As we mentioned just a few days ago, data security is increasingly top of mind for every business, but especially for B2B SaaS companies. Data breaches are becoming more common and present an existential threat: losing control over sensitive personal information can result in lost reputation, churn, class action lawsuits, fines from regulators, or literally closing up shop.
I’m very happy to announce that Aptible has achieved HITRUST CSF Certification for Enclave and Gridiron. This post shares a bit more about what this means and how you can think about your own path to certification.
In healthcare, HIPAA is the dominant regulatory framework, but it has two basic shortcomings:
Lack of standardization: Because HIPAA regulates a large and extremely diverse set of businesses (perhaps close to 1M covered entities and business associates nationwide), it necessarily leaves a lot of room for interpretation. As just one example of many, HIPAA doesn’t address multi-factor authentication at all, except through general requirements to appropriately safeguard data. As a result, SaaS companies are routinely asked for independent verification that they exceed HIPAA requirements and implement best practices and industry standards for security and privacy management.
Lack of independent assurance: SaaS companies are often asked for independent validation that they meet HIPAA requirements, but there is no official HIPAA certification or validation. HHS runs an audit program, but you cannot opt into it.
Enter the HITRUST Alliance and the HITRUST Services Corp. The HITRUST Alliance is a non-profit that develops the Common Security Framework (CSF), which is based on ISO/IEC 27001 and integrates HIPAA, HITECH, and a variety of other state, local, and industry frameworks and best practices. HITRUST Services Corporation is a for-profit that works with independent CSF assessors to validate the implementation and efficacy of the CSF.
HITRUST has three levels of assurance for the CSF, each of which corresponds to a report:
Self-Assessment is what it sounds like. HITRUST performs QA on the report, but all of the attestations are supplied by you.
Validated Assessment is where you work with an authorized CSF Assessor following the CSF Assessment Methodology.
Validated Assessment with Certification is available when you demonstrate a certain level of maturity for each in-scope control.
To earn certification, you have to demonstrate to your assessor’s satisfaction that all of your required controls have met certain maturity levels. HITRUST implements this through a scoring system. The full HITRUST CSF Control Maturity Model is described starting on page 9 of HITRUST’s “Risk Analysis Guide for HITRUST Organizations”. In particular, see the scoring example starting on page 16.
I’ll summarize and provide another example here.
First, you work with your assessor to determine which controls are in scope, based on certain risk factors that HITRUST deems relevant, such as how much HIPAA PHI you process, your organization size, etc. (see “Assessment Scoping” in the CSF Assessment Methodology). Controls are organized across domains such as access control, asset management, and risk management.
Each in-scope control is scored against five maturity levels (policy, procedures, implementation, measured, managed), organized progressively and each carrying a weight. For each level you receive a score of 0, 25, 50, 75, or 100 (non-compliant through fully compliant) based on how well you have met the control’s requirements for that level. Your overall maturity score for the control is the sum of the weighted level scores.
I’ll use the same category of example as the HITRUST Risk Analysis Guide, device encryption, adapted slightly for startups.
Policy (weight 25%): Policies for the control are in place, managed, and communicated to those affected or responsible. Example: you have an official policy that says you will encrypt all laptop and workstation filesystems with strong crypto, and enforce it with mobile device management (MDM). The policy is signed by management and has been distributed to the specific individuals you have assigned responsibility for managing security, and laptops/workstations in particular. Score: Fully Compliant, 100.
Procedures (weight 25%): Procedures for the control are in place, current, and communicated to those affected or responsible. Example: you have internal procedures documenting how to configure JAMF Now, your MDM provider. JAMF Now only works with Mac devices, though, and you have one old Windows server running some ancient on-prem software you really need for processing PHI. It can’t be enrolled in JAMF. Score: Mostly Compliant, 75.
Implementation (weight 25%): The control is actually in operation as the policy and procedures describe. (The original table omits this row; its weight and example score are taken from the calculation below.) Score: Mostly Compliant, 75.
Measured (weight 15%): Control tests, self-assessments and audits are performed, and metrics are collected. Example: you check MDM enrollment status sometimes, but not on a regular basis. Score: Somewhat Compliant, 25.
Managed (weight 10%): Controls are adjusted and matured over time. Example: Windows MDM is just something you haven’t gotten around to yet, and you don’t use any metrics from JAMF to make decisions or improve security. Score: Not Compliant, 0.
In this example, you’d score:
(100 for policy)(.25) = 25
+ (75 for procedures)(.25) = 18.75
+ (75 for implementation)(.25) = 18.75
+ (25 for measured)(.15) = 3.75
+ (0 for managed)(.10) = 0
= 66.25
You’d then convert that maturity score to a rating scale for CSF certification (see p. 21 of the HITRUST Risk Analysis Guide). In this example, a maturity score of 66.25 would convert to a Level 3+ maturity rating.
To obtain certification, you must attain a Level 3+ or 3 with a corrective action plan for each required CSF control.
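To make the arithmetic above reusable across a whole control set, here is a small scoring and gap-analysis helper. It is an added illustration for this post, not HITRUST’s tooling or the MyCSF scoring engine. The weights and the 25-point score bands are the ones described above; the rating-scale cutoffs (which score maps to 3, 3+, and so on) are not reproduced here, so the target score is a parameter you supply from the Risk Analysis Guide, and the `target=70` used in the demo, the control names, and the scores other than the device-encryption example are constructed placeholders.

```python
"""Weighted maturity scoring for HITRUST-style controls.

Added illustration for this post, not HITRUST's own tooling. Weights and the
0/25/50/75/100 score bands follow the post; the rating thresholds are not on
the page, so callers pass in the target score they need.
"""

# Maturity levels and weights as described in the post (they sum to 1.0).
WEIGHTS = {
    "policy": 0.25,
    "procedures": 0.25,
    "implementation": 0.25,
    "measured": 0.15,
    "managed": 0.10,
}

# Scores are awarded in 25-point steps, non-compliant through fully compliant.
VALID_SCORES = (0, 25, 50, 75, 100)


def maturity_score(level_scores):
    """Return the weighted maturity score (0-100) for one control.

    level_scores maps each maturity level to a score in VALID_SCORES. Unknown,
    missing or off-scale entries raise ValueError so a typo in a spreadsheet
    export cannot silently inflate a score.
    """
    if set(level_scores) != set(WEIGHTS):
        raise ValueError(f"expected levels {sorted(WEIGHTS)}, got {sorted(level_scores)}")
    for level, score in level_scores.items():
        if score not in VALID_SCORES:
            raise ValueError(f"{level}: score {score!r} not in {VALID_SCORES}")
    return round(sum(WEIGHTS[lvl] * s for lvl, s in level_scores.items()), 2)


def headroom(level_scores):
    """Points still available per level (weight x distance to 100), largest first.

    This shows where the cheapest remaining points are: a 0 on 'managed' can
    only ever yield 10 points, while a 25 on 'measured' leaves 11.25 on the table.
    """
    gaps = {lvl: round(WEIGHTS[lvl] * (100 - s), 2) for lvl, s in level_scores.items()}
    return sorted(gaps.items(), key=lambda kv: kv[1], reverse=True)


def gap_report(controls, target):
    """Score every control and return those below `target`.

    controls maps control name -> level_scores. `target` is the maturity score
    you need for certification (hypothetical here; take the real cutoff from the
    rating scale in HITRUST's Risk Analysis Guide). Returns a dict of
    control -> (score, points_short, headroom list).
    """
    report = {}
    for name, scores in controls.items():
        score = maturity_score(scores)
        if score < target:
            report[name] = (score, round(target - score, 2), headroom(scores))
    return report


# Constructed sample: the post's device-encryption example plus two made-up
# controls so the report has something to compare against.
SAMPLE_CONTROLS = {
    "device encryption": {"policy": 100, "procedures": 75, "implementation": 75,
                          "measured": 25, "managed": 0},
    "mfa for production access": {"policy": 100, "procedures": 100,
                                  "implementation": 100, "measured": 0, "managed": 0},
    "vendor risk reviews": {"policy": 50, "procedures": 25, "implementation": 25,
                            "measured": 0, "managed": 0},
}

if __name__ == "__main__":
    for name, scores in SAMPLE_CONTROLS.items():
        print(f"{name}: {maturity_score(scores)}")
    # Placeholder target; substitute the cutoff from the rating scale you use.
    for name, (score, short, room) in gap_report(SAMPLE_CONTROLS, target=70).items():
        print(f"  {name}: {score}, {short} short; biggest headroom: {room[0]}")
```

Running it reproduces the 66.25 for the device-encryption example and shows that the largest unclaimed chunk of points for that control sits in the measured level (regular MDM enrollment checks), which is exactly the kind of “where should we spend the next week” answer a gap analysis is for.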
First things first: you need to have some kind of formal security management function in place, or a plan for developing one. You are going to need to designate security responsibilities, establish formal policies, perform formal risk analysis, train your workforce on the security and compliance issues relevant to their roles, and conduct regular security management tasks and checks, such as vulnerability scanning and penetration testing.
Note that the rating scale is weighted so that if you are fully compliant (100%) on policies, procedures, and implementation for a control, you score 75 points, which rates as 3+. In other words, if you nail policies, procedures, and implementation across the board, you have a path to certification and give yourself a strong foundation for improving your security posture over time by layering in more monitoring and management.
A standard certification strategy usually starts with a CSF Self-Assessment. Given that we dogfood our own Gridiron platform for HIPAA, GDPR, ISO 27001, and SOC 2 compliance, we had a major head start on the HITRUST CSF requirements.
Things to be aware of as you budget and assess whether certification is feasible:
Each HITRUST report has a fee ($3,750-$7,500 each, depending on your organization)
You must purchase a HITRUST MyCSF subscription (starts at $10k/year)
Your assessor will have their own fee schedule (likely the bulk of your cash costs; shop around, as prices vary widely)
A standard assessment strategy would be to start with a facilitated self-assessment, to use as a gap analysis. You’d hire your assessor or another facilitator, purchase a subscription to MyCSF, and purchase a self-assessment report. When you are ready to proceed to a validated assessment with certification, you’d purchase another validated assessment report and work with your assessor as described in the section above.
This whole Internet/cloud/software-eating-the-world thing doesn’t work without trust. Our mission at Aptible is to help developer teams protect sensitive data. Adding HITRUST CSF Certification to our assurance programs for ISO 27001 certification, SOC 2 Type 2 auditing, HIPAA and GDPR/Privacy Shield makes Aptible Enclave one of the most heavily audited container platforms anywhere. Compliance is not security, and confusing the two is dangerous, but independent verification of security management in the form of certifications and audits does help build trust, and is increasingly a critical requirement for B2B buyers.
If you are a B2B SaaS company, using Enclave is the fastest way to fly through vendor security assessment, risk questionnaires, and other steps in the B2B sales process. Your customers will accept our certifications as evidence that your Enclave architecture is managed according to the most stringent security best practices.
If you are interested in HITRUST Inheritance for Enclave, please let us know.
Gridiron is a SaaS platform for security management. Customers use it to build and manage security programs that meet and exceed protocols like HIPAA, GDPR, SOC 2, and ISO 27001. The HITRUST CSF is separately licensed by HITRUST and is not available in Gridiron by default. Please contact us if you would like to use the HITRUST CSF in Gridiron.
You can view Aptible’s standalone HITRUST CSF certification letter for Enclave and Gridiron here.
Because the full Validated Assessment Report contains sensitive information, we cannot share it publicly. We are however excited to share it with customers and partners. If you’d like to get a copy of our report, or if you’d like to learn more about the HITRUST CSF, please let us know.