LuxSci Achieves HITRUST CSF Certification

LuxSci announces today that it has achieved the HITRUST CSF Certification, the gold standard and most widely adopted security framework in the healthcare industry.

What is HITRUST CSF Certification and why should it matter?

Today, we are very proud to announce that LuxSci has achieved the HITRUST CSF Certification, the gold standard and most widely adopted security framework in the healthcare industry. The full fleet of LuxSci services, including Secure High Volume Email Sending, Secure Marketing, Secure Email Hosting, Secure Connector for Microsoft 365 and Google Workspace, Secure Forms, Secure Texting, and Secure Web Hosting, were audited by our third-party assessor, Security Compliance Associates, and have earned Certified status for HIPAA and GDPR under HITRUST.

Well, “what does this mean” you might ask.

Practically, it means that our security team spent a lot of time over the past year working with the assessors to provide evidence that LuxSci is really following all of the security best practices required by HITRUT for us.  I.e., HITRUST certification goes far beyond any self-attestation compliance.  The assessors check every single one of the requirements and obtain proof that they are being properly met.  They write up a detailed report on every single one and submit that report to the HITRUST alliance where it is reviewed again.  In this way, HITRUST really certifies that we are “doing all of the right things” across all relevant security domains.

Who needs a HITRUST certification?

A HITRUST certification is not federally mandated for HIPAA compliance; indeed, there is no one certification that is federally mandated for compliance.  However, HITRUST is considered to be the most thorough and comprehensive compliance framework available for HIPAA and it has been adopted by over 80% of hospitals and health plans as of 2015.  Any organization that wants to demonstrate compliance and a commitment to continued compliance in a way that is understood, accepted, and applauded by the health care industry needs HITRUST.

Why should LuxSci’s customers care?

Well, achieving HITRUST CSF certification validates the security-first positioning which has been and will continue to be the very reason our customers trust us. Our customers require assurance that we meet their security needs and requirements; they do not want to just take our word for it.  Now, we can hand them our HITRUST attestation and they can feel at ease.

Our customers also know that security is a process: you are never “done being secure.” The HITRUST CSF model evolves with the security landscape and our customers know that it is a great benchmark for providing an assurance that LuxSci is evolving in parallel.

Finally, this certification is a serious commitment.  It takes an ongoing investment to achieve and maintain.  It is exactly the kind of investment that one should look for in a vendor/partner that will grow with you for the long term and protect your security interests.

What does HITRUST require?

Applying for HITRUST is not for the feint of heart.  There are myriad detailed requirements applying to businesses of all sizes without any of the particularities of LuxSci in mind.  Getting through HITRUST needs not only a high level of security expertise, but the mind of a lawyer and the sleuthing ability of Sherlock Holmes at times to convert some of its general requirements into concrete meanings specific to the context of LuxSci.  In the end it was like putting the last piece into a 10,000 piece-puzzle: we knew we could do it–it would just take time.

HITRUST requires proven adherence to hundreds of different controls across 19 different areas, including:

1. Information security and protection program
2. End point protection (laptops, servers, and devices)
3. Portable media controls (thumb drives and the like)
4. Mobile device security (laptops, cell phones, etc.)
5. Wireless access (WiFi security)
6. Configuration and change management
7. Vulnerability detection and management
8. Network security protection
9. Data transmission protection
10. Password strength and management
11. Access control to servers and software
12. Audit logging and monitoring
13. Employee education, training, and awareness
14. Third-party contracts and management
15. Incident response and management
16. Business continuity and disaster recovery
17. Risk assessment and management
18. Data center physical security
19. Data protection and privacy

What doesn’t HITRUST cover?

HITRUST is simply a security compliance framework by which one can evaluate if a company’s devices, services, and practices are in line with HIPAA and other legal requirements (like GDPR – General Data Protection Regulation).

It does not evaluate the level of security of a service beyond these baselines.  There are many, many ways to comply with HITRUST.  Some are more secure and less risky than others.  At LuxSci, we provide a framework in which everything you do can be HIPAA compliant, but where you have a great deal of flexibility in choosing where your services with LuxSci land on the scale from, in a general sense, “compliant and secure” to “compliant and extremely secure” based on your particular business needs.

As one simple example, a cloud service can be setup using a common “shared service” infrastructure, where everyone’s data flows through and is stored on the same machines, a “dedicated server” infrastructure, where individual organizations are separated on to separate servers and those are isolated from each other, or a “dedicated footprint” where a customer’s services run on physically separated dedicated hardware.  Each of these scenarios can meet HITRUST if done properly; however, they have vastly different security profiles.  LuxSci has customers at each of these levels, where the choice is based on these customers’ own budgets, business practices, risk levels, capacity/scale requirements, and the nature of the LuxSci services involved.

As LuxSci follows best practices for security and privacy, we will continuously maintain our HITRUST CSF Certification status. I would be remiss in not thanking our loyal customers for their support over the years. We are committed to helping them maintain the highest standard of security and compliance in the context of solving their particular business problems. It gives me joy ever day to serve you. Thank you.

• Erik Kangas, CEO