Watch to learn how to prepare for a HITRUST Validation Assessment
In this webinar, Matt Halbleib (Director of Assessments) and Lee Pierce (Director of HITRUST Sales) will discuss:
Read our new HITRUST 101 White Paper here.
Lee: We'd like to welcome you to this webinar from SecurityMetrics. We're going to talk about HITRUST validation assessments, readiness assessments involved with HITRUST validation, and the certification process today. I have with me Matt Halbleib, who is one of our senior QSAs. By way of introduction, Matt, tell us your title and your background, how long you've been with SecurityMetrics?
Matt: Thanks, Lee. I've been here about seventeen-and-a-half years, and I enjoy it. I am a HITRUST assessor, as well as a PCI assessor, and I've been doing this 17.5 years. A long time in the space. I very much enjoy the work. I've been doing information security for over 25 years now.
Lee: And I'm Lee Pierce and I've been with SecurityMetrics just shy of 20 years, and I've been in the enterprise department, focusing on sales and development of product. Today we're going to talk about that HITRUST animal, talk about some of the particulars, laying out the whole plan here today. We want to talk about getting ready for a HITRUST assessment, things to consider when you're choosing the certification type that you're going for, elements to be kept in mind when you're going through readiness and preparing for it, some of the key points to being ready for a HITRUST validation, lining up the validation with your validation assessor. We'll also talk about how the QA process from HITRUST dovetails with the validation that we submit as a SecurityMetrics validation assessor and HITRUST. Matt, talking about all of this, there's a lot to consider. There's a lot of moving parts. I'll give a little bit of background. We've been doing HITRUST for about six years.
Matt: About that. Yep. That's right.
Lee: About three years ago, we got to a point where we realized our customers were struggling with their readiness, and it happened a little frequently.
Matt: That's a good point because here's part of the deal: as assessors, we can't grade our own work. That would be bad. "Oh I put that in place. It's great." So, we identified a need for someone who can help a client become ready to complete their HITRUST certification. Because that involves more than just, like in the PCI world, if I come in and I say, "Hey, I can't seem to find this policy," you can go, "Oh, let me correct that" and you'll fix it. As long as you fix it and everything, I go, "Okay, great." And it doesn't necessarily affect your validation data or anything else. HITRUST, on the other hand, is very specific. They have a 90 and 60 day window on any items that you've implemented. If it's a policy item, it had to have been in place for 60 days before you ask me as an assessor to look at it. All the other things, systems or procedures or whatever, had to have been in place for at least 90 days before you ask me to look at it. On the readiness side, that drove us to look for someone that we can work closely with to help our clients on the readiness side. Because that's critical. When you give it to us as the assessor, it's too late to go, if I find something's deficient, it's deficient. It may end up in a CAP, corrective action plan, from a HITRUST perspective, but it's going to be noted and it'll be in the report. And there you go. It's for all to see at that point.
Lee: So it was crucial to get everything queued up properly before the actual validation period occurred.
Matt: Absolutely.
Lee: We met Peter from Privaxi at a HIMSS conference. I will put some links in this so that you can click into Privaxi and learn more about their company. We did some pilots. We did a couple of our ongoing in-flight validation customers, and it changed everything. That's what we want to talk about today: the process of readiness, why that's so important, the process of validation, and the QA.
Regarding the readiness, first you have to decide what you want to get ready for. We thought we'd talk a little bit about types of HITRUST validation certifications you can achieve. There's the E1. The E1 has a set number of controls, 44 pre-determined by HITRUST. There's no secret about that; there's no mystery about that. It's basic hygiene; it's very simple. Sometimes that's all a company needs, depending on the complexity of their environment and depending on the demands being placed on them by their partners, the people that are asking for these assurances.
