Since announcing Socure’s HITRUST certification, we’ve received several inquiries regarding the reasons we pursued it, the difficulty we had obtaining it, and what we’re going to do with it. All good questions. We’ll do our best to address the top inquiries below.
When we received our first SOC 2 report, we had 20 employees. Our Type 2 report came at just over 25 employees. When we achieved our ISO certification (27001, 27017 and 27018), we had about 40 employees.
We then looked around and said, "Now what?" Given our experience of achieving other certifications, it was only natural for us to want to keep reaching higher. That, and the fact that the healthcare industry is in dire need of effective identity verification solutions made obtaining HITRUST a logical next step.
And as our company grew to just over 60 employees, we've achieved HITRUST CSF Certification and the HITRUST Certification of the NIST Cybersecurity Framework for our ID+ online identification verification service.
"But you're a FinTech company! What are you doing with HITRUST?"
That's a good question, but also a misleading one. Although we've primarily catered to the financial services industry, our company is focused on creating and operating online identification verification services. ID+ can be used in any online transaction or similar function where a user's identity must be confirmed.
Ultimately we are geared to keeping our customer's data private and secure in a demonstrable, verifiable, and repeatable manner. And as we already operate at high levels for confidentiality, integrity, and availability, the source and purpose of that data — from a financial institution, a medical organization, an online retailer — doesn't matter to us. We treat all customer data with the utmost care and respect it deserves.
"What can healthcare do with Socure?"
Think about all of the times you may have scheduled a doctor's appointment online, or managed your prescriptions from a website, or viewed your medical results on your computer or smartphone. Each time — and probably multiple times — you needed to verify who you were. This may include extra knowledge-based authentication (KBA) questions that often seem more invasive than a majority of medical exams.
While there are other methods for identity verification already in place, systems that incorporate Socure's ID+ can reduce the frustration and friction when trying to prove you are who you say you are to a healthcare provider. Organizations can better identify legitimate users faster and with greater accuracy, ensuring their life-critical services and offerings are delivered to the right person.
"Do you have ICD F41.1?”
Of course, achieving HITRUST CSF certification doesn't mean we can sit back and relax and rest on our laurels. Socure must continue to demonstrate its capability in meeting the HITRUST CSF framework as we continue to develop new modules, features, and services. We are reviewed annually and run the risk of losing the certification if there is any material deviation from the Common Security Framework — the "CSF" of "HITRUST CSF".
Far from resting, we are up late and ensuring the data in our system is safe, secure, and private. This is probably why our healthcare colleagues asked if we were diagnosed with ICD F41.1, the billing code for generalized anxiety disorder. (Should you know how we can get "data privacy anxiety" accounted for in ICD-11, please let us know. We will certainly have more details and demonstrable symptoms by 2022.)
"What does HITRUST even cover?
The HITRUST certification covers more than just healthcare-based regulations such as HIPPA, specifications such as CAQH CORE, and standards from the NIH. The controls are based on and match up to a number of specifications, frameworks, and guidelines from a variety of organizations and institutions. These include ISO and AICPA as well as NIST, COBIT, the CSA, and the FDA, among others. Data privacy components of key regulations — GDPR, HIPPA, and various related state laws — are also accounted for within the framework.
Although HITRUST CSF Certification and the HITRUST Certification of the NIST Cybersecurity Framework for ID+ is not a one-to-one substitute for any other certification, it does demonstrate we are adherent to a broad variety of similar tenets concerning data privacy and security.
"Are you ready to tackle the healthcare market?
So as our company grows (we're over 70 now!), we see our new and exciting opportunities for us, for the healthcare information management industry, and for all of the users who can benefit from our services. Not only are we ready, willing and able to help the healthcare industry with their identity verification needs, all indicators are that the healthcare industry is ready (and in need of) Socure!
We look forward to this new frontier!