The healthcare industry is understandably concerned with compliance and certification — there are lives on the line! The people operating various medical machinery should be fully certified to do so, and patients should see fully qualified doctors for the best outcomes. It’s just how they get the care they need.
But beyond ensuring these requirements are met (and that everyone’s hands are clean in the process), robust healthcare organizations need to be considering their approach to cybersecurity and data protection as well. Data stored by businesses in this category is especially appealing to cybercriminals for its dual nature — not only is it highly sensitive, but it’s highly identifiable as well.
Healthcare organizations are home to troves of data that spell value to hackers. Those specifically seeking to do damage might compromise medical records, sell them, or hold them for ransom. It happens rather often.
While many businesses are set up to serve the intersection of cybersecurity and healthcare, there are unfortunately a confusing number of vendors out there, each offering its unique approach to different cybersecurity problems. There aren’t many well-known standards here beyond HIPAA, and it’s easy to feel like a new plan or approach in technology might threaten that compliance.
But those paying attention to this niche know there’s a security standard worth looking for: HITRUST is a framework of cybersecurity best practices that help business organizations protect their data. It’s essentially a roadmap for tightening up a business’ cybersecurity operations, making them more bulletproof and resistant to threats.
This certification is available to any organization that puts in the effort to achieve it. It not only ensures that your business data is stored securely, but also signals to informed consumers that you’ve taken the necessary steps. Here’s how to gain HITRUST certification for your business.
Learn the process.
There are different ways to conduct an audit, but the first step is always for a company to work with its auditor to determine which kind of audit to do. HITRUST CSF is an emergent standard here, but many auditors have their own proprietary auditing processes that might also be suitable options.
But it’s going to take some education at the outset. Suppose your company is moving from HIPAA to HITRUST CSF certification — your executives and employees will want to spend considerable time researching HITRUST and how it pertains to their job descriptions. When everyone is educated on what’s going on, your organization will get a better result.
Define the scope of your project.
The scope is about estimating the time and cost necessary to successfully achieve your certification. To put it as a single question: “how much skin do you have in the game?” Are you going to be able to let employees set some of their usual day-to-day work aside while they come together to improve the organization’s security as a whole? Because that’s what the best HITRUST-certified organizations demonstrate: their people are closely aligned with their technology.
The effort necessary for achieving your HITRUST certification will vary depending on how well you want to do and on which niche you’re focused. There are a total of 19 different HITRUST domains, dozens of controls, and more than 700 potential requirements that might apply to a given company. Which controls apply will vary depending on the sector the company serves and on whether its products are to be HITRUST-certified or not. This is an essential consideration as you calculate scope.
Consider that a cloud platform might be on the hook for several hundred more applicable requirements than a company that doesn’t touch the cloud. Different HITRUST certifications apply to companies in adjacent industries, so make sure you’re fully prepared to scope the one most applicable to you.
Then decide how serious you are about upholding its standards.
Complete the cybersecurity framework.
This is where the paperwork comes in. Your HITRUST certification will require considerable documentation: policies, risk assessments, technical documentation, and any special configurations you might be using. It’s a hefty undertaking at first, but it gets easier each time. The first year may require three to six months to prepare for an audit, but this tightens to approximately two months per audit in subsequent years.
The amount of time it takes to complete the paperwork is especially dependent on the full scope of a company’s audit, which was determined in the previous step.
Validate the CSF with an assessor.
In other words, get a professional to check your work. Assessors aren’t exactly pushovers, and they will want to see evidence for anything you provided in your CSF. They’ll stick to the facts, and their validation will be a big piece of completing the overall HITRUST journey.
This validation can take four to five weeks.
Certify the CSF with the HITRUST Alliance.
This is the lengthiest part of the process, but it’s one of the most important. It will take up to 18 months for HITRUST Alliance lawyers to examine the audit in detail, even involving some back-and-forth on specific line items that they want more information on.
There are more audit examination requests now than ever before because the HITRUST CSF is warming up as a standard vehicle for conducting HIPAA compliance audits. The request volume changed from hundreds to thousands between 2016 and 2017.
This proof of compliance is valid for two years on the expectation that the organization will take steps to uphold it. This precludes them from making significant changes to their security policies or practices, and it means they have to follow rules about reporting security breaches to the relevant federal or state authorities. They’re also expected to be making annual progress on any corrective action that compliance calls for.
But HITRUST certification is a symbol of protected data under secure management. Just as you wouldn’t forget to wash your hands, don’t forget to run a secure system.