Matt: That's a critical point. I want to reiterate that. When somebody comes to us and says, "Oh, I need to be HITRUST validated," one of the things you always ask, "What exactly do you mean?" You mentioned the E1. I know we'll talk about the I1, and the R2, but what drives that for the most part is there has to be somebody who's asking them to demonstrate their compliance in some way. If they just say, "Just be HITRUST compliant," you have to pick from those three things. They need to work with whoever's asking them for their compliance to determine what exactly they're being asked to demonstrate.
Lee: That's very true. Honestly, I got an email this morning from someone that is currently working on their I1, and they emailed me this morning and said, "We need to talk about the R2. We're feeling some pressure to get the R2." I thought that was very interesting and excellent timing. Literally this morning I got that email.
Yes, the E1 can satisfy in a lot of ways. It's basic; there's not a lot of policies and procedures dealt with there. It's pretty simple. As a simple certification, you can achieve that in as little as 4 to 5 months. It's very doable to get that. Especially if you've already gone down the path of other certifications, like if you have a SOC 2 in place already, you're going to find the E1 to be super simple.
We move on to the I1. The I1 takes all 44 controls of the E1 and includes them in the total set of controls for the I1. The I1 has 182 controls, and it's on a two-year cycle.
Matt: No, the I1's a one year.
Lee: Also it has a second year. It's called rapid recertification.
Matt: Right. Yes. Oh I see, I thought you were talking like the R2 which is a two year.
Lee: So the I1 can happen if there are no significant changes to the I1 environment. In year two they have what's called the rapid recertification, where around 40 of those 182 controls are pulled and reviewed. Which is nice because it'll help with your budget and with the lift in the second year. The I1 takes generally 7-9 months.
Matt: Obviously depends a little on how prepared you are. If you've completed other assessments of other types, maybe you could cut a little time off that. But, it is one thing HITRUST is very specific on what they're looking for. There are the control statements, but then there's the evaluative criteria that says, "Oh, to show that you're meeting this, you have to have these items in place." Some of it's policy, procedure and then how it was implemented; you have to demonstrate that you've actually done it. The evaluative criteria are the items they're going to look at to see that that control's in place.
Lee: The I1 definitely ramps up on policy and procedure.
Matt: All just to the implemented level.
Lee: You start seeing a little more complexity on the readiness where without the readiness assessor helping you, you could be tripped up a little bit on your readiness.
Matt: It's not easy to pull out the “what you need to do”, the evaluative criteria of each particular control and go, "Oh," and then compare that to my policies. If you're reading your policy and thinking, "It kind of talks about that," I can tell you right now it's not going to be good enough. It needs to explicitly state certain things. It can't be inferred from policy. It has to be in the policy.
Lee: With the R2, which is the largest and the most involved, it takes all 182 controls that are rolled up from the E1 to the I1, and then adds more controls. You can have as many as 2000 controls if you go hog wild. Typically we see customers with the R2 doing anywhere from mid to high two hundreds, or sometimes into the three hundreds, occasionally above 400 controls. The reason being is that there are a lot of factors that can be pulled in with the R2. You need to satisfy a specific statute of Texas law? Throw that in. You can throw in NIST 800-53. You can throw in an ISO, you can throw in
Matt: HIPAA.
Lee: Yeah, so it can become huge. Most people avoid doing all that complexity. One thing I also wanted to add is that HITRUST recently added the ability to pull more HIPAA specific [controls] to the E1 and I1, and that's another matter. It's probably easiest addressed if you reached out and talked to us about it, about your particular situation. But you can pull the three areas of HIPAA right into the E1, I1 as additional pieces. But with the R2, that's typically what everybody does. They pull all the HIPAA requirements into the R2 for that.
Matt: I want to mention too, that the number of controls in the R2 is dependent on the risk factors. To get going, you have to purchase a subscription to the HITRUST Portal, which is called MyCSF, directly from them.
Lee: Directly from them.
