Locking Down Your Data: Censis Technologies Pioneers with HITRUST Cybersecurity Certification
Rigorous security certification becomes the differentiator that transforms customer relationships and elevates competitive advantage in healthcare tech markets
This story was produced through MarketScale.
Key takeaways
Censis Technologies earned HITRUST certification, one of healthcare's most rigorous cybersecurity standards.
The certification acts as a competitive differentiator, improving customer confidence and retention in healthcare tech markets.
Achieving HITRUST signals a proactive security posture that goes beyond basic compliance requirements.
How does achieving a HITRUST cybersecurity certification redefine the security posture and customer trust for companies like Censis Technologies and their clients?
In this insightful episode of the ConCensis podcast, host Vanessa Cavanaugh engages with Brandi Guest, a Security Operations Engineer at Censis, and Myles Templin, an Associate Manager at A-LIGN, delving into the rigorous journey and significant impact of obtaining a HITRUST cybersecurity certification.
"We wanted [the HITRUST certification] so we could say to customers, look, we went the extra mile," Guest explained.
Censis achieved the i1 assessment, Templin said. That was actually new as of last year, 2022. They reinvented it in 2023, making it more streamlined and fitting with the others.
Video Transcript
Welcome to ConCensis, a podcast from Censis Technologies.
Hey, everybody. Welcome back to another episode of ConCensis Podcast brought to you by Censis Technologies. Today, we have a really exciting topic to discuss. Recently, Censis was working towards a HITRUST cybersecurity certification, and we can proudly say that the process is complete. Here to tell us all about it, how it affects your sterile processing department are Brandi Guest, security operations engineer at Censis Technologies, and Myles Templin, HITRUST CCSFP at A-LIGN. Welcome to the podcast, guys.
Thank you.
Hi. Thank you.
So to start off, we'll begin with you, Brandi. Would you give us a brief introduction and talk a little bit about your role?
Of course. So hi, everybody. If you don't already know me, my name is Brandi Guest. I am the security operations engineer here at Censis. And basically what that's meant for the last year is HITRUST, HITRUST, HITRUST. So we have been full speed ahead deep into HITRUST. And that has been refortifying all of our policies, our procedures, strengthening our security posture as a whole from their corporate level all the way down to network architecture. And that's been my main role, is working with my team and making sure that we have the strongest security posture possible during this process.
Awesome. Great. Myles, can you tell us a little bit about what you do with A-LIGN? Am I saying it right, A-LIGN?
Yeah. You are. Yeah. Myles Templin. I'm a managing consultant at A-LIGN for the HITRUST practice. My day to day job is to basically help clients at the Censis get through the HITRUST assessment from start to finish, and that could be Censis' journey was starting with the readiness a while ago and then finally getting validated this last past this last week. So, yeah, other than that, I help also develop the program internally, but this is typically my day to day.
Great. Awesome. Welcome. And I'm super excited for our conversation today.
What exactly is a HITRUST certification?
So a HITRUST certification is a company goes through a HITRUST audit, which is the framework, and it is audited by HITRUST, every single assessment is. They are the governing body. Basically, what it says is that we believe that this client, such as Censis, has a very secure security posture. So every all the information they're protecting for their clients, customers, anyone like that, we believe it is secure and safe. So that's essentially what a HITRUST audit is.
Great. Why do companies get HITRUST certified? What are some of the benefits?
So a lot of times, the clients our clients will get certified because they're required to from their customers. It is because they are safeguarding their customers' data. The benefits at that time is to make sure that you have a mature process in place. In that way, their clients can be reasonably assured that they won't be breached. And if they are breached, there are controls in place to actually help mitigate those breaches. HITRUST is a risk based assessment. So we like to try because you can never fully eliminate risk, we like to mitigate it to an acceptable standard.
Sounds pretty cool. And in the current day and age of cybersecurity threats all over the place, sounds really important. So, Brandi, this question's for you. As a software company, why is cybersecurity so important to us at Censis? Why did we seek out the HITRUST certification?
Yeah, so there's two different ways to approach that question. And the first one is just talking about cybersecurity. The main word you wanna talk about is trust. When you bring on a vendor and you are bringing in data and you're bringing in patient information, granted Censis doesn't do PHI, but any type of, Hey, we're trusting you with this information. You wanna make sure that the vendor you're trusting is doing exactly that, is trustworthy.
