Please ensure Javascript is enabled for purposes of website accessibility

Thought Leadership

Back to All
By ontrak
November 11, 2020

Ontrak’s Ongoing Commitment to Customer Data Security

By: Jeremiah Stone, Ontrak, Inc. Chief Technology Officer

Disruptive and destructive threats continue to be a major problem in the healthcare industry. The healthcare sector saw a whopping 41.4 million patient records breached in 2019, fueled by a 49 percent increase in hacking, according to the Protenus Breach Barometer. At Ontrak™, a leading AI and technology-enabled behavioral healthcare company, we take our customers’ data security very seriously and view it as a foundation of our business. While we realize that our work is never done, we have a comprehensive approach to building and refining our technology platform, processes, and partnerships to provide the highest level of security possible for our health plan customers and their members.

Recently, Ontrak announced it had received HITRUST CHF® certification to further mitigate risk in third-party privacy, security, and compliance. Additionally, the company has partnered with Involta, an award-winning infrastructure provider with deep expertise in healthcare, to support its private cloud and data center services. Both announcements underscore Ontrak’s ongoing commitment to our customers’ data security.


HITRUST is a certifiable Common Security Framework (CSF) that provides a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. HITRUST was developed in partnership with both healthcare and information security experts and has become the gold standard for healthcare companies. HITRUST CSF® is built on International Organization of Standards (ISO) and International Electrotechnical Commission (IEC) standards 27001:2005 and 27002:2005 and incorporates other healthcare information security-related regulations, standards, and frameworks such as ISO, NIST, PCI and HIPAA. HITRUST CSF® ensures a comprehensive set of baseline security controls are in place and provides prescriptive coverage of these standards. Independent verification is critical for healthcare companies. Many companies that comply with the HIPAA rules may still not exhibit secure practices. HITRUST forces and reinforces the most secure practices.

Obtaining HITRUST certification 

Achieving HITRUST certification takes on average 24-30 months and requires a sustained focus and commitment. Because we made it a corporate priority to verify protection of client data and tightly managed the certification process, Ontrak obtained certification in only 18 months. The Ontrak team approached the certification process with the mission of securing our infrastructure and data without affecting productivity and workflow. We dedicated business, technology, and security experts to ensure controls were implemented correctly. The team included a security engineer, network/systems engineer, engineering management, CTO, and legal counsel. Securing buy-in and executive support was critical. We implemented the framework after we wrote policies and created processes to support the policies. We found it important to write the policies first, then create the processes and finally implement with an eye to ensuring ongoing validation of policy integrity. Organizations that try to do policies and processes at the same time run the risk of the network and infrastructure being incorrectly documented and difficult to maintain.

Key takeaways from our HITRUST certification process 


  1. Define goals clearly – Ensure that your goals and scope are well defined to remove ambiguity and help the team focus on outcomes which will deliver tangible value
  2. Staff properly – Staff your team with the right talent and allow them cross-functional access to the organization
  3. Communicate often – Communicate throughout the process to ensure changes don’t impact workflow and productivity
  4. Sustain momentum – Plan, stay on task, and demand accountability or risk significant project overruns or never achieving certification
  5. Secure support – Get and sustain senior executive and organizational support
  6. Document first – Document policies and processes upfront before jumping in.


Partnering for infrastructure security and compliance 

Another important element that underscores Ontrak’s commitment to our customers are the partnerships we put in place to complement our technology infrastructure and strategy. Each partner is measured against the aforementioned HIPAA rules and HITRUST security frameworks. In addition, we are limiting our partnerships to companies who leverage cloud architecture and technologies, allowing for flexible configurations to meet the dynamic needs of our clients and the industry with the ever-changing security landscape. As we continue to grow, our partners need to be technology thought leaders. The healthcare industry is seeing an unprecedented rate of disruption. At Ontrak, we are aligning with partners who are regularly investing in their technology and innovation. In summary, Ontrak recognizes the ongoing and rising security challenges of our customers, and we stand committed to protecting their data and that of their valued members. We will continue to stay at the forefront of security practices, including organizing our operations to support and maintain all existing and new certifications, technologies, and partnerships. Ensuring secure and compliant operations is the entire organization’s job and an effort which must be continually renewed and supported to ensure ongoing operational integrity.

If you would like to learn more about how Ontrak, Inc. can help your organization securely identify, engage, and treat the behavioral health of your most vulnerable populations, we’d love to talk to you.