Matt: It doesn't matter what assessor you go with, you're going to have to buy an assessment object from HITRUST themselves and the portal is called MyCSF. In there the very first thing you have to do is fill out a bunch of risk factors. "How many records are you dealing with?" "Are you on the internet?" "Are you in the cloud?" They ask a series of questions and depending on how you answer those, and which other factors, like you've already mentioned, CCPA is one of my laws or GDPR or Texas or whatever. As you click those, then it adds more information into that assessment object and more controls. That's why it's hard to give an exact number. We've seen as low as in the 250s and seen some of them in five, six, 700, even. It can go beyond that if you select all of it.
Lee: For sure. And the timing on a HITRUST R2 validation, as you can imagine, is going to have a greater range of months.
Matt: Exactly. It's not unusual to be a year, maybe a little less. But remember you've got to have things in place for 60 to 90 days. When I say things, I mean whatever the last item you get in place, that has to have been in place for that 60 or 90 days before you hand it to me as an assessor. Then there's a 90 day window for you and me to complete the assessment. At a very high level, you do the readiness, you get all your policies implemented, you get any procedures in place, you get systems added, whatever you have to do, you get all that done, you've got your incubation period that you've finished. At that point you actually go into the MyCSF object that we talked about. In each of those controls, you'll start uploading information and you'll grade yourself. The entity desiring to be HITRUST certified has to grade themselves. Once you're done adding all your stuff into there, you actually submit it to the assessor. I have to go in and look at all the evidence and grade that as well. The way we do it, working closely with a readiness assessor, if they have questions for us of how we might interpret something, they can reach out and ask us and we can answer that. That's not us grading our own work. That's just saying, here's how we look at that. That helps then, in the preparation phase, because we're working closely with the person that you might be working with to try and get all your process and procedures and everything else in place. Having the ability to talk to us directly and go, "How would you look at this?" is very helpful because then you know when you get to that point of submitting the controls over to the assessor to grade them, you should know at that point that it's going to be sufficient because we've talked to him and we know what he's looking for. Yes, we put that in place. Anyways, that's helpful.
Lee: You could say in one sense that the readiness assessor is an advocate for the client helping them prepare, even helping pull the evidence if they want. Some of our customers will give the readiness assessor read-only access to help them identify the specific evidence that needs to be pulled.
Matt: Absolutely. I should say there's readiness assessors and there's HITRUST assessors that we've been talking about. The readiness assessors have to go through all the training and everything that the HITRUST assessors do as well. It's just one of them is on the side of grading the assessment, and one of them is on the side of getting people ready, helping them. So, it's not like they don't know what they're doing and rely on us. But obviously sometimes, when you're working with an assessor, you want to know, "How would you look at this particular object or this item? Do you think this is in place or not?" Whatever it is–your password control–it doesn't matter. But having a relationship with the assessor and the readiness assessor is helpful.
Lee: Let's talk for a minute about the crucial element of reserving a spot in the future for both the validation and for the submission for QA with the HITRUST Alliance. Because having somebody help you gauge when you're ready is crucial. Also, we've discussed this before, without a real end goal in mind, you can't rally the troops to get things done. The last minute's great because that's when we get everything done. From the good old saying "if it weren't for the last minute." Let's talk about that a little bit. And some of the things that can trip up a client of ours if they're not properly advised, and if they don't heed these guiding principles.
Matt: I appreciate you bringing that up, because that's important for the client and the readiness assessor and the assessor. We wouldn't want to pick Christmas week when a lot of people in all parties are going to be gone and go, "Oh, sure, it's easy to get a reservation with HITRUST for your QA," to have them take a look at your assessment. But your own people might not be in town. I'll back up slightly and just say, as you start the process and you're working with your readiness assessor and you start identifying gaps, you should know…and the way we have asked the readiness assessor to work with people is we know there are certain things that are big–we call them rocks–bigger things that are harder to work on. If you needed to implement a particular system, an IDS, IPS, a firewall or whatever, you need to upgrade your firewalls because they're no longer supported.
Lee: Or maybe migrate something to the cloud.
