Count On Coffey
Issue 3, 2026
Does your website partner prioritize security?
By Mike Glencross, Chief Information Security Officer
You take seriously your organization's responsibility to protect consumers' private and sensitive data—including information stored on your website and in a vendor's systems. Your website and marketing partner should bring the same level of rigor.
Before you hire anyone to build, host, maintain or support your digital marketing, ask one direct question: Are you HITRUST-certified?
What HITRUST certification means
HITRUST certification is issued by the HITRUST Alliance, a respected third-party organization that evaluates information security programs. Earning certification signals that an organization can follow strict, validated requirements to help protect sensitive data.
In practical terms, a HITRUST-certified organization must be able to demonstrate that it:
- Follows rigorous security policies and operational processes aligned to recognized industry standards.
- Maintains secure systems for services like web hosting and data handling (including platforms used for communications).
- Documents controls and completes a formal assessment process designed to support compliance expectations, including HIPAA-related requirements.
Security isn't one control—it's layers
HITRUST is a strong indicator, but it should not be the only indicator. A serious partner will also use layered protections, such as:
- Encryption for data in transit and at rest.
- Firewalls and network monitoring.
- Bot protection to reduce automated abuse.
- Rate limits and timeouts that curb repeated automated activity.
Cybersecurity is bigger than IT
Security is not just a technology issue. It's a company-wide discipline. The right partner will have safeguards across departments—IT, software development, HR and finance—because people and process are part of security too.
Look for signs of maturity, including:
- A designated security officer and HIPAA compliance officer.
- Regular HIPAA awareness training for new and current employees.
- Active monitoring for breaches and suspicious access, including unauthorized devices, accounts or software usage.
Website partner security checklist
A strong partner should meet the following criteria and be able to provide documentation where appropriate.
Certifications and independent validation
- HITRUST CSF certification: Is it current and in good standing? (Ask for dates and scope.)
- Security assessments: Will they share a recent third-party assessment summary or attestation?
- Compliance alignment: Can they describe how their controls support HIPAA expectations for handling sensitive information?
Data handling and privacy
- Data minimization: What data do they collect, store or process—and why?
- Data retention: How long is data retained, and how is it securely disposed of?
- Access boundaries: Who can access your data and under what circumstances?
- Tracking posture: If your organization limits tracking, can they support "no tracking" configurations and governance?
Technical safeguards
- Encryption: Is data encrypted in transit (using TLS) and at rest?
- Network protections: Are firewalls, monitoring and threat detection in place and actively managed?
- Bot protection: Are there controls to reduce scraping, credential stuffing and form abuse?
- Rate limiting/timeouts: Are there protections that reduce repeated automated attempts?
- Secure hosting: Can they describe how the hosting environment is secured and monitored?
Identity and access management
- Least privilege: Do users get only the access they need to do their job?
- Multi-factor authentication (MFA): Is MFA required for systems that access client environments and data?
- Offboarding procedures: Is access removed promptly when staff or contractors depart?
- Logging: Is access to systems and sensitive data logged and reviewed?
People and processes
- Security leadership: Is there a designated security officer (and HIPAA compliance officer, where applicable)?
- Training: Is there regular security and HIPAA awareness training for all staff?
- Background checks: Are employees with elevated access appropriately screened?
- Secure development: Are there documented practices for code review, testing and patching?
Incident response and accountability
- Incident response plan: Is a documented and tested plan in place?
- Breach notifications: Do they include clear timelines and escalation paths?
- Business continuity: Are backup, recovery and continuity procedures defined?
- Contract clarity: Are security expectations, responsibilities and SLAs explicit?
Count on our security
Coffey's web hosting and mailing services data systems are HITRUST CSF-certified. To learn more about Coffey's security commitment, call 888.805.9101 or email us at coffeycomm.com.