Practical Cybersecurity with Jen Stone
Practical Cybersecurity, hosted by Jen Stone (MCIS, CISSP, CISA, QSA), is the bridge between complex security frameworks and real-world business implementation. Whether you are a "Jack of all trades" IT manager or a business leader with limited resources, this show provides the roadmap to a defensible security posture.
Protecting the House: Why Asset Management and "Storytelling" are Keys to HITRUST (ep.5)
Episode Summary
In this episode of Practical Cybersecurity, we dive into the complex world of HITRUST certification. Often called the "gold standard" for healthcare security, HITRUST can be a daunting mountain to climb for small and large organizations alike. Jen Stone and experts Peter Briel (Privaxi) and Lee Pierce (SecurityMetrics) break down why scoping is your best friend, why screenshots aren't enough, and why you should never try to "button things down" before talking to an expert.
Key Discussion Points:
- What is HITRUST? Unlike HIPAA, which lacks a formal certification, HITRUST integrates multiple standards (NIST, ISO, etc.) into a "beefy" framework. It provides a definitive answer to security and compliance inquiries in the healthcare space.
- The Three Levels of HITRUST:
  - E1: The entry-level, static 44-control assessment.
  - I1: The "leading practices" assessment with roughly 180+ controls.
  - R2: The risk-based, "gold standard" that requires heavy factoring and scoping.
- The "House Alarm" Analogy: You can't protect a house if you don't know how many windows and doors it has. Asset management is the foundation of security; if you don't know what hardware and software you have, you can't secure the perimeter.
- Common Pitfalls in Certification:
  - Overscoping: Fear often leads companies to include too much in their audit, driving up costs and timelines unnecessarily.
  - Weak Evidence: Assessors need a "story," not just a screenshot. Evidence must be consistent, repeatable, and include clear date/time stamps.
  - The "Never Happened" Trap: Even if you haven't fired anyone or had a breach in years, you must have a documented, tested process for how you would handle those events.
- The Importance of Readiness: The "separation of duties" means your auditor can’t also be your consultant. Engaging a readiness team early helps you build the foundation correctly the first time, rather than tearing down finished work to meet compliance standards later.
Expert Tips for Success
"Don't build it and then do readiness afterwards." — Lee Pierce
Start the conversation while you are still building your solutions or migrating to the cloud to ensure encryption and segmentation meet the standard from day one.
"Don't rush... it’s not a check-the-box exercise." — Peter Briel
Focus on building a solid foundation. HITRUST isn't just about the certificate; it's about actually protecting the environment.
Resources Mentioned
- SecurityMetrics Website: Visit for a quick HITRUST cost assessment and to connect with the readiness and audit teams. https://www.securitymetrics.com/hitrust
- Factoring Tools: Resources to help determine whether you need an E1, I1, or R2 assessment.
A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.
If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place
But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/