. No, no. Um but we do have a neighbor other than our dead tree, and I've seen a couple other dead trees.


It's coming back in the spring, I guarantee it's. We've talked.


So as we as we leave and turn out, and turn out to multiple streets, but anyway we come to one stop sign straight ahead, the guys at this huge skeleton.


That is really cool and it's like whoa.


It's kind of freaky, yeah, and the eyes do light up. I think it should be a little bit more.


It means more prominent prominent but, um so things are starting to come out.


People love to put. I don't know our neighbor. People love Halloween. Texas is a big Halloween thing. We moved here they. They do a lot of where they. They get their trailers out to their pickup trucks and they tool the kids around the neighborhood. We do all pile in a trailer, silly string, you know, neon bracelets, all sorts of stuff. It's really big here like it is. It is really big here and yeah and growing up in Mostly in Colorado, it was cold pretty much. You're. You're wearing, you know, snow pants over your outfit.


Yes, we all did.


You know, it's kind of it's not as enjoyable sometimes, and here it's warm and so they just they do it up, but it's it's pretty fun to watch everyone as they start putting their stuff out for Halloween. So, yes, halloween is fun.


Well, I remember, you know, let's go back. You know that that first year, what, five or six years ago, yeah, we would, we would, we would walk around and do the trick or treating. And here there's a guy with a truck or a tractor, and this is a giant flatbed and you put a bunch of hay on it, you dress it up, you put some lights on it. Yes, when candy for the kids and you go around the neighborhood, it's a really good time.


It's a big thing, yeah, but you have to have a big dinner before and then you go out, so spider dogs, remember those, oh yeah, all spider dogs, oh, all kinds of fun things, oh yeah. So yes, we got Halloween this month, we have pumpkin spicing and Rob's at a HITRUST conference. Yes, are you, are you happy to get rid of me for a week? Sure, that means yes. To the listeners. Yes, that means yes. She's like you know what? I think you need to go for a week. I'm like good, you know, after 23 years. Like I keep things together.


Go learn, go learn go learn.


Yes, I'll bring back some good nuggets next week, Rob. All right.


Why don't we when we start?


shift over and dive.




What HITRUST is? Yes.


Why don't you tell us what the definition is? Everyone knows. Everyone knows, obviously, HIPAA. We've talked about HIPAA. We've talked about SOC 2. We've talked about ISO 27001. So what is HITRUST? What does it actually stand for?


The old HITRUST. Is it really trusting? Yes, all right, I would go into. So HITRUST stands for the Health Information Trust Alliance. So the Trust Alliance is a nonprofit organization and it was formed pretty much right after HIPAA was introduced 30 plus years ago. This is really where the healthcare industry came together to form their own alliance. It's, you know, even though it's nonprofit, it is a business. You have to pay to be. You have to pay to be a member.


Mm-hmm, and they really married the HITRUST Common Security Framework into the NIST standards, national security technology standards, which is pretty much the global security standard, and created HITRUST, which has an emphasis on healthcare. Now a majority, I will probably say about 60%, of the members of HITRUST CSF are traditional hospitals, large practices. You know you're talking, you know, 15 story hospitals that have a lot of data. But what we've seen, especially in the last, I'm gonna say, seven years, six years, is a lot of it has gone into the SaaS models.


So we have clients going through HITRUST because we do HITRUST readiness and preparedness and management here at VanRein. We have clients going through it with us today and what we do, what we're finding, is now it's moving into the SaaS models. So with obviously all the cloud platforms, all of now, all the AI startups are popping up left and right, and for them to show value and show value to the hospitals and value to the healthcare industry, they're becoming HITRUST certified to ensure they protect that data, because data goes everywhere.


So that's, that's really the gold standard that healthcare organizations need to seek. Yep. Yeah, that's the HITRUST, HITRUST.


Yes, and here's a fun fact, okay, customers, we have a lot of customers that I'm gonna just say kind of roll up, meaning. Yeah, HIPAA is really a baseline.


