S3 E34: A HITRUST Certification Story


Transcript


Jordan Eisner  

Great. All right. Well, here we are, another episode of Compliance Pointers, joined today by a special guest and an external guest, Kelly Stevens, who’s the Executive Director of Compliance and Marketing Communications at Compu-Mail. And she is a client of CompliancePoint going on a few years now. Hey, Kelly, how are you?


Kelly Stevens  

Jordan, I’m doing well today. How are you?


Jordan Eisner  

Doing well. I’m excited to have you on.


Kelly Stevens  

Well, I’m excited and honored to be here today.


Jordan Eisner  

And I think our listeners and viewers will appreciate hearing from a source, someone who’s actually been through HITRUST multiple times, understands this certification game, understands not only, you know, compliance and badges and being able to show compliance,
but also the security requirements it takes to get there and the herding sheep and just what an exercise it is for an organization to become HITRUST certified, or some of the other things that Compu-Mail does.
And it’s not just knowing the T’s and C’s and security controls, but it’s a lot of project management as well too. And I think that’s why they brought in you, the heavy hitter, initially, if memory serves me right on the HITRUST journey, right?


Kelly Stevens  

That is correct. Yes, our organization actually started the HITRUST journey before they added me on as a kind of the project manager of sorts. You’re right.


Jordan Eisner  

Yeah.
And how long have you been with Compu-Mail?


Kelly Stevens  

I just finished four years.


Jordan Eisner  

Four years. OK, Congrats. That’s good. That’s a long tenure these days.


Kelly Stevens  

It is. Although my previous employment, the tenure was even longer. I do tend to be very loyal and stick around.


Jordan Eisner  

Oh yeah, no doubt for you. I just mean people in general. You know, it seems like four years nowadays at a company, that used to almost be standard, but now it’s a long time, and I know that Compu-Mail is lucky and happy to have you.


Kelly Stevens  

Well, thank you. I feel fortunate to be there. I work with a great group of people and all of our audits, whether it’s the HITRUST audit or a different audit, couldn’t happen unless, you know, we go back to the old saying teamwork makes the dream work. There’s no I in team. That’s absolutely one.


Jordan Eisner  

Tell us.


Kelly Stevens  

True, I couldn’t do all the things that I do for our certifications if I couldn’t trust and rely on all the people that I work with every single day.


Jordan Eisner  

Yeah, well said. And for our listeners and our viewers too, give them a quick overview of Compu-Mail, what it does.


Kelly Stevens  

Hey, so at Compu-Mail LLC, we’re located out of Grand Island, NY. We are a full service direct mail marketing company. One of our priorities is focusing on data security, and to us it’s very important to have that security audited by a third party so that our clients and our prospects know we’re not just saying we do these things.
It is trusted and validated that we are doing these things to make sure that when they hand us their data, it’s safe in our hands.


Jordan Eisner  

Well said again. All right, this is going to be a good podcast. I want to just add a little bit to that. I want our listeners and viewers to know, when talking about your title, you’re Executive Director of not only compliance but also marketing communications, which is an interesting one.
But I like what you put about yourself. You ensure stringent regulatory compliance and you secure key certifications, but also, at the same time, it’s kind of a right-brain, left-brain type thing. You help craft impactful marketing strategies that effectively communicate the company’s mission.
You know, that’s unique. Before we get too into the questions, what do you think allows you to be able to do that? You know, really crack the whip on one side, and being, I would say, very probably type A on security controls and compliance, while also doing marketing and creative strategy.
You know, that certainly requires a creative mindset. How do you blend those two, or how do you maybe have multiple personalities to perform both of those functions for the business?


Kelly Stevens  

Well, thank you for that, Jordan. You’re not alone in that. A lot of people, when they hear my title, they’re like, wow, marketing and compliance. Like, that’s two different sides of the coin, right? On the marketing side, I get to be my happy-go-lucky cheerleader. You know, I get to market Compu-Mail and our services, and I have a lot of fun doing it. That’s where my artsy side kind of shines.
When we learned about HITRUST and we learned about all the controls and what was needed, that’s where I knew I had to put on kind of a different hat. And in a small business, you do have to sometimes wear multiple hats. Now, as a mom,


Jordan Eisner  

Yeah.


