Q&A with Cureatr Chief Financial Officer Rob Dilling
Cureatr recently announced it achieved HITRUST risk-based, two-year certification. In the following Q&A, Rob Dilling, Cureatr's Chief Financial Officer, discusses the importance of and process for achieving the certification, why Cureatr elected to pursue HITRUST, and why the certification should provide clients with even greater confidence in Cureatr as a trusted partner.
Q: For those unfamiliar with HITRUST, what's the significance of this certification?
Rob Dilling: In simple terms, HITRUST certification means the processes, procedures, and security controls we at Cureatr have implemented to protect data and comply with HIPAA regulations were validated by an external auditor to meet HITRUST's exacting standards.
Q: Why did Cureatr pursue HITRUST certification?
RD: There are a few reasons. We are constantly evaluating and working to elevate our information security, data protection, and compliance processes. Having our processes externally audited through HITRUST provides the opportunity to further compare ourselves to best practices across multiple security domains that are valued by our customer base. This HITRUST certification checks all those boxes and attests to the high quality of our risk management and compliance program. Receiving certification is not all that different from our healthcare provider clients becoming accredited by an organization like The Joint Commission to demonstrate their commitment to safer, high-reliability care.
There's also an increased expectation that healthcare companies like ours will achieve some form of security certification. From a security perspective, most companies choose either HITRUST or ISO. ISO essentially leaves it up to a company to decide what security policies, procedures, and implementations work for it, whereas HITRUST identifies absolute minimum standards in these areas that a company must meet. Frankly, HITRUST standards are not very minimum, which is great from a security perspective.
Q: What went into achieving HITRUST certification?
RD: A lot of hard work. We first needed to go through all our policies and procedures to map them to the HITRUST control schema. That forced us to methodically go through hundreds of controls across 19 separate security and privacy domains and ask ourselves questions like, "Are we doing what's necessary?" and "Where can we improve?" When the opportunity presented itself, we revised and improved our processes and procedures.
Once we completed these steps, an external auditor came in, collected evidence on the implementation of each control, and validated the implementation of the controls. The auditor then went through a separate quality assurance (QA) process. This was run by HITRUST and designed to ensure the auditor completed their job to exacting standards. The auditor needed to put in a lot of work during the QA process, which further speaks to HITRUST's very high standards.
Q: What should current and future clients understand about this certification and what it says about Cureatr?
RD: Cureatr takes privacy, security, and compliance seriously. We are committed to protecting the privacy and security of data, including the protected health information (PHI) that's entrusted to us by our clients.
Even though we're now certified, our work around HITRUST doesn't stop. We have repetitive processes that allow us to continually evaluate and strengthen our security posture. From my perspective, there's no other way you can stay HITRUST certified unless you're performing that ongoing evaluation, which is one of the great values of HITRUST. From a customer perspective, this requirement should make it even clearer that Cureatr is a good partner they can trust with their sensitive data.