Video: Ask an Auditor: HITRUST | Duration: 3700s | Summary: Ask an Auditor: HITRUST | Chapters: Welcome and Introduction (27.050001s), Webinar Housekeeping Items (100.245s), Introducing HITRUST Experts (190.58s), HITRUST Expertise Introductions (301.94998s), HITRUST Framework Evolution (438.525s), HITRUST Industry Adoption (696.52s), HITRUST Adoption Trends (853.685s), HITRUST Assessment Levels (953.67s), Cost and ROI (1204.59s), SOC 2 vs HITRUST (1937.79s), HITRUST Implementation Timeline (2103.915s), HITRUST Certification Benefits (2264.28s), HITRUST Assessment Rejections (2368.82s), HITRUST Automation Overview (2607.29s), HITRUST vs. NIST (2747.775s)
Transcript for "Ask an Auditor: HITRUST": Hi, everyone. We're gonna give everyone just about thirty seconds here to dial in, and then we'll go ahead and kick things off. We got an exciting agenda for y'all. So, yeah, give us a second, and then we'll go ahead and kick things off. Hey, Ian. To fill the dead air, do you wanna talk to people about your beautiful tie? Yeah. Absolutely. So, you know, we're midsummer right now and wanted to make sure that there are some flowers to mark the occasion. In fact, I wore it specifically for you, Ryan. And I appreciate that. You're such a thoughtful guide. Well, usually, when we hang out, you know, I always like to bring you flowers, but, you know, just that. Well done. Well done. Love that. I wish it was even more festive. This black shirt doesn't do it. As you guys can tell, our speakers have some rapport and past experience working with one another, so you could expect more of the same as we're going through the long agenda here with a lot of heavy hitting questions. Right? But before we jump in, wanted to just cover some housekeeping items. So, some of you may have been involved in some Ask the Auditor series in the past, but for those of you not familiar with this format, we hold these periodically where we join in our tried and true auditors that are in our network alongside a separate partner, of course, in this case being HITRUST, to talk about any relevant topics that we're consistently hearing from our customer base, our prospect base, and HITRUST is very much a hot topic across the industry right now. So, again, very excited for the core group here along with the associated agenda for today. Some housekeeping items. Today's topic will be covered over an hour. If you are not familiar with the Goldcast platform, which is what we're hosting the webinar on today, we do have our Q&A on the right hand side. 
So you can go ahead and drop questions at any point in time during today's webinar. I'll be serving as the moderator, so I'll be taking a look from time to time when those get dropped in. If it makes sense to ask that at that point, I'll make sure that we answer it. If we're not able to cover everything within the hour that we have scheduled, we'll make sure that we follow up with you separately to get that answer to your question. For those of you that haven't met me before, I'm Brian Nodji. I'm the senior director of audit alliances at Drata. So what my team is responsible for is working closely with any audit firm member in our network to enable them, train them, and ensure that our customers are walking away with a successful experience working with an auditor that is leaning into the platform. Now for those not familiar with Drata as well, if this is your first exposure to us, we are an end-to-end trust management platform that specializes in GRC automation. What we do is we take the tech stack that you're working with, connect to all of the relevant cloud and on prem systems, and work with you to actively and automatically pull in that relevant evidence for the framework to ensure that you are getting from point A to the point that you're ready to get audited, and then working with our trusted audit firms to get to that final report, certification, whatever you're working towards. But enough about that. We have, again, three folks here, very strong heavy hitters in the space of HITRUST, joining us from both IS Partners, which is, again, a very tried and true audit firm in our network, working with many of our strategic enterprise and mid market firms across the breadth of frameworks, including HITRUST, SOC 2, CMMC, just to name a few. And, of course, we have Ryan Patrick. If you're not familiar with Ryan Patrick, you're likely not on LinkedIn. He's all over there. He's on webinars many times with HITRUST, audit firms, a number of different things. 
But, again, very much a heavy hitter in the space joining us from HITRUST. So, yeah, enough of me speaking. I'll pass it over to mister Ryan Patrick to provide an introduction, and then we'll go over to Phil and Ian to round things off, and then we'll jump into the questions. Yeah. I mean, how do I add anything based on what you've already said, Brian? So, as Brian mentioned, I work at HITRUST as vice president of adoption. What that means, I'm still trying to figure out. I ask myself that question every single day. I do not place, you know, wanting parents with children. That's a question I have had in the past, but I'm more of an educator. And when I say that, it's bidirectional. So I'm educating the market on what HITRUST is doing, but I'm also learning from the market and passing that back to really big brain folks that we keep locked in a room thinking about where HITRUST is going in the future. Prior to coming to HITRUST, I worked for several different professional service firms doing everything from HITRUST to risk assessments, tabletop exercises, penetration tests. You name it, I've probably done it. I may not have been good at it, but I did it. So that's me in a nutshell. Thanks. And my name is Ian Terry. I'm the senior director of cybersecurity services here at IS Partners. As Brian had mentioned, IS Partners is an audit and compliance firm specializing in a number of frameworks, of course, HITRUST being one of our premier offerings as HITRUST assessors. My background is certainly in audit and compliance and HITRUST as well. Ultimately, we aspire to provide solutions enabled audit and compliance services to help enterprise, medium sized businesses and really any industry to achieve their cybersecurity compliance goals. I'm Phil Bleronka, also at IS Partners and director of the health care services practice here. I've been doing audits for ten years, SOC 2, ISO 27001, HIPAA, and HITRUST. 