Kelly Stevens  

You know, I know what it’s like to try to have to get little ones to try to do the things that they may not necessarily always want to do. So, you know, some of that comes from that kind of skill set as well, where I have to make sure that we’re managing everything from start to finish, making sure that we’re getting it on time, making sure we’re getting what our auditors need,
and making sure that it gets, you know, organized in a fashion that we can find it pretty easily. You’re right. I’m very type A. You’re not the first person to tell me that, and you won’t be the last. And I am. I’m very, very organized. Some might even call it like obsessive compulsive disorder.
You know, in terms of everything has to be in the right place, but I think that allowed us to be successful all along our journey, no matter the certification.


Jordan Eisner  

Yeah.
Sure.
All right. Well, I think that’s a good overview. I think we can segue into the questions regarding HITRUST, which is mainly what we want to talk about today. And for any listeners or viewers unfamiliar, HITRUST is an information security framework that organizations can certify against.
It really was born out of the healthcare industry, or some people would label it that way, myself being one. And it’s pretty common amongst health tech and health software organizations that aspire to work with big covered entities, whether those are healthcare service providers or maybe large insurance companies.
And so we see it a lot in that space, but it’s a very robust framework for security controls, physical policies, procedures, technical controls, and it has a scoring mechanism, and it’s strict, and it’s, I’ll say, a big task.
You know, organizations can do it, but you’re not going to fall into it. You need to be organized, to Kelly’s point, maybe obsessively, to be able to get the controls in place and meet the mark. And so CompliancePoint is a HITRUST-validated assessor, which means we can actually perform the audits and submit those to the HITRUST organization and recommend organizations for certification.
We also help on the readiness side too. We’ve worked with Compu-Mail in the auditor perspective for a number of years now. So some of this we already know, but we thought it would be really, really good to hear for our audience.
So, you know, tell us about your history with HITRUST. You gave a little bit of a sneak peek that you were brought in to really help, I think, get it back on track within the organization and accomplish this. But yeah, walk us through that, your first initial days with HITRUST, maybe the initial cert, and where you are now.


Kelly Stevens  

OK. So two years ago we started, maybe 2 1/2 years ago, we started our HITRUST journey, and that kind of began with the initial connection to CompliancePoint. We worked with a couple of different auditors where they interviewed us to find out what are we already doing?
Not just what are we doing, but what are we already having to supply evidence for? Because we already had some other certifications underneath our belt, and that process can take anywhere between six months and six years, you know, to kind of get through everything. It all depends on a lot of factors.
Number one, do you know what it looks like to go through a certification process? Are you working with or against your auditors? You know, our auditors audited everything we had, but they also offered us some golden nugget tidbits to say, here’s how you could bolster this, you know, and we saw that as an opportunity
and took advantage of that because that further enhances our environment and our data security. How are you organizing all of your data? That’s really critical. And how many people can you put on this team? You know, I was a party of one.
So there wasn’t anybody else to add to the team, but I have other people that I had to gather evidence from. I had to gather evidence from my HR team, from our IT team. They took the biggest lift from a lot of our data and client services teams, from our sales teams, accounting, everybody. I don’t think there’s anybody in my organization that I didn’t gather evidence from,
and learning who those people were and asking them for it, maybe asking them again, maybe asking them again, but making sure that you get it from them and then keeping everything organized.

Initially I started by downloading all of the controls. I wanted to understand what each of the domains is, and there’s a lot. There’s 19 different domains. And what does the domain cover? What are those different controls? Now, when we did it,
HITRUST was in like version 9 point something, and we had interviewed through all the 9 point something, and then they came out with 11.0, which was a drastic difference. So then I had to download the 11 controls and compare and contrast. Was it going to be beneficial for us to get our very first certification under 11,
or do we go ahead and proceed with the 9? We decided let’s go ahead and pivot and go to the 11 because it looked like, you know, they were just going to keep building from there. So why go with the 9? We worried a little bit because we worried that that was going to delay our certification, but


Jordan Eisner  

Sure.


Kelly Stevens  

in reviewing everything, I felt like it strategically put us in a much better place. So we went ahead and did that. We had already pulled a whole bunch of evidence for 9, some of which we still needed, some of which we could, you know, kind of do away with because those controls went away.
That’s kind of how we did that, and we were able to achieve our first certification in less than 18 months.


