Many successful small businesses have one thing in common — the ability to see the big picture, envision what their success will look like tomorrow, and invest in it today.
At MXOtech, a boutique, women-owned IT solutions firm specializing in custom healthcare development solutions, this is definitely the case. But like every small business, it comes with its own set of challenges.
We don't have the expendable revenue big corporations have in spades. So, when given the opportunity to make an investment in our business — especially an opportunity with consequences that could have a significant impact on the future of our company — making a decision is serious business.
This scenario recently became a reality when, as a company, we faced the decision of earning our HITRUST CSF certification — a third-party accreditation designed to safeguard sensitive information and manage risk for healthcare organizations across all industries and throughout the third-party supply chain.
After industry leaders realized there wasn't a common security framework that could demonstrate adherence to and compliance with general HIPAA objectives, they established a certifying body to create one. They also wanted to protect companies, hospitals, and patients from information breaches — a threat that has become increasingly common in the healthcare industry. Enter the HITRUST CSF (Common Security Framework) certification. Created by HITRUST (Health Information Trust Alliance), this certification focuses primarily on healthcare data.
The Certification Process
For us, the potential benefits of this elite certification were clear. While most software development firms can build applications, many do not have the security safeguards in place to manage PHI data within complex, multi-field systems that can all communicate with one another. This is, however, MXOtech's sweet spot — building your custom software and managing your complex data. These combined services allow healthcare providers and patients to use the application, view the information they need, and collaborate on clinical projects, no matter their location.
Because of our unique place in the industry, MXOtech manages millions of patient records at any given time, and our customers know their information is properly handled and guarded. By taking the steps to become HITRUST certified, we can give our clients the highest level of assurance provided in the healthcare industry.
Still, this was a costly endeavor for a minority-owned small business. During the lengthy application process, we learned the certification is intended for larger systems, like major hospital systems and health insurance companies — a fact that ultimately put us on the same level as much bigger entities, but also added to the initial challenge of earning accreditation.
We collaborated with one of our largest customers to complete the certification. As the smaller company in the partnership, we took on the bulk of the risk as the expenses were more of a gamble for our growing business.
For MXOtech, this financial investment included, but was not limited to:
- A full-time security officer to document the HITRUST controls
- A project manager to be fully involved in the strategy to achieve the certification
- An auditing firm to prepare us for the certification
- Multiple software tools to protect our clients’ assets
In addition to the financial expenses, we needed to re-configure our business during the year-long process. We had several employees dedicated solely to acquiring the certification, going through the control items one by one and making alterations until we got it right. It was a big initiative for a small company, and it had a major impact on how we functioned as an organization during that time.
This was a critical decision for our company to make — we could embrace the effort of earning our HITRUST CSF certification and be able to provide our customers with the highest standards of service, or we could take the easier route toward a lower level of service. The benefits for both our company and our clients were just too important for us to pass up.
Achieving HITRUST certification raised our credibility in the healthcare application development industry. But more than that, it fell in line with what our customers in all fields, both current and future, are looking for. In fact, an added benefit that resulted from our certification is that MXOtech now meets the standards set out in the NIST Cybersecurity Framework — a set of standards, guidelines, and best practices to manage cybersecurity-related risk. This offers yet another level of protection to our clients.
For the last 13 years, we've been providing these services to our customers and we've invested a lot into our projects and relationships. For us, the decision wasn't just about the potential growth of our business. If we didn't do it, we ran the risk of losing everything we'd worked so hard to accomplish.
The hard work we put into earning our certification reflects the highest standards that we place on ourselves. We don't cut corners with federally protected healthcare data — and that's what sets us apart from our competitors.
At MXOtech, we understand how to build a web app that accomplishes your business goals. We’ve helped companies across different industries to reduce costs, streamline processes and achieve better efficiency with custom business applications while maintaining the highest security standard.