by Shane O'Neill

Trend Health Partners’ HITRUST certification strengthens security, builds customer trust

Nov 5, 2024

Healthtech companies thrive on trust. Healthcare providers want to work with companies that provide cutting-edge software and helpful customer service, but just as important, they need to trust that tech vendors will protect sensitive patient data.

One way to solidify customer trust is through cybersecurity compliance. As a growing healthtech company that helps healthcare organizations manage payments and revenue, Trend Health Partners has been laser-focused on HITRUST (Health Information Trust Alliance). This widely adopted security framework combines industry standards including HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), and ISO/IEC 27001 (International Organization for Standardization).

HITRUST certification is a stamp of approval in healthcare that a company takes data security seriously, and Trend Health Partners is vigilant about staying current with HITRUST CSF (Common Security Framework). 

In 2023, Trend underwent a HITRUST r2 assessment, a two-year risk-based assessment considered the most rigorous type of HITRUST certification. 

“The release of the latest version of the HITRUST CSF [version 11] was a unique opportunity to be among the first to adopt the new framework,” says Genevieve Emory, Director of Privacy and Compliance at Trend Health Partners.

“We saw it as a chance to not only meet industry expectations but exceed them by staying ahead of emerging threats.”

Certification as a worthy challenge

HITRUST is one of the most thorough assessments Trend Health Partners participates in each year to evaluate whether the company’s security controls comply with regulations.

Trend’s team knew that, despite the challenges of a new HITRUST version, getting v11 certification would establish a comprehensive, scalable, and secure foundation on which to grow the company’s business (Trend Health Partners is still a young company, founded in 2018, with 200 employees as of September 2024).

“The challenges we anticipated included navigating the complexities of a brand-new framework and ensuring our existing controls aligned with the updates,” says Emory. “We prioritized risks that could directly impact our clients’ sensitive data, focusing on data encryption, access management, and continuous monitoring.”

Improving the entire security posture

According to Emory, Trend’s preparation was grounded in a continuous improvement mindset, diligent internal preparation, and collaboration with Coalfire, a third-party compliance assessment firm. 

Trend did not reinvent its security controls for the HITRUST assessment, Emory says, but it did make adjustments that allowed the company to respond quickly to any gaps or potential risks discovered during the process.

“We deployed advanced security automation and monitoring tools, which enhanced our ability to detect and respond to threats in real-time,” says Emory. “This improved our overall security posture and audit readiness, minimized disruption, and ultimately allowed us to become HITRUST certified.”

Trend not only obtained HITRUST r2 v11 certification, but did it with so few gaps that HITRUST did not require corrective action plans (CAPs). CAPs are formal actions an organization must take to fix deficiencies discovered during assessments.

According to Michael Johnson, CISO at Trend Health Partners, the HITRUST project has bolstered the company’s overall security posture in the following ways:

Client assurance and internal confidence

HITRUST certification is an industry-recognized green light to healthcare providers that a company is following the law and safeguarding patient privacy.

“Implementing the latest HITRUST framework validates that Trend has strong security and privacy programs in place,” says Johnson. “This has helped build the trust and confidence of both our internal stakeholders and our clients.”

Stronger access management controls

For the HITRUST assessment, Trend introduced more specific role-based access controls, which allowed the company to adjust a person’s access to sensitive data based on their job.

“Personnel no longer have access to sensitive healthcare data unless specifically required for their role and region,” says Johnson.

This new control decreased the number of people who can access high-risk data, reducing insider threats and improving overall data security. 

Improved data protection and encryption protocols

As part of the HITRUST certification, Trend reviewed its encryption standards for data at rest and in transit. The review helped to improve encryption protocols to ensure sensitive patient data is protected.

Johnson says these enhancements have led to better compliance with HIPAA and HITECH regulations and have also lessened the risk of data breaches.

Increased staff preparedness

The process of going through the HITRUST r2 assessment amplified the Trend team’s awareness and preparedness, ensuring that employees understand their responsibilities in maintaining security.

“All the improvements that resulted from preparing for [the assessment] underscore Trend’s commitment to maintaining proactive and resilient cybersecurity,” says Johnson.

For its work becoming one of the first adopters of HITRUST v11, Trend Health Partners earned a 2024 CSO Award, which honors security projects that demonstrate outstanding thought leadership and business value.

Lessons learned from HITRUST success 

Trend Health Partners plans to build on what it learned from the assessments by continuing to align its security management program with constantly evolving industry standards and cybersecurity threats. 

As healthcare cybersecurity progresses and evolves, Trend Health Partners CTO Mihai Fonoage says the company will prioritize continuous improvement of security controls; early adoption of emerging technologies like artificial intelligence and machine learning; and education programs to keep employees informed about security best practices. 

“We’re excited to build the spirit of HITRUST into our company culture to maintain our high level of security and trust while adapting to the cybersecurity landscape,” says Fonoage.