When a company follows industry standard frameworks like HITRUST, it's saying, we follow these set amount of rules and standards and procedures that have been already voted on and decided by people way higher than me, and this company is trustworthy to their standards. So when we talk about cybersecurity for Censis, it's all about customer trust. We want to make sure that you know when you bring us on as a vendor that your information is going to be safe now in the future in the midst of the ever changing cybersecurity world that we are proactive in making sure that it stays safe.
That sounds pretty serious, pretty dedicated. And yeah, no, it's, that's very cool. So how does this impact the Censis customers in relation to their data security?
So I will say as far as Censis customers go, one of the biggest reasons that we went towards HITRUST is to be a lead competitor in this market. Our competitors do not have the certification. So we don't actually have PHI. We do not hold PHI, which is patient health information in layman's terms. So we don't actually have to get HITRUST certified is the point I'm trying to make. If you are talking about patient information, you get into HIPAA and you get into all of the legalities with that. We didn't actually have to get the certification. We wanted it so that we could say to customers, Look, we went the extra mile. We got even more certified than what we even have to be. So for our customers, we're going to be the industry leading software in this field.
Well, it sounds like, we we looked at the bar and we said, that's a challenge. We're gonna go over it.
Absolutely.
Well, Brandi, since I have you talking already, you had to go through quite an extensive process submitting for the certification. Can you give us a breakdown of what that was like and what you had to do?
Of course. So with the help of Myles, who made this process extremely seamless, we went through nineteen different domains in the world of cybersecurity.
So what that means is we went through things like network architecture, we went through governance and compliance, we went through policies, just as an example, securing removable media, making sure people couldn't just plug things into the computer. We went through pretty much every angle you could approach securing a network, and that was separated in nineteen different highly technical domains. So it took us, I would say we really started the fieldwork, well, not fieldwork, but we really started diving in this year. So it took most of twenty twenty three to really prepare and get ready for the grading portion. And what that meant was restructuring our entire standing. We redid everything. We redid all of our policies, all of our, excuse me, our encryption methods, our standards when it comes to people transferring or new hires or terminations. We went through literally everything you can think of, honestly. And it was really actually quite a fun experience being a new security operations engineer for Censis because it was like a, I don't want to use the words throw into the fire because it wasn't a bad thing, but it was a, here you go, I want you to learn everything about this network right now. And it was good, it was really good. My team was awesome, very supportive. Myles and A-LIGN were extremely supportive. They answered every question. They guided us completely along the way. So it was good time. It was a very extensive time.
A fun trial by fire. I'm personally a fan of that happening, like with So I can, you know, there's no downtime. You you jump right in and everything's excitement and adrenaline.
Absolutely, right.
I'm not sure how many of our customers know this, but Censis is actually owned by a company called Fortive. How does this certification reflect on Censis at Fortive and with the other operational companies that Fortive owns?
Yep. So Fortive is known for their strong security posture.
We work with our Fortive team every day to make sure that our vulnerabilities are tightened, that all of our tools are being scanned and monitored. Fortive is very involved in cybersecurity. So when we went forward with HITRUST, we became one of the first opcos that they have to actually gain certification. If not the first, I would have to double check that. But the biggest part of that is every month Fortive rates and ranks all of the opcos that they own as far as their overall security posture. And that's graded on six different things that I won't get too deep into. But during this HITRUST certification process and the things that we had to implement, we actually became the highest rated opco out of all of them. So we scored a ninety five out of one hundred, which is the top score of all opcos.
That's awesome. That's that's and considering some of the companies owned by Fortive are they're big. They're international. They're you know, they've got, like, huge teams working on this. So that's really great that, yeah, that's great that Censis has all of that down pretty solid.
I definitely think it really speaks to our dedication to keeping customer data secure. And that's not to say the other opcos don't because obviously they do as well. But it's just a different facet and from a different angle.
Yep, exactly. All right, Myles, can you tell us about the level of certification that Censis has earned? There are different levels that have different implications for the company.