Good place to start.


It's a federally, right. You have to do it. HIPAA is, that's the standard, right.


You have to do the HIPAA.


But a lot of our customers roll up, and what I mean by that is they'll add on a SOC 2. Then they'll say, well, I'm doing international business, I'm gonna do an ISO 27001. Oh, let's make sure we do GDPR in there too. So we have a lot of customers that roll up into this. Well, interestingly enough, HITRUST is the top. So HITRUST basically is HIPAA and SOC 2 rolled up into HITRUST.


Because, basically, what you're doing is you're marrying, like Rob said, cybersecurity, security, data security from, you know, the SOC 2, the ISO, and then you're having the heavy in healthcare. So you're marrying a lot of pieces here and it's rolling up into that. So HITRUST is big. It's a big nut. Yes, you have to be part of the alliance. You have to have an auditor that is part of the alliance. You, as a customer, have to also be part of the alliance. It's a membership.


So, it's a very Give it part of the club.


Yeah, yeah, it is a club. So there's a lot of stuff we do, the readiness, we prepare you. There's a lot of steps. So we have customers going through SOC 2 and ISO 27001 and, yes, there's a lot of steps there too. But HITRUST is a lot more.


It is.


And it's a lot more involved, it's a lot more of cost and it's definitely you definitely have to be involved. And you definitely have to have to want it, and usually you need it, especially if you're working with big time hospitals and stuff like that.


Yeah, and there's changes too. And I'm excited. This week while I'm in Dallas, there's a couple of sessions talking about how to map your SOC 2 controls to HITRUST, because that's what we do. So we, and you want to map, you don't want to have to redo it, because a lot of the efforts you put in with HIPAA, with NIST, and then you roll those into SOC 2 and then you roll those, you're kind of building the house.


Right. Now you're just adding on an addition, my electrical is in, my plumbing is in, my infrastructure is in. I'm just adding a room. So now you're adding the HITRUST to that as a next piece. Yep, I'd say that's a key piece. You're right. Bring up there Dawn Dern. Are you, dern? I just had lunch, see, that's the way you should do it before lunch, because now my brain's like hey, let's just eat. Oh, my Lord, and it's really key about. It's not just about being compliant, right, it's about building that trust and confidence in organizations' cybersecurity practices.


That's crucial in healthcare. The trust, the trust, the trust. We talk about that, we talked to our clients about that. You buy into the compliance culture, so your clients trust you and then they continue to purchase your services and it is a revenue generating line item.


Oh yeah, I know people go. Oh, that's just a bunch of money.


I was like you know, hey, you're regulated by law to do it. Don't even think about doing business in Europe without any certifications, because they're just going to laugh at you and say no. So, yep, so some of the other, what are? Uh, see, let me go. I'm trying, as I'm thinking here, as I'm sitting here in Dallas, I'm like, okay, what are the other things that I want to dive into? I think a couple other things with HITRUST is making sure, um, that you have a good team put together.


So let's expand on the team piece a little bit, um. What we find at VanRein is when you have a team that is focused on compliance or dedicated in compliance, or a couple of team members, a project manager, um, you're very successful and your organization is successful. Where we see organizations fail is when you don't have the right people there, and they're not.


They're not dialed into yeah, yeah, so you have to have the accountability, has to be there. You have to have the right team Um, this is a big one, Um. What we provide is we provide our team with the readiness, um and and work with your team, Um, so just consider us an extension of your team, Uh.


And then we also engage that external auditor, where we've built relationships with a few external auditors, and that way then we can bring everyone together. And that way then, to be successful, you have to know what to expect, and that's where, there's a lot of moving pieces, but that's where we manage this program, if you will, for you and process with you, not really for you, but with you, because it has to be a buy-in from not only our team, which, yeah, we're here, but your team, and who on your team you choose to be a part of this, and who has the, uh, the skill set, uh, the experience, and who's going to manage and implement. So really important, uh, a lot of accountability with HITRUST. Um, that you know, and that certification, it costs a lot and it's worth a lot. Once you have that, with each certification, you should market, market yourself. I have this, I have this, I have this, because it is revenue generating, yeah.