Matt: Right. Migrate it to the cloud. Whatever it is, if you know you're going to have to make those changes, they're not trivial changes. You want to make sure and get whatever device is really going to work in your environment. If it's your IDS, IPS, you have to get it in there. You have to get it configured. Well, you have to find out which one will work in your environment. "Oh we're a Linux shop or we're a Windows" or whatever it is. You have to find the right software that'll work or the right device and you have to get it configured. If it's an IPS it's probably in blocking mode or should be. So it's not enough if I come in and go, "Oh you got it. It's there but it's not doing anything." That's not enough.
Lee: "Oh it's plugged in."
Matt: Exactly. We have shown up and people go "Oh it's over there. It's in the box." It's like, "Oh, it's not even plugged in." So it has to be in, it has to be functional. It has to be doing its intended purpose. That means it's logging. It's sending alerts, all those things. That's not something that you can do on a weekend.
Lee: Another element is why the readiness assessor is there to help you go through those unknowns.
Matt: To identify. "Oh, I'm going to need some of this." And knowing your own purchasing process or whatever, you know approximately how long it can take you to get some of these things done and then working with your own teams, whether it's development to integrate it into some other product you have, whatever it is, you can start to make your own timelines of how long that's going to take. That all factors into the idea, as you said at the first, "When do I need my QA reservation for my assessment?" You can start adding those up and then go, "Okay, we think it'll take us this long to close all our gaps. Everything has to be in place for 60 to 90 days. That means that potentially by this date, we could be ready to submit to the assessor." Then we get a 90 day window to actually complete the assessment and have our QA reservation. Start doing some math on the calendar there. You look at how many gaps you have with your readiness assessor. How long do you think it'll take to get them done? Like our readiness assessor that we work with, they're awesome. They can go in. Do you need help installing a machine? They can do that for you. You need help migrating to a cloud? They can help you with those kinds of things. But knowing those gaps and stuff starts to give you a timeline. This is why earlier I asked how long for an R2. I said, "It can be up to a year because some of these things are not trivial."
Lee: Exactly. What we do when we contract with our clients is we have the outsourced agreement for the readiness assessor so that all of the paperwork goes through SecurityMetrics. You mentioned some additional technology implementation or rollout or migration. We leave that to you and the readiness assessor in a separate agreement. But the technology advisory on all of this is all included in what we do. So when the date for the QA is determined, and desired, then what will happen?
Matt: They need to talk. They need to work with... So a couple of things because I don't want to skip past this. You have to reserve a spot with HITRUST for when you think you're going to be ready for their QA. If you target a date and go, "Oh, it's going to be June," you need to go talk to us, your assessor and your own people and your readiness assessor and make sure that you have people ready for that QA date. Because, once we all have completed, you completed all the readiness, we've completed all our validation in our 90 day window. We've gone through, looked at all your evidence, and we've graded everything. Okay. Now we're at the QA period. I submit everything to HITRUST. It's not over. HITRUST first does a little automated review to make sure everything's in place. Looks like everything got answered. They do some automated review of some of your policies and things. But you're far from crossing the finish line; this is more like coming in the home straight and putting in the kick. You got to finish it off. So, you submit to HITRUST. They do their automated review. If all that looks good–they usually have a handful of questions during that. Once that's done it gets passed to an actual HITRUST individual who then selects a certain number of controls and asks about the evidence and goes through and looks at them in depth and goes, "Oh, I think that's good or not." Sometimes they turn things back to either the entity or the assessor to answer questions about the evidence that was uploaded.
Lee: So they haven't crossed the finish line when it gets submitted to QA.
Matt: Nope. You have to have people available. HITRUST stresses this in their training too. Once you submit to them, you better have people on deck to answer the questions within, I think it's like ten days or so. They have a very limited time frame. Not to say you have to finish everything, but you at least have to respond. Like I say, you're really just in the home stretch. You haven't got across the finish line yet. That will come later. At which point then HITRUST, they're the ones who issue the report.
Lee: Okay. Had another question for you about the reporting. What can the client expect when they get the certification? Is it like free and clear, you passed and that's it? Or are there caveats that can come into play?
