January 18, 2023
By: Michael Levin
HITRUST, the standard-setters in data security, now vouches for Ideon
By Michael W. Levin, co-founder and CEO of Ideon
At Ideon, our work is predicated on a straightforward belief: Choosing, buying, and managing health insurance and employee benefits should be no more complex than any other digital experience. And in creating the infrastructure that powers digital connectivity between carriers and technology platforms, we’ve been humbled to materially help improve the benefits experiences for countless Americans.
But even as we engineer and maintain the industry-best infrastructure that allows for free-flowing data, we are continuously ensuring that those “pipes” are not only unobstructed, but also airtight. To put it another way: We are obsessed with data security. Our APIs are the conduits for streams of personally identifiable information (PII) and protected health information (PHI)—and ensuring the safe passage of every last datum is a staggering responsibility we don’t take lightly.
Nor have we ever. From its beginnings, Ideon prioritized transparency and security, working diligently to protect the sensitive member information that carriers, InsurTechs, BenAdmin platforms, and others send through Ideon’s platform.
Because cybersecurity threats are always mutating, data protection is a journey more than a destination. Last year, I reported that Ideon had met an important milestone of that journey when our data security protocols were validated by System and Organization Controls 2 Type II (SOC 2), an examination performed by a public accounting firm with expertise in information security audits.
This year, I’m deeply proud to announce that Ideon’s Enrollment & Member Management API has earned certified status for information security from HITRUST. As detailed in a recent press release, this credential affirms that Ideon has addressed security risks through an exhaustive set of highly prescriptive controls.
This step was necessary because, unlike most other regulatory standards, HIPAA legislation provides no prescriptive white paper or rules for adherence. HITRUST was created by industry players looking to define standards around health information security. Its unparalleled rigor and scope make HITRUST the gold standard for PHI treatment and storage.
Achieving the HITRUST certification was an arduous process. After conducting a gap analysis against nearly 300 controls, we began implementing the changes necessary for HITRUST compliance. It’s hard to overstate how monumental that effort was: We took measures to ensure that every Ideon action is logged and reproducible on demand. We instituted company-wide protocols governing mobile device use. We refined role-based access, installed cameras, updated policies and procedures, retrained staff, and prepared mounds of evidence.
And that description only scratches the surface. (For a technical dive into Ideon’s HITRUST certification, read this blog.)
The process touched everyone at Ideon, consuming significant amounts of most employees’ time last year. An IT team was substantially dedicated to this effort for the past year, led by the remarkably talented Tim Hochman, our VP of information security and IT. Tim had previously taken another healthcare organization through the HITRUST initiation process, and he’s intimately familiar with its proceedings. (And, happily for us, he’s exceptionally organized—a must for a project so labyrinthine and minutely detailed!)
All told, it was a costly undertaking for the company, and at times even a challenging and uncomfortable one.
And yet: Aligning Ideon’s operations with HITRUST’s standards was as worthwhile as it was ambitious. In earning this designation, we signal to the industry that we understand the importance of handling sensitive information with the utmost gravity. We expect that this will usher in important new customers and partnerships.
But aside from the benefits that will no doubt accrue to Ideon, we’re excited about our HITRUST certification because it represents movement in a crucial direction for our industry. As migration toward APIs and data sharing intensifies, the need for increasingly tough security heightens across the space.
Ideon has long been a pacesetter for innovation, vision, execution—and security. We’re eager to support the industry as it seeks to match progress with protection. If you have questions or want more information about Ideon’s security policies, please reach out to my team.