I'm also a CISO and a CRISC, and I also serve on the board of the ISACA Philadelphia chapter. I have the pleasure of working with Ian on the daily, and I'm thrilled to be able to share the stage with Brian and Ryan today. Beautiful. Thank you all. So for those of you that are less familiar with HITRUST, we figured it might make sense to give a brief overview before we get into the specific details and questions. So I'll pass it over to Ryan to give us an overview of HITRUST, and then we'll jump into, again, the questions. Yeah. Thanks, Brian. So HITRUST, we're about 18 or so years old at this point, founded in 2007. And what I like to tell folks is that HITRUST was designed and founded to solve, quote, unquote, the HIPAA problem. So for those of you who have worked in the health care industry in the past, when HIPAA was signed into law and then eventually enacted, it left health care organizations of varying shapes and sizes and responsibilities with more questions than they had answers. It's pretty subjective. It's pretty big. So our CEO, along with several other industry stakeholders, came together to write the CSF, the HITRUST CSF. And it was designed, as I mentioned, to help organizations operationalize HIPAA, but we've grown from there. So around 2018, we actually made the framework industry agnostic. So in the core controls within the framework, you won't see any references to any HIPAA related terms like PHI, covered entity, business associate, things of that nature. The framework actually applies to all industries at this point, and we're continuing to evolve. We're looking to not only get ahead of threat actors as much as possible, but we're also looking to continue to innovate to make the process of providing trust, if you will, or a report to share between organizations that much more efficient and less costly and less painful. So we're committed to, you know, continuing to evolve. Our framework is updated at minimum twice a year. 
If you compare that to what's going on with the trust services criteria for the AICPA, it's not updated nearly as frequently. Same thing with all the flavors of NIST, including ISO. So we're looking at how do we stay ahead of not only the threat actors, but also technology changes. But on top of that, we're actually ingesting threat intelligence on a monthly basis and doing quarterly analysis of what's happening in the threat landscape today and bouncing that off the MITRE ATT&CK framework and comparing it to the controls that MITRE recommends be in place to mitigate those risks. And if we identify either a flat out control gap or one of our existing controls needs to be tweaked to better protect, we're doing that on a quarterly basis. So the relevancy of our controls is arguably as old as ninety days ago. So when you think about how technology evolves versus how the threat landscape evolves, we're trying to stay in as near real time as possible to do that. So we can go to the next slide, Brian. I'm gonna cover this slide really, really quickly. So we have the CSF, the HITRUST CSF, the framework itself, kind of at the foundation. But in my mind, our secret sauce, what makes us special, is actually the control selection we've built based on that threat intelligence, and we have three security certifications today. The e1 being the smallest, kinda designed to get folks started, but also for low risk organizations. The i1, which is mid tier, moderate risk organizations, and then the r2, which is the assessment we're historically known for. I call it a significant emotional event. It is not for the faint of heart. It takes time. It takes effort because it is so prescriptive. It is designed for the most critical risk organizations. So last year in December, we released a new AI security certification, the first to release a security control specific certification or assessment or standard. 
If you think about ISO 42001, it's more on risk management of AI systems or management systems of AI. Same thing with the NIST AI RMF. It's more about risk management. So it's higher level versus what HITRUST has built, which is, you know, hard nosed security controls that are prescriptive. So I'll pause there. I'm sure there's gonna be a whole host of questions that will help fill in some of the gaps. So looks like we brought our first question. So since becoming industry agnostic, which industry is adopting HITRUST the fastest, and what is the business reason behind that? Oh, that's a good question. So we're seeing traction in financial services. They're probably, I think they're number three outside of the tech industry. We also see retail, we're seeing higher ed, and manufacturing. In fact, we just had a transportation company, so think about 18 wheelers on the interstate, transportation company, look to pursue HITRUST certification. The business drivers really vary. So financial services, it's probably pretty obvious why they would. There's lots of sensitive data within a financial services organization. And what they're starting to realize is based on the fact that we are able to actually publish results and quantify the value both from an ROI perspective, but also risk management perspective, in pursuing HITRUST. So for those of you who don't know, in our most recent trust report, which was released back in February, in 2024, 0.59%, so less than 1% of HITRUST certified environments experienced a breach. So when you look at the industry average on breach rates, it varies depending on what statistics you're looking at, but let's say somewhere between 40 to 60%; we're dramatically lower. And I could bore you probably for an hour on why that is, but I'll summarize it as quickly as possible. We based the control selection not on what we think is the right answer, but what the malicious actors are doing. 