Jordan Eisner  

Yeah.
Yeah, and you were talking about the different domains, and I believe this is the recertification for the R2 certification, right? Or was it I1?


Kelly Stevens  

We’re in I1, we’re in I1.


Jordan Eisner  

OK, I1. I1. Yeah, I1. OK, got it. OK.


Kelly Stevens  

Yeah, I1.
R2 is where we want to migrate to, but when we were first starting the journey, the E1, the I1 and the R2 didn’t exist. It was, you know, there was no E1 at that point. So we started with the I1. We do want to eventually aspire to R2, but what I wanted to do is, after we got through


Jordan Eisner  

OK.
I remember.


Kelly Stevens  

our initial certification, and then we did a rapid recertification, which was just a random sampling of controls. And then this year we are just wrapping up our full recertification. That’s what I wanted under my belt before we migrated to the R2. Now my team of auditors,


Jordan Eisner  

Yeah.


Kelly Stevens  

auditors at CompliancePoint, know that that’s kind of our vision for the future, so we’re already strategically preparing for that.


Jordan Eisner  

You’re talking about, you know, collecting all this information from the vast ends of the organization. Accounting and, you know, was one that you mentioned I thought was funny. IT, you know, bore a lot of the burden. Where were you storing all this information? Just internally in spreadsheets? Is there a tool you leveraged? How did you manage it all?


Kelly Stevens  

We used a lot of tools.


Jordan Eisner  

And now here you are on recertification, so obviously you had to reuse it. So sorry I talked over your answer, I added to it, but what was it you said?


Kelly Stevens  

We used a lot of different tools, so when we first started we were using Microsoft Planner, and what I did was I organized each column to be a domain. So one column was like Domain one, and then I had the first control, and then I listed in there the people that I needed for that, and then I wrote down what I needed from each person.
And with that you could also tag them, so it would automate an e-mail to them. If they needed support with that, I would schedule meetings with them so that they could understand what they needed to pull and what was needed. Sometimes we went back and forth quite a bit with people because it was our first time. We didn’t really always know what we needed.
Especially if it was someone who was new to the certification process. Maybe they weren’t pulled in previously to supply evidence. Those that were pulled in previously for like our SOC, for example, they knew what they had to pull because they’d had to pull similar beforehand.
I also utilized a Microsoft Excel spreadsheet, so I had every single one of the controls listed in that spreadsheet, and I assigned every piece of evidence a CM unique ID number. CM stood for Compu-Mail.
So everything says like CM1 or CM2 or CM3, and everything for that Domain number is named the same number. So if I need something for, let’s say, Domain one, I can’t even say that it’s a control number like 1.1 because they all have very unique naming conventions with HITRUST.
If you start that journey, you’ll see exactly what I mean. But everything for that whole, you know, Domain and specific control is going to be for CM one. And that way I know the following year when I do recertification, this is what I pulled for this. I need to go in and grab this, and it was super helpful for us to, you know, keep track of all of that.
And we kept track of every piece of evidence in our secure FTP site. So that way everything was secured. You know, we didn’t have to worry about anything leaking out.


Jordan Eisner  

OK.
Probably a pretty common approach, where you can see how it can get quite out of order if you’re not using tools and leveraging them in a certain way. But so you didn’t use a GRC platform or anything of that nature.
It was mainly internal tools that you already had at your disposal.


Kelly Stevens  

Yes and no. That’s what we used internally. We were in the process of vetting different options available to us to try to kind of help alleviate some of that manual burden a little bit.
And one of the options we were considering was a tool called Hyperproof. And when we did our rapid recertification, we piloted that with CompliancePoint. We have some features about it we really liked and some features about it that were pain points. This year as we’re doing the full recertification.


Jordan Eisner  

Noon.


Kelly Stevens  

and utilizing an application called Field Guide. Just like Hyperproof, this has things that we really like about it and some things that are painful.


Jordan Eisner  

OK. Yeah. And that’s through us, right? If you’re got there, yeah, they’re. But still in terms of how you’re maintaining your audit package or how you’re retaining all the.


Kelly Stevens  

Yes, both of them were through CompliancePoint.


