There are plenty of industries in which government intervention plays a necessary role. Unarguably, governments provide for national defense, a platform for international relations and foreign policy, and they ensure a minimum of basic dignity for citizens within their borders. Then — some might say “unarguably” again — there are the sectors in which government intervention lends a less helpful hand. To get specific, today we’re talking about data security in the healthcare industry.
To learn how and why the private sector has raised the bar for security, and how HITRUST, a data security framework, is growing its privacy controls, read on.
A Series of Unfortunate Events by Healthcare 2015
Anybody who works in healthcare, data security, or health information technology knows that 2015 was a monumental failure in terms of cybersecurity. For hackers, it was an all-you-can-mine data buffet. In terms of exposed records, 2015 accounted for more than half of the last ten years’ worth, coming in at over 113 million patient records.
The five biggest breaches of the year were:
- Anthem Inc. – 78.8M exposed records due to a hacking incident
- Premera Blue Cross – 11M exposed records due to a hacking incident
- Excellus Health Plan Inc. – 10M exposed records due to a hacking incident
- UCLA Health – 4.5M exposed records due to a hacking incident
- Medical Informatics Engineering – 4.5M exposed records due to a hacking incident
What this did to the healthcare industry was not just expose records but expose the entire underpinning of patient data security. This sparked an outcry from both citizens and organizations alike. While the Health Insurance Portability and Accountability Act (HIPAA) mandated guidelines for data security, it became clear this was not enough.
NIST CSF: Government Security Framework
Two years prior to this 2015 debauchery, President Obama signed Executive Order 13636, which allowed the National Institute of Standards and Technology (NIST) to create a cybersecurity framework (CSF). By 2014 it was ready to be rolled out for all sectors to use.
This was desperately needed at the time. Outside of the healthcare industry, companies were succumbing to cyberattacks left and right. The number of records exposed across all industries kept climbing year over year:
- 2005 – 157 million exposed records
- 2007 – 446 million exposed records
- 2009 – 498 million exposed records
- 2011 – 419 million exposed records
- 2013 – 613 million exposed records
- 2015 – 781 million exposed records
- 2017 – 1632 million exposed records
Problems with NIST CSF
The idea underpinning NIST CSF was that a comprehensive framework was needed. But the cybersecurity framework didn’t solve this issue. Organizations’ major complaints about the NIST framework were threefold.
- Difficult to assure security – When adopting the NIST CSF model, organizations have to take it on trust that their security controls have actually become more mature and better at protecting patient privacy. There isn’t a certification or assessment that can be run to assure security levels. And as has been demonstrated, just being HIPAA compliant doesn’t mean that your system is secure.
- HIPAA compliance – Continuing on, the framework also doesn’t guarantee HIPAA compliance, even though it is a government-made security framework.
- Implementation – Third-party cybersecurity professionals must be brought in for most healthcare organizations to implement the NIST framework. This is expensive, and the pool of qualified professionals to choose from is small.
These problems were enough for healthcare organizations to shrug their shoulders and hope for a better solution. Even now, in 2019, a report found that only 47% of organizations have adopted and conformed to the NIST security method, which means another solution was needed, perhaps one not created by the government.
The Private Sector of Healthcare
Back in 2015, in the wake of these massive phishing and hacking scandals, a working group of health information systems users, health IT vendors, and medical tech manufacturers came together to share security vulnerabilities and recognize higher standards of security. What followed was the Health Information Technology and Medical Device Integrity and Security Program.
The idea was that the private sector needed to fill the gap where the government couldn’t — cybersecurity. One of the private organizations involved was the Health Information Trust Alliance (HITRUST), which created the community security framework (CSF) catered toward the healthcare industry.
HITRUST Long Before NIST
HITRUST began in 2007 as an early response to the inevitable adoption of electronic health records (EHRs). It’s an organization that collaborates with security experts, technologists, and information system experts in the private and public sectors to develop a comprehensive security framework.
