Cracking the Code, Ep. 9: Making HITRUST Work for You
ClearDATA CISO Chris Bowen discusses the benefits of HITRUST certification with David Levinger, SVP of Operations at Machinify.
Achieving a HITRUST certification on your own takes time and careful planning in order to show proof of the hundreds of controls that might need to be put in place. As a HITRUST certified organization, ClearDATA can help you accelerate your certification process through our HITRUST Inheritance Program, which allows you to inherit certain controls based upon your work with us as a customer.
ClearDATA customers leveraging the ClearDATA cloud platform are eligible to participate in the HITRUST Inheritance Program. This program enables ClearDATA to make its relevant assessment scores available for inheritance into any organization’s assessment. Through our HITRUST Inheritance Program, customers have been able to inherit up to 45% of the controls directly from ClearDATA.
Contact us to learn more about our HITRUST Inheritance Program.
Transcript
0:07: Hi everybody.
0:07: My name is Chris Bowen.
0:08: I am ClearDATA’s CISO as well as the founder of the company, which really to most people means I came with the furniture, if you will.
0:16: I am honored today to be speaking with one of our longtime customers, David Levinger, who is the senior vice president of operations at Machinify.
0:27: David is, leads the the DevOps organization, including the IT, information security,
0:34: compliance. He wears all kinds of hats and it looks like you drew the short straw, David, on on all those duties.
0:41: I’m sorry to, sorry to have to tell you that.
0:45: Yeah.
0:46: Yeah, David brings a lot of expertise in cloud transformations, by the way, he is a an expert at big data and distributed computing.
0:55: He has 20 plus years of experience running operations teams within startups as well as public companies.
1:01: He’s designed and he’s managed scalable and secure infrastructures at Epiphany, guide where software, pardon me, Guidewire software, Pasada and David is a an alumni of Western Governors University with a BS in Cloud and Systems Administration.
1:23: So David, welcome to the to the show, if you will, and it’s it’s lovely to have you here.
1:29: Appreciate it.
1:32: Can you tell us a little bit more about your company, David?
1:35: Yeah, absolutely.
1:36: Thank you so much for having me today.
1:39: Machinify is a healthcare technology company.
1:42: We develop cloud-based artificial intelligence powered software to solve primarily payers’ business challenges.
1:49: Our software products are, are customized to replace rules-based technology with machine learning, and all that lives in the cloud.
1:57: At scale, a lot of big data, a lot of distributed compute, and, whenever you’re doing any of that type of technology, it means you also have access to a lot of healthcare data.
2:07: So, working, working with the security and compliance stuff, like you said, I, I drew the short straw.
2:13: It’s very true.
2:14: It’s, it’s complicated and challenging, but it’s also essential to running any business in, in the healthcare space.
2:21: Yeah, I mean it, it’s it’s one of those where you used to have a lot more hair.
2:25: It’s thinning out, it continues to thin out because if you think about all of the the challenges in healthcare technology, it’s, it’s under attack and and so.
2:34: Yeah, I had much less white hair before I started in the beard, but I I try, I just look ridiculous with a beard, but, tell us, David, how did your company come to meet ClearDATA?
2:44: I’m I’m curious about that story.
2:46: I I I remember it.
2:47: I just don’t remember all the details of it, so help us, help us remember that.
2:51: Yeah, so we were actually introduced, pretty early on when we were starting into the, the healthcare journey as a potential partner to help us accelerate, into that space in a way that, would make our customers feel, feel comfortable.
3:06: So I was introduced to you from, from our chief operations officer who I believe was introduced to you by one of the healthcare companies we’re talking with or someone on our board.
3:15: I it’s one of those two things.
3:17: It was very early on in my tenure here at Machinify.
3:21: It was like, welcome to Machinify.
3:23: Hey, by the way, we’re looking going into healthcare, and here’s a company you should talk with to change everything that we’re doing here to make, to make that happen.
3:30: So it’s kind of a whirlwind introduction, but it’s turned into a very fruitful, relationship over the last, gosh, I guess it’s been almost.
3:38: Almost 4 years, I think we’ve been working together at this point.
3:41: And in and in cloud world, that’s a long time, right?
3:45: It’s like 7 years, yeah, very long time.
3:49: Things change so, so much in a public cloud.
3:51: It’s hard to stay in front of it, hard to stay on top of all the changes and all the new services that come out, let alone the, the shift in, you know, going from virtual machines to serverless to, you know, low code, no code kinds of situations.