How do you protect against people or malicious actors? Figure out what they're doing and then close the gap. Secondly, we have a really, really robust assurance program. So the way that the assessments are conducted, and I'll let both Phil and Ian bore you with the level of quality assurance that goes into every single HITRUST assessment, it's really, really difficult to game the system or not do full due diligence on the in scope systems for that assessment. So I think that's the reason why financial services are really gravitating towards us, and I think that holds true for some of the other industries. Awesome. Well, I guess, and I apologize, I jumped right into that question. First off, Ryan, appreciate you giving us that overview of HITRUST. Very helpful. Certainly, it's the same that we're seeing on our end. Since we've launched HITRUST as a native framework, we've certainly seen an uptick, and it's a wide variety of different industries coming across that are adopting the platform. As HITRUST is becoming more and more of that gold standard across the industry and the word's getting out in terms of the capabilities since they've launched the e1, the i1, or is it about two years ago now? Yep. The point of entry, the barrier to entry for that framework has become a lot easier for customers, and that's where you start to see some of the smaller set of customers that used to see it as a larger investment, both from a monetary and time perspective, start to explore that because, you know, they're getting a request from a UnitedHealthcare or Blue Shield Blue Cross or some of those larger health groups that have adopted HITRUST many years ago, and it's just a matter of now requiring it from their vendors. So, yeah, for those of you not familiar with this format, again, if this is your first Ask an Auditor. 
We have a number of questions that we've received from both an initial survey that we sent out to attendees that registered alongside a number of prospect and customer conversations that we've had, day in, day out. So we're gonna be, of course, fielding them as they come in to the Q&A. But if there's nothing in the Q&A, as we continue, we have a wide variety of different questions that I'm sure many of you have. And then, again, feel free to drop them if they come up. So we did have another question that popped up into the chat here. So I'm evaluating HITRUST for a policyholder portal for long term care. What part of HITRUST would apply to me? So I can definitely answer this question, but I don't know if Ian or Phil wanted to jump in because this is probably a question that they get asked every single day. Absolutely, man. I mean, I could definitely jump in here. There's probably no better guy in the chat to answer it than you, Ryan. Doug, I think, Michael, as far as parts of HITRUST, I think HITRUST, you know, it's a comprehensive security assessment, and it actually offers three tiers. So there is the e1, the i1, and the r2. That e1 is the easiest way to get in. It's referred to a lot of times as cybersecurity essentials. It's basically 44 controls that every firm should have, and it's a great starting place for any firm. Depending on how mature your information security program is, you know, depending on what controls you have, if you have any current assessments or a SOC 2 report, you could look at the i1, which is around 180 controls. You could also work, you know, with an external assessor like IS Partners to figure out, you know, what level you should jump in at. And then there's that r2, which normally, you know, gets above 200 controls, anywhere up to 2,000 controls. We would suggest stepping in at the i1 level and then working your way up to the r2. 
But with that being said, let me pass it to Ryan. We can talk more about those nested engagements. Yeah. So when I was cool, before coming to HITRUST, like Ian and Phil, I would get asked this question all the time. And I would actually return the question with a question and ask my customers, well, why are you considering HITRUST? Right? Because there are a number of different reasons, primarily three reasons why an organization would pursue HITRUST, which will definitely kind of dictate where you should start. The first is you wanna differentiate yourself in the market. If you wanna differentiate yourself in the market, but you don't feel like you're a really strong program, then e1 might be a good start for you. Same thing for just general security practices. HITRUST is its own world, its own language, its own lexicon. So using the e1 kind of as a starting point, or even the i1 for that matter, probably makes the most sense for an organization that is looking to improve their security program because HITRUST is a forcing function. You can't achieve certification without closing gaps. The third bucket, which is the overwhelming majority of folks who come and pursue HITRUST, is they've been asked or they perceive an ask as coming from one of their customers. In that case, that customer should guide you on what is appropriate because what they've probably done is some kind of risk triage on you. And depending on whether you're low, medium, or high risk to them, they may ask you to get an e1, i1, or an r2. Now with all that said, which Phil alluded to, the three assessments are nested. Right? So the 44 controls of the e1 are at the core of the 182 controls in the i1, and the 182 of the i1 are at the core of the r2. So if you start with an e1, you're not losing any work as you continue to mature your program. So we've built this on ramp to make it, again, that much more efficient. 