Yeah. So Censis, they achieved the i1 assessment. That was actually new as of last year, twenty twenty two. They reinvented it in twenty twenty three, made it more streamlined and fit with the other ones. They introduced this year the e1 assessment. The e1 assessment is a base control saying this is baseline security. There's only forty four controls out of it. You only test the implementation maturity. The i1 assessment with Censis just achieved is kind of the mid tier.
It is a hundred and eighty two controls. Once again, we are only testing implementation maturity. And then finally, the one that's been around the entire time is the r2 assessment. It's a two year certification. It has five different maturities. There's policy process implementation measured and managed. Most of the time, clients only do policy process implementation. So it's ranked from e1 being the easiest to r2 being the most difficult and stringent and dynamic. Now the i1 assessment is tailored to companies such as Censis where you're not dealing with ePHI and stuff like that. And you have the ability, like, you wanna go out and say, yes, we are HITRUST certified. So it's a perfect cert for you. And it's implementation based, but there's also policy process involved, which Brandi got to experience during that as well. So that's kind of the different layers of the HITRUST certification and how they all work together.
Nice. Thank you. Thanks for breaking that down in layman's terms because this is not my forte like you guys. So I'm hoping that helps our listeners understand what's going on too. With this certification, what does that tell Censis' customers about the level of safety that their data has within our software?
So partnering with the security that already comes with our partner AWS, which is Amazon Web Services, this says to our customers that we are safeguarding your information at the top level that we can. It's more than just fixing previous issues and patching up previous problems. This certification aims us and prepares us for potential future problems. So the changes that we've made and the safeguards that we've implemented make us proactive in protecting your information. So it all goes back to trust, confidentiality, and integrity of the information. And that's what we're heavily focused on.
Now that Censis has earned this, tell me what it looks like moving forward. Is this a one time thing, or do we need to recertify on a recurring basis?
Censis will need to certify every year. It's an annual certification for the i1 assessment. During the rapid recertification, which will be next year's process, it is sixty controls randomly selected. All the NA controls that Censis and A-LIGN work together to determine were not applicable, and then all the corrective actions that were identified. During the rapid recertification process, if one to two controls have been deficient, then Censis should be alright. If there's more deficiencies found, we'd have to open it up. But after that, the following year, it'd be a full certification. So it'll go a cadence of all one hundred and eighty two controls one year and then sixty controls the next year. And it'll be a continual process from there.
That sounds labor intensive, but I I guess this is not my forte, so I don't know what all goes into it.
Yeah. I will say the HITRUST process is very labor intensive compared to other attestations or frameworks. So and I think Brandi can attest to that too. It is not a process that companies jump into lightly. If they do, they usually end up spiraling out of control and failing. So, yeah, it can be very, very daunting.
Now, follow-up question to that answer, and I'm not sure which one of you would be better suited to answer. This is a surprise question. With that recertification, is this something that, like, every month, Brandi, for example, you would be working every month to start building whatever material or information needed for the next year, or do we just come in a year from now and jump into Censis software and look around?
Yeah. So actually, I've already talked with Myles about this. And A-LIGN, this is just a little bragging point on their company and specifically with Myles. They are so well organized and so well prepared, and I have all nothing but praise for their customer portal that we get to use. So I can. I can start a year from now, and it can be another trial by fire, which I'm not going to do.
Or through this portal, I can work on it throughout the year and I can be prepared. A-LIGN and Myles is not like a, hey, you're certified. We're not talking to you ever again. So it's team integration and it's definitely a professional relationship. So coming from both angles, Censis and my team and A-LIGN and their team, we can work on it throughout the year and make sure that we're good.
That's really cool. I'm glad that that relationship will continue and that it's so proactive.
Yeah. We do like to maintain that type of relationship with our clients just because, like Brandi said, if we could very much just say, Yep, you're certified. Good luck next year, but that doesn't help anyone. It's an expensive certification and it's a difficult one, so we try to make it as easy as possible.
So we're gonna work on wrapping up, but there's also a funny story tucked within this whole process and how long it has taken. Brandi, do you wanna tell us a little about that?
Yeah, so my lovely boss, Steven Boyce, he has been the one that has been just the guiding hand through this whole process. And he has been going through it because the first time we went through this process, the assessment, they were pregnant with their first child. So they brought their little baby boy into the world and he had to navigate parenthood, a certification, being an IT manager, all of the things at once. And then about seven months ago, they announced baby number two was on the way. So during this process, start to finish, Steven and his wife had two babies and completed a certification on top of it, which is awesome for them, awesome for us. It's been really inspiring watching them handle that.