4:06: Now we’re, you know, fully involved in artificial intelligence as you, as you know so well.
4:14: A lot of what we’ve done at ClearDATA is is work to make sure that controls are in place for those services, so that you can operate successfully and quickly and and not have to to wait inordinate amounts of time for something to actually work.
4:31: We’ve gone through the process of HITRUST, and we just finished our HITRUST 9.5.1 certification, which is now our fifth.
4:39: 5th certification and which spans a 10 year period of time.
4:46: And we’re excited that you have been able to take advantage of that.
4:51: Help us understand how you took advantage of what we did on on the HITRUST certification front.
4:58: Yeah, absolutely.
4:59: So we, we just achieved our HITRUST certification as well, as of like hot, hot off the presses as of a couple of weeks ago, and that was, more than a year-long journey of working with, you know, countless folks in Germany, but also you guys a lot on, on how do we do this.
5:17: But even before the HITRUST certification, working with you was able to unlock a lot of doors for us in talking with healthcare companies and, and breed a lot of confidence.
5:28: In, in a couple of different facets.
5:29: One, that we were taking, the security of this data very seriously, which is really, really important.
5:35: So even before being HITRUST certified, being able to talk about being in a HITRUST certified environment, having certain controls, run by ClearDATA helped significantly.
5:45: And then as we started into the HITRUST journey, right, we got obviously a lot of guidance from you.
5:49: And then the inheritance, which, if I’m remembering was just over half of our controls were actually inheritable either partially or completely from ClearDATA, which means that, that year of effort we spent would have been much longer if we were trying to do it without, without any of that help.
6:06: So I’d say all of that together, like, it was deal acceleration before we had a HITRUST certification, acceleration of becoming HITRUST certified, and then that overall customer confidence along the whole journey that we’re doing it right, we’re taking it seriously, and we’re working with, you know, unknown entity out in the healthcare space that, that these companies recognize as, as taking all this seriously as well.
6:29: Any fun examples of how a deal was was able to be kind of greased if you will, to, to make that happen in a shorter way.
6:38: I know a deal cycle, it’s important to a startup and it’s important to young companies as well.
6:45: Love to hear your story.
6:47: Oh yeah, oh jeez, let’s see.
6:50: I mean, the, the worst, so first off, the first question they always ask is, do you, do you have, are you certified?
6:56: Do you have HITRUST certification?
6:57: And you’re like, no, and they’re like, excellent.
7:00: Here’s a 350 question survey to fill out, and you’re like, That’s 350.
7:08: That’s a lot.
7:09: That’s a lot.
7:11: That’s a lot of questions.
7:13: Since you’re going through and you’re answering these questions and, and the goal in that, of course, is, is to breed confidence, right?
7:18: It’s not just to, you know, obviously you’re going to be answering them honestly, but you, you want them to read those answers and think, aha, this is a company I can trust because you’re trying to, to move that deal forward.
7:30: So I’d say, you know, we, we use the phrase that we operate in a clear trust.
7:35: Sorry, that we operate in an environment which is HITRUST certified, run by ClearDATA.
7:43: That phrase, I mean, I must have said it thousands and thousands of times.
7:48: And if, if I was talking with a company that wasn’t familiar with you, there were times where they’re like, I don’t understand.
7:54: I turned your website, show you the certifications, and then they’re like, oh, got it.
7:58: So you’re not HITRUST certified yet.
8:00: But you’re operating in that environment, and there’s aspects of the controls that you don’t even have control over.
8:05: And I’m like, absolutely, I don’t even want control over them, right?
8:08: Like you can trust us, because you can trust them.
8:10: And then they would have follow-up questions.
8:13: So it, it became kind of a mantra that, that we would say over and over and over again.
8:18: But then it also, like when we talked with the security and compliance folks, once they started to understand what that meant, things went from like questioning to instantly like, oh I get it.
8:31: Yeah, no, this is the real deal.
8:32: Cool, let’s move forward, to the POC and and that sort of thing.
8:37: Yeah, we’ve had those kinds of exciting times as well.
8:41: One of the things I still try to help our prospects with
8:46: is the understanding and the actual meaning of what third party assurance means, because they’ll throw you that 300, 400.
8:55: Recently we got one is what was a 900 question survey.
8:58: Oh my God.
8:59: It was crazy and and we had to say, well, you know, we could write down the answers to that, but wouldn’t you rather have somebody who’s audited this thing twice, not only from the assessor, but also the HITRUST Alliance, and made sure that it was legit?