I don't wanna say easier, more efficient for organizations to achieve certification. So I'm happy to connect with you all and, you know, go through some very specific details about your situation. I'm sure Phil and Ian and Brian are happy to do the same, but it's very unique. If nobody's asking you, the e1 might be a good starting point. Yeah. No. That's great. And I think this is a question that I get a lot too when it comes to this because many times customers are being requested to jump straight into the r2 from their customer, but, obviously, that's a longer-winded engagement. Maybe, Ian, a question for you. Like, does an e1 certification serve its purpose when it comes to a customer that is requesting an r2, at least as a stopgap or a stepping stone that shows them they're making progress towards that r2, to maintain the customer or at least show them that they're making that progress if they're an active prospect? Yes. In short, yes. Absolutely. And we tend to find that entities that may look to impose HITRUST as their own requirement on things like their vendors or their partners, service providers, etcetera, that they realize that jumping right into an r2 can be very challenging and may not have the best outcome. Right? If you're going kind of from zero to 100, to put it colloquially. But they're aware of that. So as part of when they communicate any kind of contractual obligations or expectations to those vendors, they will usually set, you know, a pathway to that r2. They'll say, okay. You know, we appreciate that you show that initial due care and that due diligence by starting with the e1 for year one of our relationship, then maybe mature into the i1, you know, and then eventually maybe three years down the line, that's when our expectation for your HITRUST level will mature to that of an r2. Right? 
So they're definitely cognizant that jumping right into r2 is generally not always the best idea, and creating that kind of progressive milestone building upon what you, you know, most recently achieved is really the optimized path. Awesome. No. Love that. Appreciate that. So, another question that we have here, and love all the questions that are coming through the Q&A. Keep them coming. We certainly have some time to answer most, if not all, of them. And, again, if not, we'll make sure that we respond to you separately. So, I guess, to put it very directly, why does HITRUST cost money? What is the ROI behind it? How much does it cost? Like, all these costs, we get these a lot. Right? So maybe a question for you, Ryan. Like, what is the ultimate ROI behind purchasing a HITRUST myCSF subscription, alongside maybe a GRC platform or other avenues and working with an assessor? Why does it cost money? What a great question. Oh, yeah. So you have to realize that HITRUST is not like other standards, and I use that term loosely. If you think about different flavors of NIST, whether it's 800-53, 800-171, what have you, even ISO, even the CIS, they're all funded either through nonprofits or through government. And because HITRUST is a private entity, we don't receive that funding. But what we've done is we've built a program that provides a value add to organizations in achieving a certification level while receiving additional benefit, if you will. So I'll break it down kind of in pieces. So if you think about, you know, going through some kind of vendor onboarding, there's probably gonna be a questionnaire. They may ask you for a SOC 2 or HITRUST or ISO or something else, but they're still gonna run you through that questionnaire. And you're looking at the questionnaire and you're like, man, these questions don't even make sense. They don't matter. This is antiquated because they haven't updated the question set probably in five, eight years. 
Whereas, as I mentioned already, HITRUST is doing this quarterly threat analysis to make sure that our controls are relevant. Well, that doesn't come free. We've gotta pay for that threat feed. We've got to pay the people to do the analysis. We've gotta pay the people to update the framework and update the tool, and we also have a shared responsibilities program. So if you're either in the cloud or hybrid cloud or some kind of variation of that, you probably, at some point, have gone to your cloud provider and said, hey, can I get your SOC 2 or can I get your HITRUST? Can I get your ISO? And it may have been difficult. Well, with HITRUST, all of the major cloud providers are already HITRUST certified, and we've built this program where you don't have to go knocking on the door of AWS and asking either for some other kind of report out of their trust center or asking to actually touch and test, which will never happen. What you do is you send a request through our tool, myCSF, for the controls that they manage on your behalf. They review that request. They approve it. All of the information that they have already provided, which was tested, validated, and certified prior to, is now put into your assessment, and you don't have to do all of that work. You don't have to provide additional evidence because they are managing those controls on your behalf. Well, that also costs money. We work with the cloud providers to, you know, obviously, build the program, maintain the program, but we're also looking to improve the program. So for those of you who are familiar with our shared responsibilities model, we are actually gonna release something, I think, sometime next year to make the process even more efficient and less painful for all parties involved. Because as you can imagine, you know, the one person at AWS who's fielding thousands of requests a week probably is a bit overwhelmed. So those are a couple of examples of why we cost money. 
Because if you look at, let's take 800-53 or even the NIST CSF. Right? The NIST CSF is not a controls framework. It's a reporting framework. Right? Whereas 800-53 is a controls framework or controls library. Well, nobody is telling you how to interpret those controls. Nobody is checking the work of your auditor or your professional service firm's work to make sure that they actually are evaluating the controls appropriately. Whereas with HITRUST, every single HITRUST assessment comes to HITRUST, and we run arguably six levels of quality assurance on every single assessment. Well, as you can imagine, having folks touch every single assessment for every HITRUST certified environment also costs money. So it takes money to do this type of work, and what we're trying to do is figure out ways to, I don't wanna say lower the cost, but normalize the cost as much as possible. And that's why we're working with folks like Drata and IS Partners to utilize the capabilities of their toolset to make the assessment process that much easier. Hey, Ryan. I just wanna jump in here and say that the threat adaptiveness of HITRUST is personally one of my favorite things, and it's one of my favorite conversations to have with our clients. Because they might be used to doing a SOC 2 report and having the same controls over ten years. Whereas in HITRUST, they have these version changes and control updates, and they say, well, I just did the audit last year. Why are there these changes? And we could talk about how, you know, does anyone think that the controls that protected you ten years ago protect your environment today? So HITRUST really does provide, you know, that level of cutting edge assurance and protection that we wanna see from all our clients. So we're always looking at those updates. We're looking at, you know, HITRUST is looking at the breaches, and they're putting controls in place to actively prevent it. Yeah. 
