Was the Gap Analysis Worth It?

by Sarah Harvey / December 18th, 2018

What is a Gap Analysis?

When an organization pursues an audit for the first time, we strongly recommend starting with a gap analysis. Why? The truth is: we don’t want you to fail the audit. We want to help you prepare for the audit so that you can meet your challenging compliance goals, and we want to educate you on what you’re getting into when you pursue an information security audit. A gap analysis at KirkpatrickPrice means working with an Audit Support Professional and an Information Security Specialist to identify any operational, reporting, and compliance gaps in your organization and advise you on strategies for remediation. Gap analyses ask and answer, “How are we doing compared to what regulations require?”

Instead of jumping into an audit without knowing what your organization should expect, a gap analysis can prepare your organization to remediate any identified gaps. Let’s take a look at Paubox, a HIPAA compliant email solution platform, to see what benefits they found from a HITRUST CSF™ gap analysis.

Lessons Learned from Gap Analysis

Many organizations do consider undergoing a gap analysis before an audit but are unsure it’s worth the cost or effort. Well, there’s a reason that our clients tell us that a gap analysis was the best decision they made. We always recommend a gap analysis to first-timers is because you will have actionable items to remediate as a result of a gap. You won’t be playing a guessing game of what might be tested in an audit or unsure of what the audit process will entail.

Paubox recently underwent a three-day onsite gap analysis in pursuit of HITRUST™ compliance. According to Hoala Greevy, the founder and CEO of Paubox, they came away each day with several takeaways.

Day One

  • There are approximately 320 control statements to be addressed in the assessment.
  • Document everything.
  • Paubox was introduced to the CIS 20 Critical Controls.
  • How do Paubox’s vendors demonstrate HIPAA compliance?
  • What is the definition of “scope” for a HITRUST assessment? Anything that affects the security of the system is in-scope.
  • What is in-scope for Paubox’s assessment?
  • You must know where the data lives, where it’s stored, where it’s processed, and which systems transmit it.
  • What kinds of risk assessments have been done so far? Have they been scored?
  • “Formal” is another way of saying “documented.”
  • What change management processes are in place? How are changes managed?

Day Two

  • A passing score of 3+ in every domain is needed to pass HITRUST, or 3 with Correction Action Plans (CAPs).
  • Corrective Action Plans must show progress at the one-year mark or be resolved.
  • Google only recently attained HITRUST certification.
  • Web Application Firewalls are a necessary component of HITRUST.
  • According to HITRUST, “The organization does not send PII/PHI over facsimile (FAX), unless it cannot be sent over other, more secure, channels e.g., delivery by hand, secure email.”

Day Three

  • HITRUST has a unique definition of the “contractor”and it’s important to know their meaning.
  • Two-factor authentication for all critical services is vitally important.
  • A customer identification process for incoming phone calls and emails must be formally documented.
  • User access controls must be well-defined.
  • A documented hierarchy of PHI access levels must be established.

Paubox’s Compliance Journey

Paubox has already passed two independent HIPAA compliance certifications, but HITRUST compliance will help take their security efforts to the next level. Paubox is part of HITRUST’s new program specifically created for start-ups – the RightStart Program™. Compliance efforts require a time, personnel, and financial investment that can be straining on start-ups, and HITRUST recognized this need that it could fill for start-ups pursuing HITRUST compliance.

“The RightStart Program gives us the ability to adopt a security framework that will scale with our organization and provide brand name peace of mind to our customers, partners and investors,” said Greevy. “HITRUST provides us with the tools for secure, compliant growth needed to increase our bottom line. Our customer focus demands we have security, compliance, and risk management in place by design and not as an afterthought.”

Paubox has positioned itself as the only secure HIPAA compliant email solution with zero-step encryption on all sent emails. As a start-up whose business relies on information security certifications and compliance, gaining HITRUST compliance will be a game changer for Paubox. Even with HIPAA compliance certifications, they still made the decision to undergo a HITRUST gap analysis. This, as well as taking part in HITRUST RightStart program, is evidence of their commitment to providing a secure service.

To learn more about Paubox and their HITRUST journey, keep reading:

Paubox Gets on RightStart With New HITRUST Program

HITRUST CSF Gap Analysis for a Silicon Valley Startup

HITRUST CSF Gap Analysis (Day 2) for a Silicon Valley Startup

HITRUST CSF Gap Analysis (Day 3) for a Silicon Valley Startup

Is your organization considering a gap analysis but unsure if it’s worth it? Contact us today to discuss your compliance objectives and how we can help.

More Resources

What is a Gap Analysis?

Will I Fail the Audit? Reasonable Assurance Explained

Preparing for a HITRUST CSF Assessment