The certifications, and you definitely want HITRUST to be, because it is. It is an expense upfront. Um, because it's a lot there. There was talking a lot of different controls, um, and I don't, I, I, you know, next time we kind of dig into, when you get back, more specifics we could probably dig into. You know the number of controls, um, because there's a certain number of controls for SOC 2 and, you know, we can dig into it a little bit more. There's three different types of HITRUST, three different levels.


Um you know we don't have to get into the weeds with that right now. Um, I think next week it'll be their next pod, rather.

Speaker 3:

The pod.


It'll be, uh, um, we'll be curious, myself and the listeners, is the new nuggets of what's new, what's going on, what's you know what's relevant now with, with everything, so, um, and they haven't had a conference in a couple years.


I think it was in a couple years. I think it was in a couple years. So now they're finally in person. They're a year behind the rest of the world. But here we are.

Speaker 3:



And there are, you know, they. You mentioned the cost, so you know the cost is about 60 grand plus. Let's start there. It's about 60K to start. That's internal and external audit. So they do the same framework as SOC 2 and ISO. You have internal and external.


We do the internal.


We have partners that do the external. So, um, they have a I think it's, I, ie, I one. That's the new one I'm going to remember. I will know, this week there's a new one that rolled out that is a smaller scope and a a less price to get you started.


Lower, very low, very, very entry, and then you can you can roll up to the larger larger certifications.


But you know, one thing I wanted to kind of talk about is why don't we kind of go through, Dawn, some of the steps of how to implement, you know, HITRUST in the organization, because I'm going to go ahead and dive into kind of more of the nuggets that I learned from the conference, and we always start with assessment. So, assessment's always the first one.


So we have to start with the audit, we have to go through the assessing. So, just like we do with HIPAA, it's like we do with SOC 2 or ISO, we're going to start with the assessment and go through there, and then next up is the framework mapping. That's the big one.

Speaker 3:



So the framework mapping, Dawn, why don't you talk about that? Because you're the puzzle person. Actually, the majority of our team are the puzzle people and I'm not. The control mapping and the framework mapping, what's that step about in HITRUST world?


Thank you for asking, that's good. So, really, what this is, is, oh, I got clapping, this, it's really what controls, policy procedures, controls that are already in place, which need to be implemented or enhanced. So you know, if you're coming from a SOC 2, then you're gonna have some things implemented and controlled, and that's why the important thing is mapping, because you don't wanna double-do stuff that you don't need to do.


If you already have a certain security control implemented with a policy, you don't need to do it again. You just need to identify it, map it over and provide that evidence with the HITRUST assessor as well. So, yeah, yeah.


Yeah, control is big and so we blend our niches. We're not the traditional compliance auditing firm, we're not just a platform, but we have a platform and we marry that to our white glove concierge service.


That's what we do so we fit that middle there and the platform does the control mapping because we have done a lot on spreadsheets and I do not like Excel, but we do a lot. We've done this before we have mapped, we have macroed, we have done all this, we've did some web and now we're using AI and other tools to map it and it's doing very good.


So let me back up a second. Since we are, exactly. I heard that a lot this morning because it was trashy, it was garbage-deling. Since we're kind of diving in a little bit, let me just describe the three types of HITRUST.

Speaker 3:

Oh, okay, so let's step back to go forward, just do it.


So the new one this year is the HITRUST Essentials, and what that is, it's a one year and it's called e1: small e, number one. That's, yeah, so that's what it's called, HITRUST Essentials. Then next you've got HITRUST Implemented. This is one year as well, and it's a small i, one. And then you've got HITRUST Risk-based, it's a two year and that's small r, number two.


The very specific on the capitalization or non-capitalization, very specific.


Punctuation, yes, so not to get. Not gonna go into the specifics.


We'll dive into those later.