And just to add to that too, I think the whole audit the auditor or audit the assessor model, like, HITRUST is one of the early adopters of that. And especially for an industry that's built on trust, when a prospect or a vendor is reviewing that certification, they wanna make sure, and whenever they're seeing the HITRUST logo on that, they know for a fact it's coming with a quality brand because each assessor goes through a very robust evaluation process. And on top of that, like Ryan said, each of their audits go through the HITRUST myCSF platform where HITRUST themselves are reviewing it on top of that. So certainly why they're considered the gold standard when it comes to health care, and I, for one, very much appreciate that model. Cool. So another question, and I'm gonna bundle these two, to IS Partners. So a two-step question, but, again, they have the same overall theme. The first one is, does having SOC 2 pretty much get me to e1 or a HITRUST e1? And then the second question is, is there significant overlap between HITRUST and NIST 800-171 r2? Obviously, in this landscape where many different firms are coming across many different frameworks, they've already completed some of these or are in active progress. There's a lot of overlap with one another. So, Ian or Phil, did you wanna take that to answer the overlap between both SOC 2 and e1 and then NIST and HITRUST as a whole? Yeah. Absolutely. And I'll start with Nick Harrison's question about the NIST 800-171 r2 and overlap with HITRUST. And I'm really excited to answer this one because it is very topical in the context of the cybersecurity maturity model certification, or CMMC, that obviously is kind of a hot topic right now. And in my response here, I'm speaking as the authorizing official for IS Partners' C3PAO assessor program, in fact. 
So in short, you know, there is overlap between HITRUST, even I think as early as an e1, for an 800-171 compliant entity, especially around some of the kind of more basic cybersecurity hygiene controls, things like, you know, risk and vulnerability management and mitigation, access control authorizations. Right? Kind of those concepts that we know are critical elements of 800-171. I'll also add, beyond just the actual controls themselves, a familiarity with the dynamic of 800-171 r2 where you are submitting your report materials, your score, your status on compliance with respect to those 800-171 controls on the SPRS platform, for example, is very comparable to how you interface with the HITRUST portal when you're submitting your own evidence and elements of your HITRUST assessment into the QA and ultimately to receive your HITRUST certification there. So, in short, absolutely, there is overlap. For a company that already has 800-171 r2 or, you know, CMMC, adding in HITRUST, if there's overlap in scope there, you'd be well positioned to be successful in your HITRUST endeavors. Can I just add, before you get on to the SOC 2 side of that, I just wanna add that 800-171 is mapped into the HITRUST framework? One of the things that I didn't mention is we've harmonized, so to speak, 65 other standards, regulations, and or frameworks into the CSF itself. 800-171 is one of those. So you can actually add 800-171 to a HITRUST e1 or i1 or the r2 and kinda satisfy both at the same time. But if you're looking to leverage the work you've done against 171 to prepare you for HITRUST, there's definitely a decent amount of overlap. 
It would just depend on which assessment for HITRUST you decided to pursue. Sorry, Ian. I stole your thunder on the SOC 2 thing. No. No. Absolutely. Appreciate the addition there. Yeah. I would say the only real potential limitation to consider, you know, just speaking pragmatically, is specifically around the CMMC certification assessment. You have to work with a special type of entity called a C3PAO to actually receive that certification. But, again, even in that context, aspiring to HITRUST, adopting those controls to that same scope that applies to your CMMC, will definitely get you pretty far along the path. Awesome. Phil, did you wanna take the SOC 2 e1 overlap question that came through? Absolutely. Thank you, Brian. And this is definitely one of our most common questions here for our clients. In general, obviously, everything depends. But in general, there's a 75 to 80% overlap between SOC 2 and HITRUST e1. What is important to understand is that SOC 2 is an examination, you know, by a CPA firm to see if you are in compliance with the framework. These controls are not prescriptive, as HITRUST is. And what I mean by that is normally, our clients will work with CPA firms such as IS Partners to put controls in place to have a system that's compliant with SOC 2. So those controls can vary greatly between firms. You cannot hold up two separate SOC 2 reports and compare them. Whereas in HITRUST, which is a certification, the controls are prescriptive. So every firm that goes through an e1 certification, you can be sure that they have these 44, you know, controls in place, and it's very transparent. So for the most part, there is a lot of overlap. But, again, those controls in SOC 2 are custom created, whereas in HITRUST, they're prescribed to you. Awesome. Thanks for that, Phil. Yeah. 