9:15: We actually had a prospect, this is funny, take our HITRUST report and then write answers in their spreadsheet so that they could complete their their questionnaire according to their own policies rather than just use the the the the report itself as as that assurance.
9:36: To each his own, I suppose, but for for most customers, for most pros prospects, they’re like, give me that HITRUST report and let’s call it a day.
9:45: It’s it’s it’s as simple as that.
9:47: Tell me about your market opportunities as it relates to HITRUST, including some of your investors, are they, are they thinking about HITRUST with you at this point in your journey?
10:01: Are they mentioning it in your board meetings at all?
10:03: Ever?
10:04: What, what’s, what’s the temperature like there not to have you expose anything in behind the board meetings, but sure, sure, yeah, I mean, I would say on the, on the customer front.
10:15: You know, you have the customers that won’t talk to you until you have it.
10:20: They’re like, you’re not HITRUST certified.
10:22: Come back when you are.
10:24: You have the customers that are willing to entertain it, right, the ones that are looking like a little bit ahead of the game, they’re like, hey, I wanna get, I want to get ahead of the curve, and more strategic thinking.
10:33: I’m willing to take a little bit of, a little bit more risk, but I would say largely,
10:39: it’s, it’s the amount of people you have to keep having those conversations with that diminishes once you have the certification.
10:46: So beforehand, it’s like, I talked to a prospect, they’re like, you sound, this company sounds amazing.
10:52: I think you can revolutionize our business.
10:53: This is wonderful.
10:55: But you’re gonna have to talk to security person X.
10:57: And I talked to security person X and they go, You’ve really put my mind at ease, but you have to talk to compliance person Y.
11:02: And then I talked to compliance person Y, and they go, you really sound like you got your stuff together.
11:06: This is great, but unfortunately, we have to escalate this up to the VP level or this, and you’re just like, OK, and you’re having all these conversations, and, you know, it’s, it’s tiring personally, but that’s not, that’s, that’s fine.
11:19: The part that’s frustrating is, you know, the first person you talk to is like, how many more of these conversations do you need to have to get, to get over the, over the line, right?
11:29: And so I would say at the, at the board level, at the investor level, it really comes down to that same thing, right?
11:34: When you enter into healthcare, you really need to have a good story around HIPAA, and then pretty quickly around HITRUST.
11:42: And if you don’t, things just move slowly.
11:45: And no investor likes to hear, Well, give me another year, and then I’ll be where I thought we could be because there’s all this compliance and security stuff.
11:53: And the good news is that, that, you know, on our side, everybody’s very supportive.
11:57: They’re like, no, security first, compliance, absolutely, like, you cannot take any risks in those, in those arenas.
12:05: But we still want that sale to close, and we still want that customer to expand.
12:09: And, and I guess that’s the last part I would, I would touch on is expansions.
12:13: Because you think, like, I did it.
12:14: I filled the questionnaire out, I got through all the hurdles, they signed with us.
12:18: We’re live.
12:19: We have some stuff in the future to, to come back and, and figure this out, but, but we did it.
12:24: And then you go to try to do your first expansion.
12:27: And you realize that this is a large enterprise and every department or wing or person you’re talking to, they have a different set of people you need to speak to.
12:36: They have a different set of questionnaires you need to fill out.
12:38: We had customers where we were reporting on our journey for HITRUST, and we had to report to 4 different organizations in the company on the status of HITRUST because there were 4 different ways that they looked at it based on which business unit were you interacting with, right?
12:55: So like, it just truly cannot be understated how now it’s just like, here is the certification, and they go, oh cool, I’ll forward it to the other 3 units, like we’re good, we’re good, move on.
13:05: So.
13:06: You know, that’s I, I feel you, man, because I’ve, I’ve been there and I’ve had those conversations over and over and over.
13:14: We know that HITRUST is a snapshot, though.
13:17: So going forward after the HITRUST certification, you got your letter, you’re operating, you’re you’re in production.
13:24: You know, have you found any value from the, the reporting from the cyber health platform to show you where you’re at from a compliance drift perspective?
13:33: Has that been helpful in your, in your journey at all?
13:36: Yeah, I mean, I’d say reporting just in general, anything that helps you get a view of where you are, where you’ve been, where you’re going, makes everything easier, right?
13:46: Like, And especially when you got into that operational mode, you don’t want to be like, you know, 34 months and then go, 0000, I made a mistake.
13:56: I would say even more than the reporting, it’s the automated safeguards, right?