Yes, that is just, we've got just e1, i1, r2. And as a customer, really you're not gonna be like, how, I need that. Basically, we're gonna present the solution that's appropriate for your organization, whichever one of those three it may be. Okay, so yeah, so I just wanted to state that real quick. Okay, I'm glad you went back to that. So yeah, all right.


Now for control mapping, and now for each of those with the little e's and little r's, is the documentation. That is huge. So, document, document, document. Everybody knows that. People don't do it. So what we've done in the platform is we have the documents, we have the frameworks, but we have to customize them. You don't leave them templated, people. You've got to customize those. So, instead of saying the company will restore data from Cloud Source, the company name will restore data from which Cloud Source. It'll be very specific.


Because the best DR plans I've ever seen or created, is you should be able to hand that over to anybody, anybody on the street, and they should be able to know how to access the data securely and restore it properly.

Speaker 3:

Right Yep.


Right. What about training? You love the training and awareness.


Oh yeah, training. So this is, so training. If you're one of our HIPAA customers, you're like, oh, I know HIPAA training, you watch this HIPAA fundamentals video, blah, blah, blah. You know, what do I have to know? What's PHI? What's ePHI? This is a little bit different. So for.


SOC 2, for ISO and for HITRUST, the training is not only that. Yes, you still need to know HIPAA. You still need to know those regulations. You know, cybersecurity. So we have great cybersecurity training that basically gives you an overview of kind of what to look out for, cyber threats, ransomware, all that kind of stuff. Also, but what is extremely important with these higher end certifications, including HITRUST, is you have to foster the culture of this awareness in your organization.


So, by doing that, you actually will train your employees on the policies and procedures that are pertinent to them.

Speaker 3:



Do they need to know all 200 or whatever, you know, number of policies? There is, no, but there are certain ones and we help you with that. There are certain policies and procedures that your staff will need to know. The assessor will actually ask you for evidence that you have trained them. Usually we create like an attestation, like the staff has seen these policies and procedures, they understand them and they've seen them, they know where they are and they have access to them, so on and so forth. So that is big with these higher end certifications, is the awareness of those policies and procedures.


Yep. So yeah, that is very important. So you got to make sure they're aware, and you know we're big about, yes, we do the training, but also it's up to the teams to get together and say how does this pertain to my job, how does this pertain to my role of doing this? Those are very key. Make it transitional and relational, and then we prep for certification and then move to the audit. So prep, prep, prep, prep, prep, prep, and then you prep again, and then you prep again.


Yep, yep, and along this way too, let's not skip over the testing and validation. This is penetration testing, vulnerability scanning. We have two great folks we work with that do this, that perform this. There are all different levels of this. External, internal, IPs, you know, network scanning. You know, all sorts of stuff, depending on what level of certification you're getting in HITRUST, SOC 2. So that depends on if you need monthly vulnerability scanning. You need yearly penetration tests. You need all of it.


You get all that kind of stuff so again, but it is very important, very important as part of the auditing process is that testing, yep, yep.


It's very important, and so we provide that readiness, we put it all together, we get things set. We actually pre-test you, if you will, before you go for the large test or the external tests. So the external audit comes through and then the external auditor will present the findings, his or her findings, to the board, to the actual accreditation board.


So this is why it is expensive and this is why there's multiple steps, and it is worth the money and it's high value: you do the readiness internally, then that gets sent to external, and then the external presents to the alliance and then they approve, or I rarely see them deny these. They can go back to say, hey, complete these steps, verify this, show me more evidence of this, because they also want to get it out the door as well.

Speaker 3:

So those are the key pieces, so.


I'm excited because I'm going to have a lot more information when I return from the collaboration conference here in Dallas.


Yes, so look for more of that. That's it. We'll put it all together next week.


Well, I think it's the pod.

Speaker 3:



Are we done?

Speaker 3:

I think we're done. I think we're done. We did a lot. We did a lot. HITRUST, it's a big nugget, I know.


All right. Well, that's pod Out. See you later. Bye-bye.


Or maybe later.