We certainly get that question a lot, especially since many of our customers use or are working towards SOC 2. I consider SOC 2 the gateway framework to many other frameworks, so I'm sure most folks on the call have SOC 2 certainly. So, another question that we have is, for the most positive outcome, what do timeline and preparation look like? And what's a realistic expectation people should be preparing for? And understanding there's variances between an e1, i1, and r2, and we talked about them at a high level in terms of timelines and such. But, yeah, what is the general preparation? Can someone start today, or what do you generally like to set expectations with internal stakeholders, external stakeholders, and level of effort across the board? Again, I'm happy to answer, but I think Ian and Phil probably are fielding this every single day. Yep. This is definitely one of the most difficult questions. And, again, as an auditor, I love "it depends." Right? I know my clients don't want it, but it really is the truth. It depends on the maturity of your existing information security program, and it depends on the resources that you have available to implement these frameworks. So like we said before, there are three HITRUST, you know, certifications, the e1, the i1, the r2, and they're nested. So if you do not have much of an information security program in place, you know, the e1, it's probably reasonable that, you know, if you have the resources, you can spend three months implementing, and then as part of HITRUST, there's, like, a bake-in period. So you have to have your controls operating for ninety days before you can begin the assessment. So I would say for a small firm to begin the e1, probably in the six month to one year time frame. Whereas if a firm were going to jump right into, like, you know, r2 for instance, you're more talking about a two to three year process. 
But again, these numbers have a lot of variables, and it's definitely a discussion on motivation and pressure, from clients or internal, to have these controls put in place. Awesome. Thanks for that, Phil. Cool. Keep the questions coming. Very active in the Q&A here. So let's go to this one. We are federal government contractors who will be conducting a pilot involving sensitive health care data. Our SaaS software processes sensitive health care data. Our SaaS software is embedded within a much larger solution that has an authority to operate (ATO) high impact authorization. How beneficial is HITRUST certification for us? It's very beneficial. If you look at the controls that they're going to be managing on behalf of your solution, depending on the significance of that, and when I say significance, I probably mean quantity, it's less work that you have to do. And the fact that they have an ATO for high impact, in most cases, it's either going to be equal to, and in some cases above, what HITRUST is going to look for. So you've reached a high watermark, at least for the solution that you're embedded in. Now your piece of the pie, that would be the variable at this point: are you as mature as the larger solution? Do you have the controls in place? Are you able and ready to produce the evidence? So on and so forth. So there are some nuances there, but the fact that someone who is managing controls for your solution already has a high ATO, it'll help you. Awesome. Thanks for that, Ryan. So another question that we have here is, what would cause an assessment to be rejected by an end user? By an end user or by HITRUST? I guess we can do both. So I'll start with the HITRUST side, and then I'll nuance my way through the end user side.
So I mentioned we have six layers of quality assurance that are leveled against every single HITRUST assessment. Well, one of those checks, one of those levels, is a tool called the automated intelligence engine, or AIE, which has about 250 checks that we run upon submission of the assessment to HITRUST. This is looking for everything from common quality issues that we see to discrepancies between the scope and the way the assessment was built and the controls that were included, so on and so forth. We actually grade those submissions. And if we find, based on that engine, that it's a low quality submission, we kick it back. If you compare that to SOC 2, ISO, or NIST, there is no such mechanism. Right? The auditor or the CPA or the consultant who's doing that work writes the report. Nobody's checking what they're doing. We have had, at its height, a 21.5% rejection rate upon submission. It's come down. And going back to Brian's earlier comment, we have a feedback loop, and I'm sure Ian and Phil can attest to this, directly to the assessors saying, hey, this was good, but you missed the audit here or you didn't follow the methodology there. So the audit teams are actually improving over time. But we also are QAing ourselves. We have several layers of quality assurance above the quality analysts who are doing the manual checks of each assessment, to make sure our quality analysts are doing their job. So primarily it falls into a couple of different buckets. One, the assessment wasn't done well, and we will kick it back because the entity being assessed or the assessor needs to change something. We don't actually kick it back if they don't meet the certification bar. If you fall below the certification bar, you just get what's called a validated report.
