The client is a renowned health intelligence organization that works on data-driven insights, aiming to give patients a complete understanding of disease and wellness and to offer science-based solutions to medical needs.
The challenges faced by the client included:
- Becoming HITRUST certified involves stringent compliance requirements. It demands that 19 domains and 1800 controls be examined, depending on the size of the business and its activities, and the organization must comply with whichever domains and controls are in scope.
- The certification process requires well-defined policies and procedures for these domains and controls. The required evidence then has to be generated from the various infrastructure components, tools, and other sources, in line with the scope of the requirements.
- These activities are time-bound, and the timelines can become a constraint, so the processes must be well structured and streamlined to meet them. Automating these processes is equally important to reduce the manual effort required for certifications, re-certifications, and interim assessments.
Because information security, and specifically the protection of personal information (PII), is treated as extremely critical in the US, healthcare providers must comply with various certifications to protect the privacy of individuals. One of these is HITRUST, which is becoming the de facto certification for healthcare organizations in the country and encompasses HIPAA, SOC 1, and SOC 2. The client therefore had to fulfill the mandate of becoming HITRUST certified and secure.
During the certification process, we worked closely with the client to capture all the information and evidence needed to prepare the policies and procedures and meet the deadline for HITRUST certification. Re-certification is required every 2 years, and every year the company must go through an interim assessment of the entire process to demonstrate that continuous compliance is maintained.
JK Tech supported the client throughout the certification journey, from capturing evidence, through automation, to achieving HITRUST certification. Because the scope of the certification is complex and defined by an external certifying authority, we identified the areas where automation could reduce manual effort.
Because the generated evidence has to be uploaded to My CSF, the HITRUST repository, we facilitated that process on behalf of the client. We also fine-tuned the policies and procedures, defined end-to-end processes for generating all evidence and the traceability matrix, and captured additional details around the evidence to make sure it complies with HITRUST. We also identified the tools and technologies involved in the internal processes and assessed how they could be automated, and we made the process seamless so that it can be replicated on other systems.
- Streamlined the processes
- Reduced manual effort by 40%
- Targeting a further 25-30% reduction in manual effort through automation
- The automation being developed is replicable and scalable, and can be implemented for other clients