Jordan Eisner  

Different evidence that you’re gonna supply at a recertification, your internal spreadsheets, Microsoft Planner, what you got? Yeah, yeah, good.


Kelly Stevens  

Everything is internal. Yeah, everything’s internal on that spreadsheet. You know, I keep track of everything on that micro.
And you know, we review everything annually. We strategically aligned everything so that our HITRUST recertification comes first because we have a whole lot of stuff to pull for that. And then following that we redo our SOC certification because a lot of the same evidence is needed.
But then SOC is gonna wanna pull something different. So setting that up, yeah, really set us up for success.


Jordan Eisner  

Marks.
Yeah. OK. So let’s talk about some of the challenges you faced then, you know, that you encountered through the process and how you addressed those. One sounds like, you know, multiple follow-ups with people, but what other challenges did you come across in the initial cert,
maybe even with recertification, and how did you work around them or through them?


Kelly Stevens  

So one of our challenges I spoke about was, in the middle of our interviewing for our initial certification, the pivot from version 9 point something to version 11. That was a pretty big challenge for us because we no longer needed a lot of the evidence we’d already pulled.


Jordan Eisner  

Sure.


Kelly Stevens  

But then there were some new controls that we now had to go and gather evidence for. One of our other kind of like drawbacks: during the time we were working with a couple of different auditors from CompliancePoint. We didn’t have one dedicated one at that point.
Our account manager recognized that maybe it would be more beneficial if we had a dedicated account rep with some other supporting reps. Once that changed, that really kind of maximized everything pretty quickly, and we developed a great relationship with our auditor. You know, even though he moved on to bigger and better things, you know, of course we desperately miss him and we wish him nothing but the best. We miss him every day, and we love our new team, but he was really great. You know, I mean, I can’t say any of our team has ever been awful. I mean, they’ve all been absolutely fabulous people to work with, and they all have their
unique skill sets and areas of expertise that have greatly benefited us.


Jordan Eisner  

Yeah, that’s good to hear. OK. So, you know, maybe having to work with multiple auditors at once was a little bit of an issue, changing, not necessarily in the middle of the audit, but at least in the early stages. But you had done some work towards 9 and then you had to move to version 11. OK.


Kelly Stevens  

Yeah.


Jordan Eisner  

Anything else ring a bell or you’re just so organized that after that it was smooth sailing for you?


Kelly Stevens  

I wouldn’t say that. I mean, it’s a big-time commitment. Whether you’re going through the initial certification or the recertification, it’s a big time commitment. The organization of, you know, all of our pieces of evidence really did save us quite a bit of time.


Jordan Eisner  

Yeah.


Kelly Stevens  

You know, as we’re going through our recertification, I’m very easily, you know, able to pull up this is what we pulled last year or this is what we pulled the year before. You know, I need to reach out to this person to make sure that I secure it once again. So not only do I know what I need, but who I need it from.


Jordan Eisner  

You know, an unintended consequence, not necessarily negative, but maybe positive. I don’t know. We’ll see of this podcast. If too many people hear about how you’ve been able to organize it just using internal tools, they’re going to want to know a little bit more about that, because, you know, a lot of companies are using GRC tools,
something internally as a repository for the policies, for the procedures, for the evidence of the controls to go about it. But it doesn’t seem like there’s really a need here as long as they’ve got you and you’ve got your systems.


Kelly Stevens  

Now, Jordan, I have been trying to get one. You’re going to put this down for now. It would, it would help alleviate some of the manual labor that we have to do, right? Right. Absolutely. Because I have to physically go into those controls and say, OK, here’s the


Jordan Eisner  

And your uh.
Oh no.
So time again, right? Could reduce time, yeah.


Kelly Stevens  

piece of evidence I need, and here’s who I need it from. I would love it if I emailed everybody in my organization the first time I asked for something and they supplied it to me right away. That is often not the case because they’re juggling other things that are priorities on their plate, and they may mean to get back to it, and they may not.


Jordan Eisner  

Yeah.


Kelly Stevens  

And that’s why sometimes I may have to reach out to them a second, a third, a 10th time, you know, at times to get things. That’s a lot of manual time and follow up. If I had some kind of tool that could automate some of that, that would, you know alleviate a lot for me. We also have more certifications than just HITRUST. HITRUST is just the next one in our lineup. It would be nice if we had a tool that said, you know, here’s all the different controls and here’s all the evidence that aligns with it. That would make things a little bit easier.