So you still get something, you just didn't achieve the bar for certification. Now, end users: we really don't see end users rejecting our reports, at least not from us. The way it works is, once you get through our quality process, we draft the report. You, as the entity being assessed and hopefully certified, get to review that report. You do have the ability to push back on HITRUST there to have things tweaked, or what have you. Not with the testing results and not with the certification results, but just with the nuance of the way the report is written, so to speak, primarily around scope; maybe you don't want specific facility names listed in the report, or what have you. So there is that, but just saying, no, I don't want this report, it doesn't paint me in a good light, like you can do with SOC 2, doesn't exist in the HITRUST world. Awesome. Thank you for that, Ryan. So this is a two part question. It came in from Ryan Young, and I'll take this one. First one being, does Drata have any customers who have fully automated their HITRUST certification pipeline? This includes matching controls, evidence, evidence collection, etcetera. So for that question, just to be clear, we actually do not say we fully automate any framework. It's based off of the framework itself, along with, for folks that are not familiar with Drata, we use a controls framework called DCF, or Drata's control framework. It's all based off of the number of connections that the customer has established across their infrastructure, IDP, so on and so forth. It's got to be anywhere from 40 to 70% of any given framework. And again, that's the level of automation that the customer has leveraged. If they've developed any custom connections, a number of different things contribute to the percentage of automation. As far as, does Drata have any customers on HITRUST, absolutely.
We've actually had customers on HITRUST for a number of years here, but more recently we released the native offering into our platform, just about a month and a half ago. What the native offering provides to our customers is access to the DCF controls mapped to the framework. That way, if you're working towards other frameworks like SOC 2 and ISO, you can work towards that control being compliant once, and it'll apply accordingly to HITRUST and any other relevant frameworks. So, unfortunately, I can't give you a fully automated answer, but again, it's 40 to 70% from what we've seen. As far as question number two, does Drata offer a custom white glove service which allows customers to fully automate their HIPAA certification? Again, it's a nuanced question around the "fully," but absolutely, we do have a number of partners on the vCISO side that do certainly help our customers. And they have a robust offering with depth and experience with Drata, as well as depth and experience with increasing the level of automation. So, Ryan, if that's something you're interested in, we'll certainly put you in touch and reach out to you directly. And I'm sure other customers on the call would certainly be interested as well. But, yeah. Cool. So, going to this next question here: what about HITRUST and NIST 800-53 controls? I have customers that insist that NIST is better. Yeah, I can take that one. I like that. It's a good one, I'll say that. So, first, I'll say that, and Ryan, correct me if I'm wrong on this, but in fact, when HITRUST was originally architected, and as it continues to progress and mature, many of its requirements and the associated language and parameters are actually taken nearly directly from the NIST 800-53 control catalog.
And to reinforce Ryan's earlier point, there's a direct mapping to a large number of those NIST 800-53 controls available within the HITRUST framework. So on one hand, there's actually a lot of overlap; if not directly, HITRUST is inspired by NIST 800-53. But now, as far as insisting that NIST is better, obviously that's kind of subjective, but I will offer this: if an entity is adopting NIST 800-53 and they are being assessed by an independent entity, and that organization does not have any ATO requirements, if they do not have any agency sponsorship or participation in a federal program that mandates certain audit and assessment standards for their NIST 800-53 program, I would actually argue that a HITRUST assessment has a higher degree of assurance and inquiry applied to the assessment process than a third party NIST assessment may offer you. That's a result of the QA, and a result of the very explicit adherence to the policy, the interview, the artifact collection, which are the three pillars themselves defined in the NIST 800-53A guide to assessing information systems against the NIST 800-53 framework. Right? You're getting a higher level of assurance there doing your NIST 800-53 through HITRUST. Again, specifically if you do not have agency requirements mandated to you, associated with your program. And usually that would be in the form of an ATO, for example. Awesome. Well said, Ian. And the one thing I can say is clearly better is Ian has a better tie than all four of us. Cool. Well, as far as the next question goes, I think this one falls right up your alley, Phil. I'm preparing for HITRUST r2 and had a question about the ninety day incubation period. Does the auditor begin testing right at the start of those ninety days or later in the window?
If findings are identified during that period, do they need to be fully remediated before the assessment is submitted to HITRUST QA, or how does that work? This is a great question, and I would be lying to you if I told you that I didn't spend a great amount of time explaining this to clients, because sometimes it is confusing. So, essentially, when you're going for your r2, we talk about this ninety day implementation, or baking, period. Let's say that you're going to get your r2, and in your r2, let's use round numbers, you have 250 controls that you have to put in place and be assessed against. Well, let's say that 200 of those controls are in place and operating, and we identified 50 in our gap assessment that you need to put into place. So your firm will have to put these controls in place and operate those controls for a period of ninety days, which we like to call the baking period, before we can begin our assessment. Then there's another ninety day period, the ninety day validation period. The ninety day validation period is when IS Partners or your external assessor starts gathering evidence for the audit. So: ninety days where you operate those controls, and then we do our ninety day validation assessment, which is like an audit. But if during that audit, our validation period, it comes to light that one of those controls was not operating, that will be scored appropriately in our audit, and HITRUST has robust scoring mechanisms. It doesn't mean that you fail just because one control is not operating. But then as part of the report, you will have CAPs, basically controls that you have to remediate as part of the assessment. So, no, it's not that we look at it in our validation window and say that's not working, hurry up and fix it. That's essentially the audit period. Awesome. Awesome. Echo. Cool. We got a few more questions.
