
COVID business shifts change but don’t stop robust HITRUST evaluations

When the COVID-19 pandemic took hold in March 2020, many organizations by necessity moved to a work-from-home arrangement for most employees. However, this workplace shift did not change the need for organizations to go through the HITRUST evaluation process.

Speaking at a recent webinar sponsored by Baker Tilly, Ryan Misek, security compliance manager with WEX Health, Inc., noted that the shift to virtual HITRUST walkthrough meetings, while not seamless, was made easier because WEX already had “a pervasive deployment of tools and the ability to collaborate remotely.” The shift to remote work also created more flexibility related to scheduling HITRUST walkthrough meetings – instead of flying everyone to one location for a few days of intense in-person work, scheduling became more flexible.

His biggest concern related to virtual meetings was that some of the important human aspects of in-person meetings would be lost. “There's a team-building type of opportunity with face-to-face meetings that is lost when we meet virtually. You miss nonverbal cues, reading the room, seeing if everybody understands the process or if we need to go into more detail on different topics.”

Michael Effner, chief information security officer with Data Dimensions, noted that the transition to virtual was tough because the culture of his company was “so in-person and relationship-based.” He noted the company had “technology challenges, so when we dispersed our workforce, not everybody had sufficient bandwidth to deal with video conferencing.” Because of the challenges “it took a significantly larger amount of planning and structure as we started rolling into preparation for the HITRUST assessment.”

He added, “Our artifacts were broadly dispersed, and getting them pulled in to where we could get a common library to store and research was difficult. When we went to the physical validation components of our facilities, our FaceTime virtual tours were a unique challenge as we tried to demonstrate some of our physical controls.” Having worked through these challenges successfully, Effner said he doesn’t envision a time when Data Dimensions will ever fall back into a 100% in-person type of assessment. “Our ability to reduce travel costs and to reduce on-site impact to our staff has been a real value to the company.”

HITRUST on-site requirements

Michael Parisi, HITRUST’s vice president of adoption, noted that the relaxed requirements and expectations related to HITRUST validated assessments put in place during the pandemic will continue to stay in place until further notice. He said one positive aspect of COVID-19 is that it forced HITRUST to think outside of the box when it came to validated assessments. “There is not going to be a requirement for on-site validation anytime soon,” he said. That being said, if certain entities and assessors want to move back to an on-site validation, which can be more efficient in terms of getting evidence and building relationships, HITRUST will support that.

Parisi also noted that some of the adaptations HITRUST made because of the pandemic, such as the Bridge Certificate, can be leveraged by organizations if similar unpredictable, COVID-like events occur in the future.

Combating resource shortages

Effner noted that the pandemic gave Data Dimensions its first chance to demonstrate that it truly could move its workforce remotely. The company did it in stages, starting with its professional staff and then its production operations. Based on what it has learned, he said Data Dimensions has no intention of ever bringing its IT staff back on-site full time. Segregating certain duties between on-site and remote roles will make it easier to address resource shortages, because the company will be able to hire for remote positions from anywhere in the country.

In addition to remote work opening up opportunities to hire new people, Misek added that creating a welcoming environment for staff helps with retention. Embracing work situations where it’s acceptable for pets and children to appear in meetings, as one small example, demonstrates a sincere effort by a company to support a healthy work-life balance.

Business continuity

Effner said that Data Dimensions significantly expanded its Citrix footprint to accommodate two to three times the number of remote workers compared to before the pandemic. It also expanded use of Microsoft Teams, in particular a Teams group specifically devoted to HITRUST work. Finally, Data Dimensions moved its back-office business systems into the cloud, so it no longer manages its HRIS system, email, financials or communication system on premises. “By putting all of our business management systems out into the cloud,” Effner said, “I've been able to reduce the amount of my workforce that I have to bring in via either Citrix or a VPN connection, which has significantly expanded the flexibility of managing our business as well as reducing the impact of variable employee internet speeds.”

Misek added that while WEX Health had already outfitted most of its staff with laptops before the pandemic set in, the shift to almost all remote work made the company focus on the human aspect of work-from-home, like investing in better monitors and ergonomic enhancements to help create a healthier work environment at home.

Misek noted that, just by chance, WEX Health had a “loss of facility” exercise planned for the end of March 2020. Instead of an exercise, the company had to put the plan into action. “We got to really find the rough edges in some of our technology,” he said. Since WEX Health is a service provider that relies on downstream third parties to deliver services to its upstream customers, it was immediately hit with a wave of inbound questions from customers about how it would maintain service, while at the same time engaging its downstream suppliers to ensure their services continued to be delivered.

New IT risk areas

Parisi noted that one of the biggest risks related to a shift to remote work involves third-party dependencies. This includes risks related to existing third-party partners as well as the ability to quickly onboard new vendors or service providers that can safely and efficiently support a remote workforce. One practical example Parisi highlighted: a hospital that had to onboard, within days, a vendor to set up tents in the hospital parking lot so care could be delivered.

Knowing that the traditional vendor assessment process typically takes three months, organizations realized that their programs around third-party risk management needed to become more efficient and effective. “What really concerns me,” Parisi said, “is that most organizations said, ‘we have to address this now and we'll go back and assess the vendor later.’ But they haven’t necessarily done that yet. I'm more concerned about what will happen six, eight, or 12 months from now with some of these vendor relationships.”

HITRUST Third-party Risk Management (TPRM) Methodology

Parisi noted that organizations that have had a strong, mature third-party risk management program in place for a number of years were not as negatively impacted by the need to move to a remote workforce or onboard a new third party. HITRUST is challenging organizations to reconsider the inputs and calculations they use when classifying a third-party vendor as high risk or low risk. “How much money an organization spends with a vendor is not a good indicator of inherent risk,” Parisi said. He added that just because a vendor has a HITRUST certification or a System and Organization Controls (SOC) report, it doesn't mean that the inherent risk associated with that relationship is lower. The HITRUST Third-party Risk Management Qualification Methodology is a risk triage model applied across an organization’s entire population of business relationships, intended to better drive decisions about where inherent risk exists.

Organizations have limited resources, and their outside business relationships are growing faster than the people, time and money available for effective third-party risk management. The HITRUST TPRM methodology helps organizations appropriately qualify a particular relationship by looking at multiple inherent risk factors and obtaining the right level of assurance from that business partner.

Effner noted that Data Dimensions relies on 1,400 resources in India across three different vendors, so a framework like HITRUST will help the company be more proactive in engaging with third-party vendors.
