Lessons from our recent HITRUST Community Extension Program.

On August 27, 2019, Accorian facilitated a successful HITRUST Community Extension Program in New York City. Security and technology professionals from organizations in healthcare, finance and technology attended the town hall. Michael Parisi, VP of Assurance Strategy & Community Development, was the main speaker, and he did a great job informing the attendees about HITRUST.

Lively discussions about the HITRUST process kept the event energetic. Real world examples and case studies helped attendees to see the benefits of becoming HITRUST certified.

John Langhauser, the co-founder of AdhereTech

John Langhauser, the co-founder of AdhereTech, explained how pursuing a HITRUST certification differentiated them from competitors.  AdhereTech provides software that uses smart pill bottles to provide patient support. They have found that being a HITRUST certified company in the healthcare industry has simplified their security conversations with potential customers.

Live demo of MyCSF® scoping exercise

Pete Niner, one of our HITRUST CSF Practitioners, conducted a live scoping exercise using the MyCSF tool. He also presented a case study of a client that benefited from the scoping exercise despite challenges.

Pete recommended that the scope of the HITRUST Assessment be made very clear and kept as minimal as possible. Companies should ensure that legal and compliance obligations are precisely scoped and included only if required.

Key Points from Michael Parisi

The main objective of the CEP event was to promote awareness of the HITRUST process while promoting the benefits of the certification.

Michael Parisi spoke about the journey to certification, the types of assessments and products such as the HITRUST Threat Catalogue, Assurance Program and the Shared Responsibility program.

In addition to answering questions from the audience, Michael Parisi stressed the importance of performing a risk analysis before starting the HITRUST framework. A few people had concerns about the procedures used by assessors during the process. Michael assured them that every audit is reviewed by HITRUST and that all assessors are held to the strict guidelines of the process.

HITRUST has seen an increase in adoption of the HITRUST CSF outside of the healthcare and public health sector, and internationally. Future plans for the HITRUST Alliance include:

  1. Launching HITRUST CSF v10 in 2020
  2. Providing services for GDPR certifications
  3. Launching the HITRUST VC Council later this year
  4. Working with the FAIR Institute to create a threat catalogue to help with risk management

Simplifying the Readiness Assessment

Premal Parikh, Managing Director of Accorian, shared the HITRUST certification methodology that his team uses to assist their clients to achieve certification. He focused on the pros and cons of doing a readiness assessment without the aid of a HITRUST Practitioner. He explained how guidance from an experienced assessor during the self-assessment increases the quality of the validated assessment.

“Participating in this HITRUST CEP was a great experience. It was an opportunity to share lessons learned with people in our industry to help them understand the complexities of HITRUST and risk management. We plan on partnering with HITRUST again in 2020 to produce more of these events throughout the United States.”
– Premal Parikh

We encourage people who are interested in this certification to take advantage of this free opportunity. It’s a great way to learn all you can about HITRUST to simplify the process and effectively implement the procedures in your programs.

As authorized HITRUST CSF experts, Accorian has experienced practitioners that are prepared to answer any questions you have about HITRUST. Contact us if you would like to see the presentations from this event or if you have any questions.

Are we forgetting to “lock the front door” when we invest in cybersecurity? Lessons from the Capital One and Equifax data breaches.

Like my high school coach always said, “Stick to your basics”.

The Equifax and Capital One breaches remind us that cyber-attacks don’t always come from sophisticated hacking groups. I’m sure these companies were using the best cybersecurity software that money could buy. They probably had good internal and external IT support.

However, the data breaches they suffered could have been easily prevented by applying the most basic cybersecurity functions.

What went wrong at Equifax & Capital One?

In September 2017, Equifax disclosed that the personal information of up to 147 million people had been compromised, including 147 million US consumers’ names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates. This data breach is in the news again because Equifax agreed to a settlement that will compensate those affected by the breach.

On July 29, 2019, Capital One reported that the personal data of over 106 million customers in the US and Canada had been compromised. This data was stolen by Paige Thompson, an ex-Amazon employee who accessed the data between March and July this year.

How did these breaches happen?

The data at Capital One was stored on the Amazon Web Services (AWS) cloud. Investigators found that Thompson discovered a misconfigured firewall on a web application and used it to gain access to data stored in the cloud.

A few months before Equifax was hacked, US-CERT issued a warning that companies should apply the Apache Software Foundation’s patch for the flaw CVE-2017-5638. The FTC alleges that Equifax failed to patch this flaw and to “undertake numerous basic security measures.” Hackers used the flaw in Apache Struts and default credentials on one of Equifax’s apps (Admin:Admin) to gain access to customers’ personal data.

How could the breaches have been prevented?

If these organizations had applied the appropriate security patches, or had measures in place that notified them when a breach occurred, these events could have been prevented or detected far sooner.

I see companies making this fundamental mistake every day. They spend thousands of dollars on top-of-the-line security products that promise “instant security.” But the AI and ML programs that guard their data are pointless if their IT staff aren’t applying patches or making sure their firewall is configured securely.

While security compliance standards are a great benchmark for organizations to adhere to, it’s important to remember that cybersecurity is an ongoing process that must be continually kept up to date in this dynamic threat landscape.

How to “Lock your front door”

As a company managing risk, you should ask yourself these five basic cybersecurity questions:

  1. Are you applying patches to your security firewall regularly?
  2. Are regular penetration tests and vulnerability scans being conducted by a qualified, compliant third party?
  3. Are you reviewing permissions of your users & revoking excessive privileges?
  4. Are you applying two-factor authentication and encrypting your primary & secondary data storage?
  5. Do you have an Incident Response Workflow that you would follow in case of a breach?

So, before you think about your next big cybersecurity spend, please make sure that you, your IT team and your third-party providers are following the basic cybersecurity actions.

It’s critical to speak to an expert organization that understands your business and security needs. They should be concerned with your company’s protection all the time, not just occasionally.

The security experts at Accorian have helped several companies discover critical vulnerabilities by performing simple penetration tests. Contact us today if you would like us to help you improve your cybersecurity.

Stay safe!
