Healthcare organizations not only have to be HIPAA and HITECH compliant, but they also have to ensure that their business associates are compliant as well. Which makes sense; if electronic health records (EHRs) are being passed from one healthcare organization to another company, the information is still private and needs to be secured. To ensure this is the case, many organizations are requiring business associates to adopt HITRUST’s data and data security framework, while implementing it internally themselves.
To what degree these business associates are mandated to adopt the HITRUST security framework depends on the healthcare organization. Although leveraging the framework to some degree will significantly protect both the healthcare organization and the associate in the case of an audit.
To understand why organizations are leveraging the HITRUST framework and how it can help, read ahead.
HITRUST CSF: What is It?
Before diving into specifics, it’s important to fully grasp what the HITRUST community security framework (CSF) is. HITRUST CSF is a comprehensive framework that adopts the broadest security measures of health information systems and exchanges. It tries to make security a core pillar of the organization, not an obstacle to it.
Why HITRUST CSF Started?
Its creation was spurred by the increasing demand placed on healthcare organizations for better data security measures (from the government). Below is a quick timeline to understand where HITRUST fits into the healthcare landscape:
- 1996 – In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). Its main design was to restructure the healthcare system so that workers would still be covered by their health insurance between jobs. Part of its implementation pushed healthcare organizations to adopt the use of electronic health records, though by 2008, it’s clear this was not a top priority. The insignificant penalties and fines reflected that.
- 2007 – HITRUST was founded as a response to the inevitable adoption of sensitive electronic information in the healthcare industry. Since its inception, it has been shaped by security and information technology experts to assist organizations in data security, risk management, and compliance with all federal regulations.
- 2009 – As a part of the American Recovery and Reinvestment Act, the Health Information Technology for Economic and Clinical Health Act (HITECH) increased penalties and fines for not adopting EHRs. Within five years, by 2014, over 82% of healthcare organizations had adopted electronic health records (74% of which were considered “Certified EHRs”).
- 2015 – A notable report on data breaches in the healthcare sector showed that in 2015, there were more security breaches than in the previous six years combined. 2016 and 2017 reported even high numbers of data security breaches.
It’s clear that as the reports of cybersecurity incidences increases, there’s an ever-demanding need for a solution. Enter data security frameworks.
Why Data Frameworks Are Necessary
There exist multiple data and data security frameworks. Along with the HITRUST framework, there’s NIST cybersecurity framework (CSF) as documented in their special publication SP 800-53 and ISO’s International Electrotechnical Commission (ICE 27000). The question is not only “which one is most appropriate to use,” but even simpler: Why are data frameworks necessary?
To answer this, let’s look at:
- Problems with data security in general
- What data security frameworks offer
- How HITRUST CSF solves the data security problem in healthcare
Problem with Data Security Systems
The problem with data security laws and security systems, in general, is that as soon as a standard is set in place, someone is going to figure out how best to crack that system. Security can be thought of as a living entity. Think of viruses (biological viruses); the idea is that as humans discover an antivirus or a vaccine, newer, stronger versions of the virus are borne out of natural selection.
Similarly, once you create a modern security system — that’s it. It’s a structure that’s impervious to 99.99% of data breaches, with that 0.01% being whatever new cyberattack method will inevitably be concocted to break it. See where the problem lies?
Data security systems are rigid. Instead, you need something flexible and dynamic. Hence where frameworks come in.
What Frameworks Provide
Frameworks are comprehensive skeletons that allow for the dynamic shifts of data security within them. Let’s take, for example, something like cloud computing. Cloud computing has been in commercial use since 2000 but has only entered mainstream lexicon and use in the last ten years. It has tremendous benefits for organizations with large amounts of data and whose data storage needs increase daily.
Healthcare organizations fall under that “heavy use of data” category. Just think about any time you’ve gone in for a checkup. Before you see the doctor, nurses probably fill out between 5-10 forms that are all processed electronically and included in your already-massive health file. And this is just what we see from the patient’s side. There’s also the research side of healthcare organizations, legal side, and the business side.
As healthcare organizations adopt this useful technology — cloud computing — suddenly, there are two new security threats to the system.
- The data that is being stored inside the cloud has to be secured and put under the same restrictions and regulations as if it were stored within the healthcare organization’s network.
- The link between the healthcare organization and the cloud computing network has to be secured to avoid leaving a hole in cybersecurity.
Using a standard security system that doesn’t constantly refresh and update means that both of these areas leave room for a cyber attack. Whereas with a framework, this new technology can be evaluated and positioned within a subset of security regulations. While the organization has never dealt with cloud security before, it has dealt with 1) an open communication channel between networks and 2) the security of data once it has left the organization.
Data Security Laws
The same set of problems arises from data security laws. Laws are stagnant. They’re great for setting standards, detailing how those standards are regulated, and what the penalties are for not maintaining the standard. They’re not great for new technology, unforeseen cyber attacks, and the fact that security can be perceived as an evolving “living” entity.
Returning to the cloud technology example: How would one create a law of security standards in 1999 that applies to cloud computing, a technology not used until 2000?
Apply this to all data security laws: Should laws prevent the use of new communication and information technologies in healthcare? The risk then becomes slowing progress and putting American healthcare systems a step behind the rest of the world.