Matt: If somehow you did all the readiness, you submit everything to the assessor. At that point, the assessor can't go back to you and go, "You missed something. You better put this in place" because, remember, there's a 60 to 90 day incubation period for things. Once you've submitted to the assessor, it needs to be in place. It's at that point the assessor goes through and grades everything. If there is an item that happens to be deficient in some way, it's not necessarily fatal to still being HITRUST compliant. You can do a corrective action plan (CAP), which has to answer all the evaluative elements of that control. Basically, you write up a corrective action plan. How am I going to address this? What am I missing? What have I got in place? Is it in process? Is it at risk? Is it complete on certain elements of the evaluative controls, but others are still in process? You have to build this corrective action plan that gets built into the MyCSF tool. You upload some evidence and things, but you build that into the MyCSF tool and it will be included in the final report, and people don't like having CAPs. That's airing your dirty laundry for everybody because it goes into the report and people can see that. So we try to avoid them.
Lee: Some CAPs are fairly easy to explain, and everybody goes on: "Of course, that's a technicality." Others might be hard to explain. I think this also leads people back to the understanding that you have to have a really good partner going in with your readiness assessor for that assistance prior to the formal validation performed by SecurityMetrics. We wouldn't do it without a readiness assessor assisting.
Matt: Exactly. We tried that once and it didn't work so well.
Lee: For sure. Also wanted to mention that there is a fee involved with the QA slot reservation, so there are two fees.
Matt: And these are not set by us.
Lee: No, these are all HITRUST Alliance set fees. You'll want to talk to them about it. There's the MyCSF subscription for the year and then there's reserving the QA slot. I wanted to also mention, I hope I'm not mistaken, but in year two, for both the I1 and the R2, there is no QA fee for what they do. That was my understanding last time I heard. But I wanted to say that there are budgeting things you'll want to keep in mind.
Matt: But you will have to pay an assessor in year two to assist with the R2… they call it the interim assessment as opposed to the rapid readiness. So that interim you will have to pay an assessor to go through and help you submit things and grade things. It's just very reduced...
Lee: Oh yeah.
Matt: Severely reduced version. They basically ask, pick a certain number of controls across all of them that you're subject to and go, "Okay, show me that you've still been doing this." Which I should point out is one of the harder things sometimes if you're new to a particular compliance framework, like HITRUST, you implement a bunch of policies, procedures, changes in your environment. Because they're brand new, when you first do them, it's like, "No problems. Check. Oh I remember I got to do it like this now" and that's good. But you have to maintain that for the next year and two years because at year two they're going to ask you about a certain number of those controls. You have to be able to demonstrate that, "Yes, I'm on top of it. I've been doing all those things. I put them in place here. They were new to me. I knew them then, but I didn't forget them over the course of the next year." Sometimes that's hard for clients. They just… new processes. "Oh, we finally made it over the finish line" and they forget about them because the focus isn't on that so much anymore.
Lee: And even during the assessment, people will be highly sensitive to how many cycles of their existing staff need to be pulled into HITRUST. How much work is involved? Do they have to write the policies and procedures? Another great argument for a great readiness assessor is that Privaxi will write your policies with you. They will craft them and write them for you. What I'm seeing in the readiness piece of this over the months of readiness preparation, the client is spending one, maybe two, occasionally three hours a week in conjunction with working with Privaxi on the readiness piece. Then Privaxi goes to work on that. That's important to remember. Then what you said about after the fact, once the certification has been provided they have to keep it up. That's what the next year is all about, is measuring. Did you?
Matt: Exactly.
Lee: I mentioned that Privaxi has a plan that a lot of our customers go to, which is just a monthly assistance, they call it Continuous Assurance Management Program (CAMP). For a small number of hours every month. They keep things in line. They make sure patches are up to date. Vulnerability assessment is resolved.
Matt: Things are being recorded.
