Chris Lippi | VP, Products
September 24, 2013

Mashery’s New HITRUST Certification

As a SaaS provider, we are entrusted by our customers and their partners with their valuable data. We take that very seriously; we’d be out of business if we didn’t. Back in our early start-up days we began an effort to build API security into our product development and support processes. In 2011, we invested in becoming the first API management provider to be PCI-DSS certified, allowing credit card data to run through our service on behalf of our customers. This standard requires annual audits to ensure our security practices have not lapsed. We just completed our 2013 audit, and I’m pleased to report that we remain a Level 1 PCI-DSS service provider.

This year, after another rigorous third-party audit, we’ve also added a new certification: HITRUST. As our business has continued to expand with healthcare organizations, we decided to expand our audit coverage to include HITRUST. HITRUST is the most widely adopted security framework within the U.S. healthcare industry. It is designed to give organizations that must maintain HIPAA compliance a common set of standards they can use to assess one another’s security maturity. We’re very pleased to have added HITRUST, because it lets us speak a common language with our healthcare customers and their partners when ensuring that appropriate security controls are in place.

We are the only API management vendor that holds both HITRUST and PCI-DSS certifications. As I’ve written before, other vendors may say that they are “PCI ready,” but “ready” and “certified” are quite different. With Mashery, your information security personnel receive statements of compliance or certification from us and are typically done with their audit of that component. With vendors whose products are merely “ready,” the scope of your audit expands to cover those components, and your info sec team has to approve your architecture in detail prior to launch – which lengthens your launch timeline or can even prevent you from launching your API program at all. On the HIPAA front, almost any technology can be called “HIPAA ready”; as with PCI, that just means you have to expand the scope of your audit to include it. Mashery’s HITRUST certification gets you one very big step closer to HIPAA compliance by proving that our support of the HITRUST framework has been audited and certified. Choosing a solution that is already certified gives you big gains in time to market and lowers both risk and cost.

For more information, please see our website or contact us.