Jordan Eisner  

There we go.
Sure.
Yeah.


Kelly Stevens  

So I would love one of those, but I don’t have one of those. You know, that’s on my wish list. But for now I do the best with the tools that I do have, and I make, you know, use of what I can have, so.


Jordan Eisner  

Yeah.
Sure. Yeah. OK. Well put.


Kelly Stevens  

But I have all those companies reaching out to me often saying I see you’re HITRUST certified, let me show you what we can do. And they’re all great, but not something that we want to move forward with at this time.


Jordan Eisner  

Yeah.
Gotcha. Understood. OK.
You know, we had some other questions lined up to go through, and you’ve answered some of these in part, but maybe I’ll ask them again and maybe something else will come to mind. You know, the next thing we had talked about was what are procedures or strategies that you found to be effective. We talked about some of the pain points and things we struggled with. We talked about some of the internal tools and systems that you leveraged. Um.
What else maybe comes to mind from a procedural or a strategy standpoint that you think really helped Compu-Mail and yourself and the team be effective in achieving HITRUST certification, the timeline that you talked about earlier, I think less than 18 months, and
going through rapid recertification, and now going through your I1 recertification, what comes to mind?


Kelly Stevens  

So what comes to mind is something that people don’t often consider is the most valuable thing that you’ve got in your pocket, and that’s time. You know, looking at your, let’s say maybe you use Microsoft Outlook for your e-mail, looking at your calendar.
You know, people will schedule time with you, whether it be an internal or an external representative. Block time on your calendar to perform some of this work. You know, you may see on my calendar, Microsoft has this great feature called a focus feature. I think it’s under like Viva,
or I might be saying it wrong. It’ll automatically look at your calendar a week ahead of time, find a one or two hour block of time where you can focus on different tasks. It might be a variety of things, or, you know, I might strategically go into my calendar and say from this time to this time
I need to work on sending out HITRUST emails. I need to work on gathering this evidence. I also will use that to schedule time with different people and say, you know, Jordan, I need to supply some evidence from you. So let’s schedule this one-hour chunk of time. And during this one-hour chunk of time, we are focused and dedicated to gathering and supplying that evidence,
and I make sure that I get what I need, when I need it. Now there are times I don’t use that whole chunk of time that I have, you know, hoped for initially. And I love giving time back to people’s day as well. That way they can get other things done. That has been super helpful.


Jordan Eisner  

OK, calendar blocking. Got it. I’m a big proponent of calendar blocking because especially in today’s world where you’re getting text messages, you’re getting teams or Slack messages, you’re getting emails.


Kelly Stevens  

Yep.


Jordan Eisner  

Phone calls, and if you don’t designate some time to really focus on the strategic initiatives, your day will get away from you. You know, we’re on this podcast, I’m looking, I’ve got, you know, a Teams message, I got an e-mail unread, you know, and


Kelly Stevens  

That’s right.


Jordan Eisner  

obviously I need focus and undivided attention on this, this is very important. But, you know, if I was trying to work on something strategic and I can’t resist the urge to go check those, and then you’ve got to recalibrate back to what you’re working on, it can really, really
decrease, I think, productivity. So I think that’s a great point. Calendar blocking, and not just for HITRUST certifications, for everything. Some focus time. Yeah, yeah.


Kelly Stevens  

That’s right, anything.
Yeah, and actually while you said that, I looked down at my computer, and since the time we started this call to now, I have 9 Teams messages and 15 emails and one phone call that I missed. But I scheduled this, and I scheduled it to also make sure that I received no external, you know, notifications.

Jordan Eisner  
Oh, yeah.


Kelly Stevens  

I think I read an article not too long ago, and I wouldn’t quote me on this, you know, exactly, but I think the premise, you could, you know, get the gist of it. The American Psychiatric Association said that it takes the average person 17 minutes, once you’re distracted from something, to get back to the same level of focus
that you were at. Now that’s the average person. You know, if you’re someone that may be sitting at a computer all day, that’s a struggle for you, or, you know, keeping that focus, or like me working with numbers, like numbers make my brain want to throw up. You know, I like, you know, the words, because words to me are like my artsy side of my marketing hat.
You know, I like artwork, I like colors, things like that. Those are things that excite me. Having to work with those numbers and that data, it’s part of my day and it’s part of what I do.
You know, and I’m good at it, but I need to focus on it. I can’t have all those distractions. And turning on that focus time turns off those distractions. You know, I’m not getting the pings from all those other things, so that I can get what I need done.


Jordan Eisner  

Yeah.
Yep.


Kelly Stevens  

Done.


Jordan Eisner  

Yep, Yep, I got it. You gotta block it out. You gotta clear the time so you can focus. You’re not constantly having to recalibrate.


Kelly Stevens  

Yeah, yeah.


Jordan Eisner  

So I have a closing question, which is going to be what advice you would give other businesses, other persons going through certification with HITRUST really, but maybe others, or recertification. But before I ask that, and we get to a closing point, is there anything I haven’t asked from a HITRUST standpoint that, you know, you’ve thought about or you would comment on before that question?


Kelly Stevens  

I don’t think anything pertaining to HITRUST, no.


Jordan Eisner  

OK, well, let’s dive into that question then. So what?
You know, I’m reaching out to you, Kelly, or I’ve been introduced to you somehow as somebody that’s gone through not only one cert, but two certs and rapid recertification and SOC 2. Um, you’re very on top of it. You kept organized with it, and I’m thinking about going on HITRUST, and
I’m going to have to start down this journey of preparing, and you’re talking about an 18-month window or even a 12-month window. When you really think about that, and you think that you’re going to be working on a project for that long as a company, that’s intimidating.
Uh, what advice? What advice would you give?


Kelly Stevens  

It can be.
So there’s actually several things that I would give. Number one, do the research, like download all of those controls, get an understanding of what that’s going to look like ahead of time. Don’t try to do it yourself. I know there’s companies out there that try to do it themselves. I don’t know how successful they are. I personally have not spoken to
someone who did it themselves, by themselves. Really leverage the expertise of an external auditor. Find one you trust. I trust CompliancePoint. I’m always referring my team with CompliancePoint to other people, and I will continue to do that. We’re very happy with CompliancePoint.
I continue to get all kinds of emails. I’m not going anywhere. You know, we’re very happy with the service that we have, and we leverage the expertise that they give us so that we can better ourselves for all of our clients. I would also say define a project manager. That may not be their title.

You know, it’s not my title. My title when I first joined Compu-Mail was just marketing, and that’s all I did. But my boss, you mentioned, Jordan, herding the sheep. My boss, Anthony Marchione, who’s our president, said, Kelly, you do such a great job of herding cats, which, you know,
cats are very independent. They do kind of do their own thing. And he was like, I don’t think we have anybody else with your skill set. Could you take this on? Well, me being me, I’m like, sure, my boss asked me to do something, you know, I will absolutely do what I can.
Not knowing the full wealth of all of this, I had to do the research. So I met with my account representative, got a little bit more understanding, did the research myself, started to put together a plan, then started to put together the interviews, added the people that I needed to add. I think
you mentioned earlier on having that marketing and compliance hat to my role. I think having that marketing hat was really helpful because I have to market what is the importance of having this HITRUST certification, not just to our external stakeholders, but to our internal


Jordan Eisner  

Mm-hmm.


Kelly Stevens  

stakeholders. Whereas if I was only in marketing, I’m not going to know all that because I wouldn’t be involved with any of this recertification effort. I would be relying on what somebody else could supply to me. And I work with my IT staff every single day. I do not have a degree in cybersecurity or information technology.
I will fully disclose that. And there’s a lot of what they say and what they have to supply to me for all of our certifications that you might as well be speaking Greek, because I have no idea what they’re supplying me. I’m entrusting my experts,
you know, to give me what’s needed. If it’s not what’s needed, our external auditors say, you know, this is great, but we need this, or we need you to dig a little bit deeper for this. So I really need both of those hats to be successful at both, if that makes sense.


Jordan Eisner  

Yeah, yeah. No, I mean, just like the rest of your answers in this podcast, very, very well put. I think this is going to be a wealth of information for anybody looking to go through a HITRUST or even similar certification and starting out on the journey. So Kelly, thank you for your time.