Lee: Policies, anything changing, the logs are being done. It's a great assurance especially to smaller companies that don't have that kind of staff. We had a caller yesterday calling in saying "We need an audit, but we cannot handle all the demands of this. We need somebody to help us get ready for that." By the way, that was a PCI. So it's not exclusive to HITRUST.
Matt: Oh no.
Lee: It's a lot of companies. They can choose to hire somebody for $80,000-$120,000 and then hope that person stays with them. Lots of times what happens is these guys, they get their chops better and they've honed their skills and they're moving on to a bigger, better job.
Matt: After some time and experience.
Lee: They lose that staffing. We're finding that a lot of companies are choosing to go with outside readiness help. They don't have to worry about that worry and that extra expense.
Matt: It's CapEx as well, as opposed to actual hiring ahead and all the overhead that goes with it. Maybe your insurance, just all the overhead associated with having another employee, sometimes it is cheaper to rely on somebody whose job that is and who's going to check up on you. They may ask you some tough questions about, "Hey, it looks like you missed this." But at the same time, sometimes that's nicer to have somebody outside asking you that. It's a little easier to answer that, as opposed to hiring your own person.
Lee: I also wanted to mention one other thing. All of our outsourced resources are USA based. They're all domestic.
So, let's wrap this up. I think we've covered a lot of things. We have questions that people ask on a regular basis. One that I think I've answered, but I want to touch on again, is what kind of time commitment would we expect to have to put in? I want to state that again. If you go with our solution that includes the outsourced readiness assessor, you're looking at 1 to 3 hours a week. You're looking at somebody helping you with your policies and procedures, writing them. You're looking at somebody advising you on your technology so that you don't have to wonder if it's correct. You also have somebody who, if you wish and your own internal policies allow it, will go in as the readiness assessor and do the collection of evidence through read-only access. So not as much of a time commitment as you would imagine.
The next one, which we get asked a lot and I think we've addressed, but I'm going to reiterate: when can I assume that I'm going to get this certification? That is crucial to keep in mind. I'll reiterate. E1 is the simplest one, three and a half to five months if you are working regularly with the assessor.
Matt: Can't put it off.
Lee: Nothing magic happens if you're not responsive.
Matt: Exactly.
Lee: Things will be on hold until you can be responsive enough to address the questions and the requests made.
Matt: I want to jump in real quickly because this is critical. I found this across every assessment I've ever worked with. In reality, you have to have senior management buy-in. If senior management at a company is not interested in being HITRUST validated or PCI or whatever it is, your firewall admin and your server admin–people, they can't go in there and make changes that impact the entire operation. Sometimes, as you were mentioning, it needs policy changes and things. That policy change has to ripple across the organization. If people aren't buying into the fact that this is necessary and this policy has to be updated, it becomes very difficult for one group or one individual, even if they're a little higher up in the organization, because they don't have the juice to say to people, "Look, we got to do this for our company's sake." We've got somebody driving us to become HITRUST validated. If they can't push that message out and go, "Look, you're going to have to make the change. I know you don't like it, but you're going to have to do it," then it becomes challenging for any one group or individual in a company to actually become compliant to any security framework, regardless of what it is.
Lee: One thing that you might want to do if you're in the middle and you're trying to get your superiors to approve, you might pull down the 2024 trust report from HITRUST Alliance. They have some great information in there, and it can help you state the evidence as to why you think it would be good to pursue that HITRUST [certification]. There's some great statistics out there. One other thing that you can do to help get buy-in is look at your competition. What is your competition doing? You can go to their websites if they're saying, "We are HITRUST R2 certified" and they are one of your direct competitors, that's a great way to get buy-in from senior management.
Matt: For positioning in the market. We have to show we're on par with these other competitors.
Lee: That's right. That kind of support is crucial. Let's see some other questions. What are some other questions you can think of, Matt?
Matt: I go back to your thing about the timelines. Somebody came to us on the PCI side and they're facing fines every month from their acquirer at the moment. The assessor asked them, "When did you get notification on this?" And they're like, "Three years ago we were given a year to become compliant." And then the fines started. Of course, then when the fines start, then everybody starts going, "I guess we ought to do something about this."