14:00: It’s knowing that we can’t do certain things, like it is not possible for them to happen.
14:05: And if it does happen, we’re, you know, they’re auto remediated, we’re notified, and it’s cleaned up, right?
14:11: Like, in my mind, I love reporting as a form of, of showing that we are doing what we say that we’re doing.
14:18: But I dislike it as a way to say catching the problem, right?
14:22: Like, I don’t like catching a problem through reporting.
14:25: I mean, it’s great because sometimes you’ll catch a problem you didn’t know you had, right?
14:28: And that’s really very, very valuable.
14:29: But the automated safeguards, the ability to say, like, no, this is a thing that cannot happen, or this is a thing that must happen.
14:35: And you guys have worked with us on actually creating some that even are more specific to us, like policies that we have that are then implemented and enforced by ClearDATA.
14:45: So again, they’re out of our, our control like we had control in the creation of them, but now they’re out of our control from an implementation perspective, which means that when we go to create a new thing, we know that these downstream effects are gonna happen and the automated safeguards are kind of, you know, keep us safe, right?
15:00: And that resonates with the auditors, that resonates with customers. You know, not all HITRUST certifications are created equal, right?
15:08: They still want to have faith that, the narrative matters, right?
15:12: They still want to hear like, well, how did you solve that problem?
15:15: And the automated aspects of it and the way that that, that works, is like the best answer, right?
15:20: It’s like, I can’t do it.
15:22: It’s done by a machine, it’s automated by a machine, and it’s reported on, like, it’s the whole gamut, you know.
15:29: You know, it’s, when I go bowling, David.
15:33: I prefer the bumpers in the lanes, so I don’t toss one down the alley there.
15:39: It’s kind of the same way when you’re working with PHI, you know, you probably don’t, you probably want those safeguards, keeping a door.
15:46: You don’t want the, it’s just any risk you can remove is is risk you want to remove, right?
15:51: Like, and, and ClearDATA makes it very easy to do that without making it untenable to use the environment.
15:57: And it is a balance, right?
15:59: Like, sure, I can make the environment 100% secure by allowing no one to use it, but obviously, you, you’re not gonna run a business that way.
16:06: So it’s that balance between that, and also having, having another entity that is also HITRUST certified that’s been doing it for such a long time, watching our back, certainly helps me sleep at night.
16:18: Like, I makes me feel a lot better because as much as I trust my team, the policies and procedures, everything that we have in place, it’s so great that, like you were talking earlier about a third party assessor validating that you are doing what you’re saying, right?
16:32: I like that’s how I feel about ClearDATA in some ways.
16:34: It’s like, you, you guys kind of are like looking at us going, OK.
16:38: Yeah, that’s OK.
16:40: Which is really good.
16:41: Fun fact, David, we actually do talk about our customers.
16:44: When, when they come up with requests, we have this meeting twice a week with like 30 of us, and we sit around and we contemplate, is this safe?
16:53: Should we advise them a different way?
16:55: Here’s a, here’s a solution that we could do that, you know, because sometimes it’s not just the safeguard, the automation.
17:00: Sometimes it’s configuration, it’s it’s architecture, and that takes discussions.
17:05: Yeah, it’s, it’s definitely not a one size fits all, and you have to understand that nuance to really craft the right solution.
17:12: Like you don’t want to implement something that works for, you know, 90% of your customers and then 10% are offline, right?
17:18: Like that doesn’t work.
17:19: And, and like you’re saying, it’s not always
17:21: the same answer, right?
17:22: Different people have different risk thresholds, different technologies they’re using different ways that they want to do certain things.
17:28: So something that works really great, for, for one type of company may not work for another, right?
17:33: Like my team is, is pretty highly technical.
17:36: We like to do a lot of things ourselves.
17:38: So I know that that has very interesting interactions between our two companies because we want different things than a company that might have less in-house techno technologists that are working towards some of those same solutions.
17:51: Well, I appreciate the dialogue today, David, and thank you sincerely for being a customer for so long.
17:57: We’re we’re excited to continue to work with you and and excited that you have your HITRUST certification over with.
18:05: I know that’s a lot of fun.
18:07: And now you got some weekends back, hopefully.
18:10: Yeah, it’s a slight, it’s slightly calmer, right?
18:13: It moves in a different, in a different tenure.
18:15: It’s been great being a ClearDATA customer.
18:17: You guys have always been very, very supportive over our many years of working together and yeah, I’m happy to talk to you this one.
18:25: All right, thank you, David.