SaaS Vendor Trusts HBS as Cybersecurity Guide

Growth Through Compliance

As a SaaS (Software as a Service) vendor in the healthcare space, Command Business Partners (CBP) knew its future would eventually include the HITRUST Alliance’s Common Security Framework (CSF) certification. CBP, founded in 2017, provides a Complaints, Appeals and Grievances (CAG) solution for the health insurance industry. If members or providers feel payments or services are improperly denied, these cases are handled by payer organizations using CBP’s solutions.

That means CBP constantly handles sensitive Protected Health Information (PHI). For a while, Co-Founder Daniele Chenal says, they relied on their HITRUST CSF-certified data center to satisfy clients’ privacy requirements. But it soon became clear that CBP’s path to winning more clients and working with larger providers ran through a HITRUST certification.

“It’s definitely about opening up new opportunities,” Daniele says. “But it is also critical to us that we are doing things right. Managing peoples’ health information under the rigidity of HIPAA and other standards is daunting. So, we were looking for peace of mind first and foremost.”

What is HITRUST CSF?

Like other frameworks and compliance protocols (such as SOC 2®, PCI, HIPAA, and GDPR), HITRUST CSF provides objective criteria for measuring how an organization secures data. It also carries the added weight of third-party validation at its higher levels. That’s one reason that HITRUST CSF represents a major step up from the familiar HIPAA healthcare standard, which allows organizations to attest to their own security processes.

Many organizations complete the SOC 2® audit process before pursuing HITRUST CSF certification. Some focus on both in an integrated effort. For CBP, it made the most sense to focus on HITRUST CSF, since it’s the framework expected by CBP’s target clients.

In CBP’s case, the entire process took approximately three years as they weighed the investment and then proceeded through HITRUST’s three stages:

• Performing a self-assessment to determine readiness. (Many organizations also do a mock audit when they feel they’re almost ready.)
• Hiring a third-party auditor to perform a validated assessment.
• Waiting for the HITRUST Alliance to certify the information provided by the organization and the independent assessor.

Finding a Partner

Early in CBP’s HITRUST CSF research, friends in the industry suggested that they hire a consulting team to guide them through the process. They immediately recognized that as sound advice. “We always knew we’d have someone come in and help us,” Daniele says.

After seeking vendor references, CBP learned about HBS and started with an information security risk assessment to gauge the results and relationship. Satisfied with that process, CBP moved on to using HBS for incident response planning, including leading tabletop exercises. Convinced that it was time, CBP set out on the HITRUST CSF journey.

A Team That Gets Results

During a roughly year-long prep and review process, Daniele and Matthew forged a deep partnership. At the height of the audit period, they spent 4–5 hours every day on the phone answering auditors’ questions and requests for evidence. They managed the painstaking review of language in CBP’s policies, often revising lines word-by-word to meet HITRUST CSF requirements. They collected thousands of pieces of supporting evidence required by the auditors.

The work ultimately paid off. The auditor submitted their report to HITRUST, it passed the HITRUST quality-assurance process, and CBP received its HITRUST CSF certification.

For Daniele, one of HBS’s key value-adds was managing the daunting schedule and the list of to-do items that came out of every call with the auditor. “Matthew kept us on track to meet the timeline. It sounds too low-level to say HBS helped coordinate things, because it was really awesome.”