In January this year, MRIoA was notified that we had earned our HITRUST certification. This came after a yearlong effort to update and implement policies that are HITRUST compliant. Fortunately, MRIoA’s security culture made adapting to the required changes only slightly painful, and as a result our program is stronger than ever. To further demonstrate our commitment to the HITRUST certification, MRIoA will be undergoing a Service Organization Control Trust Service Principles (SOC 2 Type 2) audit at the end of this year. The American Institute of CPAs (AICPA), which audits and delivers the SOC report, has worked with HITRUST to extend the report to include the HITRUST controls. This will be a great document to share with our clients looking to better understand the maturity of our program.
As part of a HITRUST-certified security program, or any good security program, entities should always be investigating ways to improve their security controls and overall security awareness. With phishing attacks still being one of the most successful attacks against organizations, we partnered with the leading firm in phishing awareness to continually test, monitor and report our staff’s ability to identify phishing attempts. Email links clicked, or documents downloaded from these test phishing emails, will help us identify weaknesses and provide more specific training to our more vulnerable employees.
One additional security feature we will be releasing on our ClientTools portal will be the ability for clients to opt their users into requiring dual-factor authentication in order to connect with our website. The implementation will require that a randomly generated code be sent during the login process to the email address on file for that user. The login process will only complete when the code is successfully entered within a limited time window. This process will require the user not only to know the username and password, but also to have access to the email account of record. Combining this with our clients’ ability to restrict access to our site from specific IP addresses for their users will greatly reduce unauthorized access due to compromised credentials. More information about this feature will be forthcoming.
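The login flow described above, sketched as an added example (not MRIoA's code), covering the emailed code, the time window and the per-client IP restriction. The six-digit code, five-minute window, five-attempt limit and all function names are assumptions, since the post specifies none of them.

```python
import hashlib
import hmac
import secrets
import time
from ipaddress import ip_address, ip_network

CODE_TTL = 300       # assumed window in seconds; the post says only "limited"
MAX_ATTEMPTS = 5     # assumed cap on guesses per issued code
SERVER_KEY = secrets.token_bytes(32)   # keeps plain codes out of the store
pending = {}         # username -> {"mac": bytes, "expires": float, "attempts": int}

def code_mac(code):
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()

def ip_allowed(addr, allowed_networks):
    """Per-client IP restriction; an empty list means no restriction is set."""
    if not allowed_networks:
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in allowed_networks)

def issue_code(username, now=None):
    """Call after the password check passes; email the result, never log it."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"     # CSPRNG, not random.randint
    pending[username] = {"mac": code_mac(code),
                         "expires": now + CODE_TTL, "attempts": 0}
    return code

def verify_code(username, submitted, now=None):
    """True only for the right code, inside the window, once."""
    now = time.time() if now is None else now
    entry = pending.get(username)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del pending[username]                    # expired or guessed out
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["mac"], code_mac(submitted)):
        del pending[username]                    # single use
        return True
    return False
```

Without the attempt cap a six-digit code could be guessed within the time window, so the cap and the single-use deletion matter as much as the expiry.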
Again, we always look forward to your feedback about anything we can do to improve our service and security. Please feel free to contact me at any time with your thoughts and ideas at email@example.com.
Donald Murphy Jr. MS, CISSP
Vice President, Information Technology