CHALLENGE
HealthcareData Company provides audit and research services that enable pharmacies, state agencies, and other health organizations to remain successful through proper data collection, management, and reporting. Given the nature of its business, HealthcareData Company handles millions of records containing sensitive personal information that must remain secure at all times.
HealthcareData Company often partners with clients, including healthcare plans, that require HITRUST certification.
In 2016, a key long-term client requested that HealthcareData Company obtain a third-party attestation regarding the strength of its security posture in protecting personal health information (PHI).
Knowing these requests were going to become increasingly common, Peter Ackroyd, chief information security officer for HealthcareData Company, realized the company needed to prepare if it wanted to continue providing services to the healthcare industry.
“I researched the who and the what with HITRUST,” explained Ackroyd. “Shortly after, I attended HITRUST Academy to learn more about the process. These activities began my investigation into the HITRUST, data security, and risk management world. Once I received more knowledge about the HITRUST process, I contacted several assessor firms to get a feel for costs and services based on the size and business needs of HealthcareData Company.”
After comparing four different companies, HealthcareData Company determined Coalfire was the best fit. “We looked at a number of assessors, but Coalfire was a natural choice for several reasons,” said Ackroyd. “Coalfire has built its healthcare practice around a ‘security-first’ mindset. On top of that, Coalfire is appointed to the HITRUST Assessor Council.”
APPROACH
Coalfire started the HITRUST engagement with a pre-assessment that introduced HealthcareData Company to project timelines, resource allocation, and the HITRUST Common Security Framework (CSF) methodology, and that covered characterization of the PHI environment, identification of applicable requirements, and assessment configuration. Coalfire provided a comprehensive list of documentation required by the HITRUST CSF and directed the company to upload its policy and process documentation to the CoalfireOne℠ portal, Coalfire’s cloud-based risk management and document-sharing platform.
During this time, Coalfire completed a HIPAA risk assessment for HealthcareData Company. Then Coalfire comprehensively reviewed the compliance documentation, performed a physical walkthrough, and conducted on-site sampling and testing on all operational and network infrastructure services and implementations within the corporate environment. After the on-site visit, Coalfire scored the implementation requirements using the MyCSF tool.
“Coalfire’s attention to service was bar none,” said Ackroyd. “My assigned HIPAA and HITRUST project assessors were very knowledgeable and professional. They were able to tell me what the requirements were looking for and how we needed to meet them.”
RESULTS
HealthcareData Company achieved its HITRUST certification in August 2017, and can now swiftly respond to client security assessment inquiries. “We have significantly reduced risks as we now do various things to maintain a dynamic security environment – from technical security to physical security and monitoring systems and compliance calendars,” said Ackroyd.