Lee: There's a problem when you start budgeting for fines.
Matt: Yeah, my point of this is don't put it off if you know you have to be HITRUST validated. Don't put it off. Start dealing with it. Come talk to us. We'll help you better understand. Maybe it'll be simpler than you think it is. We can go in and give you an idea: "Okay, let's talk about the scope of what needs to be HITRUST validated," just like in other standards there's scoping, which is these are the systems I'm going to apply all these controls to. HITRUST has the same thing. I've got the scope of the HITRUST validated item or object. Come talk to us about that. Maybe you can make some changes to the environment, or your business processes a little bit to make it a more manageable, smaller elephant, a baby elephant, as opposed to the big elephant. I don't know... "eating an elephant".
Make it more manageable and then just get working on it. Please don't put it off. Don't come to us at the last minute. It's very challenging to do that. As everybody can imagine, we're all trying to schedule our time to do a million different things. Coming to us and going, "Oh, we need it by next month," we're going to tell you, "Sorry, it's not going to happen." There's no HITRUST assessor that's going to tell you you can be HITRUST certified in a month. If they do that…
Lee: If they do that, run.
Matt: Run away. Exactly. If you know you have to do it, first come talk to us to try and get a better idea of what you have to do. We should be able to help you better understand what's required. At the same time, then, give some suggestions of what you could do to maybe minimize the impact or burden of it. Then just start working forward with our readiness assessor to get it in place. Don't delay.
Lee: Another option, if you're dipping your toe in this and trying to decide if this is right for you, we have limited consulting engagements that can help you determine some good information as to the direction you need to go. In fact, I mentioned earlier that sometimes people will do even more hands-on work. There will be a contract outside of this, such as implementation of firewalls or migrating to the cloud. We have a customer right now that is getting ready to be queued up for a HITRUST validation. But first, they engaged our readiness assessor separately to help them migrate, to help them get ready so that they don't get into the assessment. And they say, "This is going to be good now, but we have a plan to change this next year." We can help with all of that so that you don't have to go down one road and then realize you want to turn around, come back and go another route, which will save you a lot of money if you get this taken care of the right way.
Matt: If you've had everything on prem for a long time and you heard about the cloud and been talking about the cloud and thinking, maybe it's people in your organization saying, "We think we could save some money with the move to the cloud or whatever."
Lee: Not to mention inheritances from the cloud providers themselves.
Matt: Right. There is the inheritance factor in HITRUST as well as others. Physical security is being handled by the data center. I don't need to answer that in my assessment. But that third-party also needs to be HITRUST validated. So the big cloud providers have all gone through that process. There's a well defined inheritance matrix and everything. Just like PCI requires your responsibility matrix, it's a similar kind of idea if people are from that area. The point being, if you've been thinking about those things and you know you need to be HITRUST validated, that might be the time to work with our readiness assessor, because they can help you make that migration to the cloud and architect for the future a little more. Like I say, you're all on prem with your own servers and everything, and let's go to the cloud. It's a lot more flexible in a lot of ways, and can be just as secure.
Lee: Let's wrap up. I think a great summary would be if you're feeling a little daunted by this effort, talk to us, because there's a lot of great solutions we have for you, even if you have very limited staff, limited cycles. We can help you get this done.
Furthermore, we're quite open to just questions you have. We offer time. We'll talk with you over the phone. You don't have to have a contract with us to talk. We'll help you decide what's best for you. Who knows? Maybe you want to go for a SOC 2 assessment. We're not going to lie to you. We'll tell you, you tell us what you need. We can help you determine what you need. Maybe we'll be pointing you in some other direction, but we want to help you first. That's our policy. That's why Matt and I have been here for so long. Because we like to take care of the customer.
Matt: Absolutely.
Lee: Thank you for joining us today. We appreciate it. Please click into the links that we will provide. Contact us. We're ready to help you.