I know we are running up on time here, nine minutes, so maybe we have time for two or three more questions. I think this is a good one given the dynamic nature of the HITRUST assessment, especially as you're working towards r2. Understanding that e1 and i1 are locked, 44 controls, I believe, and 182, when it comes to e1 and i1 respectively. But when a customer is going through r2, they do have to go through the assessment within MyCSF and curate the requirements based off of their environment: how many health records they're storing in any given period of time, and so on. So this question, I think, is off of that. Do HITRUST controls change based on data flow or software architecture? We have isolated processes when dealing with sensitive data, which then pass de-identified information to other services. Would the HITRUST certification process be the same across all services regardless of risk or attack surface area? Yeah, I think this one is closely coupled with another question that came in around factor selections and how the controls are built. So I'll try to answer both at the same time, and then Ian, please fill in any of the gaps. For the r2 specifically, in order to build the assessment in MyCSF, you have to go through a series of questions. These questions span how many records are you holding, how many transactions are in the system on a daily basis, how many users, what type of organization are you, and so on. Based on those responses, the questions will be populated for you, based on how HITRUST has mapped the answers to those questions to risk factors, and then ultimately to the controls that would protect against those risk factors. So I'll give you an example: how many records are you processing? The lowest answer is less than 10,000,000. The median answer is 10 to 60,000,000, and then the high answer is over 60,000,000.
HITRUST believes that if you have less than 10,000,000 records, you're less risky, at least in that one factor, than an organization that processes over 60,000,000 records. So there'll be controls, if you are over 60,000,000, that will either get added to your assessment or will become more stringent, meaning the configuration of the control itself becomes, I don't want to say more difficult, but kind of an extra layer. So to answer the data flow question: HITRUST is not an organizational certification. HITRUST is a certification of implemented systems. So depending on what systems you put in scope of the assessment, it'll follow the same certification process. Now you'll have to answer those factor questions through the lens of all the systems that you put in scope. So if you put 10 systems in scope of the assessment and they all do very, very different things, you could balloon that assessment up pretty quickly. This is where I always encourage folks to get with the Ians and the Phils of the world to work out what's the best approach, especially if you're a first time certifier. Right? I'm not saying make the assessment as small as possible, but it should be right sized, because I've seen a lot of organizations, especially with the r2, who either over scope or under scope. Under scoping means they scope the assessment such that it doesn't meet the intent of the original reason why they wanted to pursue it. Over scoping is they threw everything but the kitchen sink in, and it's a 900 control assessment, and it takes them years, if ever, to get through it. So work with folks like IS Partners to get those questions answered upfront, but it's not up to the assessors to determine the control selection.
With SOC 2 and even NIST, you have the ability to determine that; HITRUST has predetermined these controls, and a lot of it is built off not only the risk that you present based on the answering of those questions, but also the threat intelligence that we're seeing based on that risk profile. Ian, Phil, anything you think I missed? No, I think you nailed it, and I really appreciate that you added that in there. There are so many different frameworks and compliance objectives and requirements out there. It is very easy to get stuck in that situation where you want to check every box that's available to you. Right? And realistically, I think that when answering the factors, start with what is the core focus of your business, or where is the greatest risk? Where do your biggest, most mature obligations lie, right, as kind of your core competency and your core focus for your r2. Then you consider maybe the nice-to-haves, maybe industries or areas that you want to grow and develop and pursue opportunities in. Maybe sprinkle those in, or even consider, once your certification cycle is up for the full r2 reassessment, maybe then you scope in those additional factors, because you already know that you've established a successful outcome with the ones you selected for the first cycle. So I really appreciate that Ryan highlighted that, to navigate that carefully, because again, you don't want a 3,000 control assessment for the things that you don't even know if you really want to do in your first r2 go around. And I just want to add that that is one of the magic things about HITRUST: you can start with HITRUST with no factors, but then you get to the "assess once, report many" days.
So I have clients who I start with, and they're performing three separate audits at three different times during the year. It's probably not best to add those factors right away. Start with just the core the first year, and then you can add those factors like HIPAA. And you can make sure, year over year, all of a sudden you're doing your HITRUST and testing all your controls at one time, and you don't get audit fatigue four times throughout the year. Awesome. Cool. Well, I think that wraps things up. I know we have two minutes left here. I believe there's one question we were unable to get to, but as far as Abna Abnaab, we'll make sure that we reach out to you after this to get you a response to your question. Again, appreciate everyone on this call for joining us. Ryan, Ian, Phil, very much appreciate your time in educating the folks on the call here on HITRUST. Ian, if you want to drop your affiliate link for that tie so anyone else can grab it whenever they can, feel free to drop that in the chat. But other than that, again, very much appreciate everyone. Thanks for joining us, and look out for the next Ask an Auditor series. Bye. Thanks so much, all.