Focus on the Data, Not the Security
What many healthcare security provisions do instead is regulate the data, instead of the data technologies. In the provisions to HIPAA in 2009, increasing protections were placed on electronic personal health information (e-PHI). By placing emphasis on the data, not the data technologies, you allow organizations to use any technology they want, so long as they protect the data.
Returning one last time to the cloud technology example.
- Healthcare organizations will be fully responsible for the data that is breached in the cloud because it falls under the protection of e-PHI.
- Similarly, opening a link to a cloud network provides an opening to other information in the organization’s system. This means they’re fully responsible for the data that is exposed due to a link breach.
How HITRUST Fits Into This Problem
HITRUST, NIST, ISO — these are all frameworks that try to be the dynamic skeleton that allows for flexibility with new technology and new regulations. HITRUST CSF fits comfortably into the healthcare industry because it was made specifically for healthcare.
HITRUST vs NIST and ISO: What Sets it Apart?
The primary aspect that separates HITRUST from NIST and ISO is that it’s a privately-owned company. NIST is a part of the US Department of Commerce; ISO is an international set of standards headquartered in Switzerland. But what does this mean for the users of its framework?
HITRUST runs a profit when they can offer a useful, successful framework that is adaptable to the current set of security regulations. In other words, they are incentivized to provide a quality framework, because if they don’t, they’ll fail.
That’s just one benefit of HITRUST:
- Adaptability – Because the framework is flexible by design, HITRUST can include regulations and mandates from NIST, ISO, HIPAA, HITECH, and others to create as secure a network as required.
- Scalability – HITRUST operates in the same function for large-scale operations as they do for smaller organizations. The same processes are in place which makes implementation scalable.
You might be thinking that NIST CSF is capable of adapting and scaling to include large organizations as well. And while that’s true, the final benefit of HITRUST is unparalleled.
- Certifiability – Being granted a HITRUST CSF certification comes with a HIPAA and HITECH compliance guarantee. This means you don’t have to wait for an audit to know whether or not your company is missing any security gaps.
Comparing this with NIST CSF, wherein their special publication SP 800-66 under the applicability section, they state: Organizations who are not required to use the NIST framework and choose to do so are not guaranteed to be HIPAA compliant.
Unless you are a brand-new organization, chances are you already have an in-depth security framework in place. Whether it aligns with HIPAA compliance and is flexible enough to adapt to any new mandate is the tough question. When implementing HITRUST CSF, there are three stages:
- Performing a self-assessment of current security system
- Becoming HITRUST CSF validated
- Becoming HITRUST CSF certified
The first step is self-assessment. This is to find large security gaps within your current network. This assessment, although called a “self”-assessment, is most effectively done through a third-party organization that is an authorized HITRUST CSF assessor.
The other option is to use MyCSF, a software program developed by HITRUST Alliance. In this way, you can regulate your security measures by hand to find easy-to-fix security gaps. MyCSF is considered:
- The cheaper option but is time-consuming
- As having a steep learning curve with regards to the UI platform
- Provides a non-validated, non-certified accreditation
- Does not ensure an organization is audit-proof
HITRUST CSF Validation
The second level of accreditation is to use the self-assessment report as evidence of proper security measures — much in the same way the organization would need to prove this to an auditor. To receive CSF validation, a CSF assessor would perform an on-site visit to ensure proper security codes and measures.
- Guarantees that there are no major holes in security that will result in excessive HIPAA fines and fees
- Does not ensure audit-proof
HITRUST CSF Certification
As the most comprehensive coverage, a HITRUST CSF certification ensures that the organization is HIPAA and HITECH compliant. It does this by assessing each security measure and scoring them by:
- Non-Compliant (NC)
- Somewhat Compliant (SC)
- Partially Compliant (PC)
- Mostly Compliant (MC)
- Fully Compliant (FC)
Fully compliant means that there are security policies in place, the policies have procedural practices, and that these practices are implemented, measured, and managed.
How Organizations Can Leverage RSI Security for HITRUST Certification
As an authorized third-party HITRUST CSF assessor, RSI Security experts understand the security framework forward and backward. As they are also trained in HIPAA and HITECH compliance, they are apt to implement the security framework for any healthcare organization.
For business associates of healthcare organizations — more companies are requiring their associates to become HITRUST certified to confirm HIPAA compliance. To remain a step ahead, becoming HITRUST certified through RSI Security takes that problem off your plate.
Forget Audit Anxiety with HITRUST Certification
Healthcare organizations that have been audited to their detriment have found that there is no uniform auditor process. Where some auditors will gloss over areas, others will be incredibly picky. Thus, to be certain you’re safe from a HIPAA audit, the best way is to adopt a security framework that includes each HIPAA and HITECH mandate.
Enter HITRUST security framework, a comprehensive system that updates with each new law or provision. Its proven effectiveness is why healthcare organizations are leveraging the framework for their business associates as well.
HITRUST Alliance. Introduction to the HITRUST Common Security Framework. https://hitrustalliance.net/content/uploads/2014/05/HITRUSTCSF-2014-v6_0-Executive-Summary-and-Introduction-FINAL.pdf
Health IT. Office-based Physician Electronic Health Record Adoption. https://dashboard.healthit.gov/quickstats/pages/physician-ehr-adoption-trends.php
HIPAA Journal. Healthcare Cybersecurity. https://www.hipaajournal.com/category/healthcare-cybersecurity/
NIST. Special Publication 800-53. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
NIST. Special Publication 800-66. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf