HITRUST & Data Security | Part 3 of 3
This is the third blog in a three-part series (Part 1, Part 2) discussing the Health Information Trust Alliance (HITRUST) certification, why it is essential for any business that stores and processes personal health information, and how a cloud-native data security solution is vital to achieving and maintaining certification. The first blog provided an overview of HITRUST certification and explained how a data security platform supports the process. The second blog discussed why HITRUST certification substantially reduces the risk to those acquiring healthcare and healthcare tech companies. This blog stresses the need for having a deep understanding of your data before starting the certification process and how a data security platform can help.
Unknown and Undocumented Environments
You must have a deep understanding of your environment before starting the HITRUST certification process. I can't stress this point enough. While gathering this information - provisioned services, who has access, backup status, etc. - may seem like basic IT hygiene, but several challenges exist. Poor documentation is typically the biggest problem. As discussed in Part 2, environments acquired through M&A require significant due diligence even to begin the information-gathering process. Security and compliance leaders often discover significant documentation gaps when stepping into new organizations. Finally, the Great Resignation left knowledge gaps in many organizations. Technologists who once fully understood an environment may have left for other opportunities taking that knowledge with them. Data dumps or knowledge transfers from departing personnel are often incomplete and insufficient for the remaining team to understand the environment fully.
Having unknown systems creates a security blind spot that can become an issue in the HITRUST certification process and a blind spot that threat actors could exploit. Mapping these environments is a costly and time-consuming exercise that usually does not occur unless driven by external pressure like an audit, certification, acquisition, or worse, a security breach.
Deluge of Data
Data takes time to map and document, but more importantly, understand. Years ago, data was housed internally, in company-controlled data centers, and easily located. The ubiquity of IaaS/Paas/SaaS, cloud sprawl, often with little to no documentation, shadow environments created outside the purview of the IT team, and mergers and acquisitions produced a deluge of data. Security and compliance teams often lack sufficient visibility into data locations, types, and security posture. This lack of visibility is a huge challenge for security and compliance leaders pursuing HITRUST certification.
Why a Data Security Platform is Essential for HITRUST Certification
With every project, one learns what to do differently the next time a similar project occurs. This ultimately leads IT and security leaders to create their best practices. If I had to start HITRUST certification again, I would ensure I had a data security platform before starting the certification process. A data security platform saves countless hours in gathering environment details and quickly provides insights as required during the audit and subsequent annual audit periods. Data security platforms help quickly map environments, show sensitive data locations, and provide auditable proof of changes and access rights. One may find that the overall cost of a data security platform is greatly offset due to the time and effort saved in the HITRUST certification process.