Our HITRUST Certification is worth bragging about—and here’s why

Rahul Valsan
December 13, 2018

We recently announced that that the Talix Coding InSight platform has again earned the HITRUST Certified status for information security. (That’s right—for the second year in a row.)

At face value, HITRUST CSF Certified status indicates that our platform meets key industry regulations and requirements for protecting sensitive, private healthcare data. That’s a pretty big deal in and of itself, as anyone familiar with the numerous standards at play in the healthcare world—such as HIPAA, ISO, NIST and COBIT, to name a few—can attest.

But here at Talix, we believe earning a HITRUST certification indicates a deeper level of commitment to security than many companies realize.  And Talix was the first NLP-enabled risk adjustment company to achieve this coveted security certification for the second year in a row.

What is the HITRUST certification anyway, and why did Talix pursue it?

I won’t go into the nitty-gritty details of how HITRUST started and what exactly the framework encompasses. You can read much of that on the organization’s own website, including this synopsis:

“Developed in collaboration with information security professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security framework. Because the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements. By continuing to improve and update the framework, the HITRUST CSF has become the most widely-adopted security framework in the U.S. healthcare industry. This commitment and expertise demonstrated by HITRUST ensures that organizations leveraging the framework are prepared when new regulations and security risks are introduced.”

Boiled down, this means that the HITRUST CSF neatly packages the healthcare industry’s copious and complex compliance standards into a single framework. This is a win-win scenario for solution providers and healthcare companies alike.

  • For companies like Talix that provide technology solutions within the healthcare space, this “single overarching” approach greatly simplifies our ability to develop technology that meets regulations and protects our customers’ valuable data. Rather than laboriously engineering applications to disparate standards and company requirements, we have a more holistic, uniform view of what is necessary to reduce risk. This also makes other aspects of our business easier—including sales, where we often see RFPs requesting an outline of our compliance certifications.
  • Likewise, our customers and prospects appreciate the HITRUST CSF certification because they have a baseline by which to measure vendor security. Not surprisingly, HITRUST is now the most widely adopted security framework in the healthcare industry. When our customers see it, they can immediately determine that we’ve covered every base.


How exactly did Talix earn this certification?

First of all, it’s important to note that there are actually two levels of HITRUST CSF assurance: self-assessment and validation.

  • Self-assessment is what it sounds like; companies gauge their own products’ scores on a risk assessment questionnaire. Bottom line: It’s not exactly comprehensive or unbiased.
  • Validation, on the other hand, requires the use of a third-party, independent HITRUST CSF assessor and is the more difficult and rigorous level. Certification is only granted if you meet or exceed the scoring requirements for validation—and for third-party assessors, those requirements entail far more than a questionnaire.

Naturally, Talix has opted for the more difficult certification path for the past two years. And I’m going to be honest—it’s an arduous six-month testing process that many companies struggle to pass. That’s because, over this period of time, the assessor scrutinizes your technology inch by inch to determine maturity across five different question areas:

  • What policies or standards are in place?
  •  Are there processes or procedures to support those policies?
  • Have they been implemented?
  • Are they being measured and tested by management to ensure effective operation?
  • Are the measured results being managed to ensure corrective actions are taken as needed?

Ultimately, HITRUST Certification requires a minimum score of 3 in each of these five areas, and I’m pleased to report that Talix scored the maximum 5 in almost every case. The maturity of our application security isclearly baked in at the deepest level.

But here’s why earning the HITRUST certification is a really big deal that sets Talix apart

First, as mentioned previously, becoming HITRUST Certified is a rigorous and comprehensive process that not every company or application can manage. That’s why displaying this designation does more than show that we“meet standards.” Rather, it demonstrates our company’s unwavering commitment to delivering a secure product and protecting our customers. You can tell that Talix places a huge priority on security by the time and effort we expend in succeeding at this task.

Secondly, this certification is a big deal because it’s not just about technology. When we undertake a full validation assessment, it’s avast, multi-department effort. Over the course of the testing process, we must provide input not only from Engineering, but also from IT (with respect to the security of our own internal office equipment across all locations); Sales(with respect to meeting customer needs); HR (with respect to ensuring background checks on all our employees). It’s truly all-encompassing, covering every single policy, procedure, and element of our physical and operational efficiency and security.

Finally—and here’s where I’m really going to brag for a moment—Talix stands apart from many tech vendors in this space because we’ve done this certification process twice now. Earning the certification in back-to-back years is tougher than you might imagine, too, because we not only had to ensure that what we did the first time around is still functional and in place, but we also had to show how we’ve improved on our initial work. Why? Because security and compliance requirements are constantly shifting, so technology like ours cannot remain stagnant. We must continue to adapt and get better, year after year, to keep up with our customers’ changing needs.

In summary, we hope our customers—and indeed every company in the healthcare space—take the HITRUST Certification status seriously. We certainly do. Make no mistake: Talix has placed the utmost importance on security from day one. We incorporate a multi-pronged approach across the board, from monitoring and dataloss protection to logging and regular auditing. It’s truly part of our DNA asa company. We encourage you to learn more about HITRUST CSF, and connect with us if you have questions regarding your data protection. We’re here to help.

Rahul Valsan is the Chief Information Security Officer, CPO and Senior Program Manager at Talix
View all Blog Posts