HealthSnap upgrades to latest HITRUST certification while increasing efficiency and automation


CHALLENGE
Manual HITRUST compliance becomes unsustainable amidst rapid growth
Chase Preston, Co-Founder and COO of HealthSnap, knew from the early days of the business that a robust security posture would be necessary to move upmarket. As the company began selling to larger health systems, Chase and his team decided to go straight for the complex HITRUST certification, a globally recognized framework especially trusted in the healthcare sector.
The first two times they got certified, the HealthSnap team worked with a traditional assessor and implemented controls on their own. The manual process required constant upkeep: storing documents in Confluence, using Jira ticketing, managing user access logs, and setting up reminders. With only 15 employees, the process was tedious but manageable.
However, as the company grew to more than 200 employees, the manual approach became more time-consuming to maintain. When it came time to re-certify, Chase decided to look for a tool to streamline the process and automate ongoing compliance.
SOLUTION
With an automation platform and assessors in-house, Thoropass was the only true end-to-end solution
With Thoropass, Chase found more than a tool: He found a fully comprehensive compliance solution.
“We picked Thoropass because it provides an assessor and a platform. A lot of other companies have only a platform and bring in a third-party assessor. Thoropass is a one-stop shop, which makes things much easier.” –Chase Preston
In addition to the easy-to-use platform, Chase found the Thoropass support team responsive and knowledgeable. As part of the implementation, the Thoropass team helped HealthSnap map their requirements from HITRUST v9.5 to v11.2.
Updating to a new version can be a big lift to ensure that we’re not overlooking any new requirements, but with Thoropass’ help they made it easy and we were able to map the differences across the 2 versions.
Chase Preston
Co-Founder, Chief Operating Officer
HealthSnap
Thoropass’ industry experts also shared valuable insight on future HITRUST requirements, helping HealthSnap to plan for the future.
One-stop security validation with in-house penetration testing
Previously, Nicola Onassis, CTO of HealthSnap, had to contract a separate vendor for penetration testing, a HITRUST requirement. This time, Nicola was able to simplify the process using Thoropass’ in-house pentesting service.
The pentesters followed a recognized testing methodology, OWASP, and tailored the pentest to meet HealthSnap’s unique features. The testing included their web application, APIs, and mobile apps.
“The communication was good. The main pentest manager kept us updated on the progress of the tests and also coordinated with the team on setting things up.” –Nicola Onassis
Nicola found the pentesters’ report and remediation guidelines clear, and he resolved the high-priority issues quickly.
RESULTS
HealthSnap successfully upgrades their HITRUST certification with Thoropass expertise
The HealthSnap team successfully renewed their HITRUST certification and moved to version 11 while saving time and effort.
For Chase, the most significant benefit came from Thoropass’s HITRUST expertise, specifically the detailed guidance on version mapping.
“Since we are not new to HITRUST, our main goal was to go from version 9.5 to version 11.2. The biggest thing that Thoropass helped us with was making sure we understood the controls between versions. Doing that manually would have taken our team a lot longer.” –Chase Preston
LOOKING AHEAD
Increased automation and risk management
Moving forward, Chase and his team plan to get even more value out of Thoropass with increased automation. They are migrating evidence into Thoropass, setting up automated tasks for regular reviews, and saving time on security questionnaires with automated response tools.
“Our mindset is to use tools to their fullest capability. We’re trying to minimize using other tools like Confluence or Jira for security, and have everything in one spot with Thoropass.” –Chase Preston
In addition, they plan to use Thoropass’ risk assessment tool, Risk Register, for continuous risk management.
Chase’s advice to other companies considering HITRUST: Start early.
It’s easier to set up as a small company. It’s obviously a cost, but it’s worthwhile, because it’ll take much longer when you are a large company. If you even think you’re going to need it in the future, do it earlier rather than later.
Chase Preston
HealthSnap
Product: HITRUST
Industry: HealthTech
Company size: 201-500
Location: Miami