That's pretty cool. Yeah, that Censis has been working towards this goal for so long that someone has managed to have two children.
Yeah. But that just shows the dedication of our company and of him and his wife to just keep going with life and and to succeed.
Yes, absolutely.
So question to both of you, you can each answer. If you were in the shoes of an IT director at a hospital, why would you look for a company with a certification like this? Like, how does it make it easier for them to implement our software?
So we're looking at from that point of view, the HITRUST certification shows that client or that person that they know they're actually stepping into a client with a mature security posture. It's not some startup where they're just like, well, we don't know if our data is going to be protected or not. They have assurance that it's going to be. So doing due diligence and validating all that stuff makes the process a lot easier because it's a reputable source. So, yeah, it just makes it cleaner all it just makes it cleaner just to do the entire process and to validate your third parties.
Yeah. And then to piggyback off of what he just said, it goes into credibility, which is really the major point of it. And when you compare it to a startup, for example, we're a very mature company when it comes to cybersecurity now. So we have the liability insurance. We have the cybersecurity insurance. We have every aspect covered to prepare and to let you know that your information is going to be safe with us and that we can back up our word.
Alright. Well, those sound like pretty strong arguments from my point of view. I know I I just read an an article of that that cloud based software in hospitals is is considered a high risk for cybersecurity. So the fact that Censis has been working on this for two ish years and, like, has earned it, feel like feel like Censis is almost ahead of the curve.
I would agree with that for sure.
All right. So final question to you both. What would you say to hospitals who are really concerned about cybersecurity and what they should look for when choosing a partner?
I think it kind of goes down to the same thing as if you were hiring a new employee.
You're going to look at their resume and you're going to see credentials. A degree is always something that's nice to see, but certifications are the nitty gritty hands on information. So like I myself, I have a master's degree in cybersecurity. The graduate certificate that I'm trying to pursue through SANS is years beyond a degree. So I think it really goes into the same field of certifications, make you really get in knees deep into the information and say, yep, I can do this. I've proved that I can do it, and I'm going to keep up with it.
Yeah, I'll agree with that sentiment. It's very much you have the certification, especially Censis having it and other people with it. Censis is one of the first ones in your field right now. So it is just that much stronger to a covered entity such as a hospital. So definitely kudos to Censis for going through this process and getting it when they didn't need to. That's more than I'd say ninety five percent of our clients there.
Well, we couldn't have done it without you and your team. I just want to make sure that that's very clear. Thank you for all of your assistance and help.
You're welcome.
Oh, that's fantastic. Well, kudos to Brandi and everyone on your team and kudos to Myles, everyone on your team for putting this awesomeness together and getting Censis the certification to really just prove how dedicated we are to our customers. You know, bottom line, that's what it is.
Thank you. Thank you very much.
Thank you both for joining me on this episode of ConCensis podcast. If anyone listening would like to learn more about the HITRUST certification, whether it's the process or what Censis went through, how could they reach out to you, Myles?
So I will say the easiest way is to just Google HITRUST. I believe A-LIGN comes up as one of the top searches, so you can reach out to us that way. Yeah. And just engage with A-LIGN through that. Most people will search for us.
Otherwise, that's the easiest way is just to contact A-LIGN. I'm not really a direct front runner in being that contract process. Once you're engaged with us and you follow the actual HITRUST practice and you're trying to get it, that's when I actually start talking to people.
Gotcha. Gotcha. Alright. Well, so folks listening, look up HITRUST. Brandi, if anybody's curious about the trial by fire process that you went through, is there an easy way they could reach out with any further questions?
For sure. You could follow the normal pathway through Censis. If you contact Censis, they would redirect you to me or I am on LinkedIn, I'm Brandi Guest. So either one is fine. I don't mind talking about it.
Awesome, cool beans. Well, thank you both again for joining me. This was a really cool discussion. I feel like I learned a lot and I hope our listeners also learned a few things. For our listeners specifically, thank you for being here. And if you would like to hear more from the ConCensis podcast, make sure you subscribe at Censis dot com or YouTube. Follow us on social media, and we will see you next time.