January 18, 2023
By: Tim Hochman
The details on Ideon’s HITRUST certification
By Tim Hochman, Ideon’s VP of InfoSec & IT
At Ideon, information security is at the core of everything we do. As the API platform connecting and exchanging data between insurance carriers, technology companies, and others in the benefits ecosystem, we understand the importance of ensuring the secure passage of sensitive information. It’s one reason our customers and partners continue to place their trust in us, and it’s why we’re excited to announce that Ideon’s Enrollment and Member Management API has achieved HITRUST certification, adding to the SOC 2 attestation we received in 2021.
But what does HITRUST certification really mean for Ideon and our customers? In this blog post, we’ll take a technical dive into Ideon’s HITRUST certification, explain some of the measures and controls we have in place to secure personally identifiable information (PII) and protected health information (PHI), and translate what it all means for our current and prospective customers.
For a detailed look at why Ideon took its data security to the next level, check out this blog post by CEO Michael Levin. For an in-depth, technical look at Ideon’s HITRUST certification, read on!
Why is HITRUST important?
Ideon’s two-year (r2) HITRUST Certification represents the highest-level commitment an organization can make to data security, its overall information security program, and the associated risk management best practices. By making this investment, Ideon demonstrates not only our passion for our own security but also for that of the clients and partners that use our service.
Becoming HITRUST certified was the next logical step in our security journey, which began in 2021 when Ideon obtained our SOC 2 (Type 2) Attestation Report. While a SOC 2 report shows that we comply with the SOC Trust Services Criteria (Privacy, Security, Availability, Confidentiality, Processing Integrity), incorporating the HITRUST control set into every aspect of our business takes our information security practices to the highest level. In fact, Ideon’s enrollment and member management API is the industry’s only HITRUST-certified solution of its kind.
The basics of HITRUST
Established in 2007, HITRUST (Health Information Trust Alliance) is a privately held company that has created a cohesive standard to assist organizations with data governance, information security, risk management, and compliance via its HITRUST Common Security Framework (CSF). This framework pulls together controls and best practices from many different security standards, including NIST, ISO, and the HITECH Act of 2009.
The HITRUST CSF is widely recognized as the best-in-class certification across many industries due to the comprehensive nature of its control requirements, its detailed assurance process, and the multiple levels of oversight required to obtain certification. While initially developed to serve the healthcare industry, the HITRUST CSF has been adopted across many different verticals and is seen globally as the best source of guidance on reaching information security and cybersecurity maturity, scaled to the size and complexity of the implementing organization.
The HITRUST CSF establishes certifiable assurance of an information security program’s operating effectiveness via controls pulled from 19 domains. The domains are as follows:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education, Training and Awareness
- Third Party Assurance
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection & Privacy
The number of controls an organization must implement within each domain is determined by a scoping process that reviews factors such as the number of records held, the use of cloud services, accessibility from the public internet, the number of transactions recorded per day, and the number of users who have access to the system.
Ideon’s focus areas
HITRUST’s detailed approach to security leaves no room for gaps in the areas that leave other organizations most vulnerable. Here are a few key areas of impact:
Software Development Life Cycle
Controls include review of the commit and deployment process, review of version control, and explicit managerial approval of new releases.
All aspects of data management are reviewed: encryption status (both at rest and in transit), validation of compliance within both storage locations and third-party services, and redundancy within those systems.
Highlights include comprehensive access control, monitoring and logging, cryptographic protection of remote access, and physical security standards for data centers, the workplace, and remote workers.
Also covered is a fundamental part of any risk management practice: backup and disaster recovery, regular reviews of risk for the organization along with the establishment of new practices when new risks are identified, and formal procedures to ensure key business processes are maintained during any disruptive event.
In short, we’re extremely proud that our Enrollment and Member Management API has achieved HITRUST certification, building upon our previous SOC 2 attestation. This means we’ve got some serious security measures in place to protect our customers’ sensitive data, including personally identifiable information (PII) and protected health information (PHI). Keeping data safe is a high priority for us and this certification is proof we’re doing exactly that.
As Ideon’s CEO says in this blog post, “data protection is a journey more than a destination.” HITRUST is a monumental step for Ideon, but it’s not the endgame. As threats evolve, we’ll be right there with them, updating our policies and implementing new technologies to keep your information safe.