How HITRUST is Adapting For Greater Security
The idea behind HITRUST CSF was to create a framework that could be adapted to whatever healthcare mandate, law, regulation, or technology came into existence. It’s part of the reason why more healthcare organizations are requiring their business associates to be HITRUST certified. With HITECH’s passage in 2009, HIPAA compliance applies to all HIPAA-covered entities and their business associates.
To be HITRUST CSF certified (more on this later) means to be HIPAA compliant, because the regulations are built into the framework. However, it’s important to note that cybersecurity is an ever-widening net that must catch an ever-growing collection of security threats. And with a larger net come more holes to plug.
Thus, HITRUST had to be a flexible system — and that’s exactly what it was made to be. HITRUST updates its framework to adopt more developed privacy controls and to expand its scope for greater security. This has been proven time and again, with adaptations made for the regulations covered in the following sections.
Running through each of these different regulations will show the versatility of the HITRUST security framework.
HIPAA and HITECH Compliance
Beginning with the most fundamental of the security guidelines: HIPAA and HITECH compliance. One of the major goals of HIPAA and HITECH was the adoption of EHRs to make the process of sharing and disclosing protected health information (PHI) more secure and efficient. To be compliant meant to follow the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule:
- Data security – HIPAA established guidelines for how a patient’s health information could be exchanged, altered, and disposed of. The main philosophical argument was that it was a person’s right to have their data secured.
- Safeguards – Also established was how HIPAA compliance would come with administrative, technical, and physical safeguards to ensure e-PHI would be protected. This documented everything from physical security to cybersecurity. What HITRUST does for organizations is to break apart each of the safeguards and regulations into specific security guidelines. As long as each of these guidelines is secure, HIPAA compliance is guaranteed.
- Risk management – HIPAA-covered entities are also required to update their security platforms continually and to run risk analyses. HITRUST allows for this with its self-assessment report and MyCSF software.
General Data Protection Regulation
HITRUST understands that many US-based healthcare organizations have operations and business subsidiaries overseas. Because of this, HITRUST has adopted European data regulations known as the General Data Protection Regulation (GDPR) into its own system.
For global healthcare organizations, having this type of data regulation built into the security framework helps to avoid massive penalties. Whereas in the US, HIPAA fines max out at $1.5 million per year for worst-case scenarios, EU violations can attract fines of €20 million (or 4% of turnover, whichever is greater).
In 2017, HITRUST announced enhancements to its CSF to help smaller organizations improve their risk management, and added nine security controls to its certification process to align with NIST’s cybersecurity framework — ultimately making the government’s framework redundant.
Singapore’s Personal Data Protection Act of 2012
Continuing its expansion of global data security regulations, HITRUST adapted its security regulations to match Asia’s growing demand for secure health information. As global data security regulations arise, healthcare organizations are going to find it increasingly difficult to operate cross-border. However, with HITRUST CSF creating a singular framework that operates across multiple countries, companies can seamlessly continue operations and expand.
California Consumer Privacy Act (CCPA)
California made headlines when the California Consumer Privacy Act of 2018 was announced. The bill is meant to further the privacy protections of California residents. It applies both to businesses operating in California and to businesses operating outside of California that collect or use the data of California residents, the latter of which has drawn the most pushback.
The intent of the act was to give consumers:
- Knowledge of what data is collected
- Knowledge of how that data is sold or disclosed
- The right to say no to the collection or sale of their personal data
- The right to request that a business delete their personal data
- The right to access their personal data
HITRUST, knowing this applies to the healthcare industry, was quick to adapt its current framework to the new data security mandates.
HITRUST Version 10: In The Works
The latest version of HITRUST CSF — version 10 — is announced for release by the fourth quarter of 2019. According to HITRUST, the two major changes to the framework will be:
- Leading practices – HITRUST CSF will now offer the core leading practices for healthcare entities to ensure that they are following data security protocols.
- Threat catalogue – They are also going to map threats to HITRUST CSF controls with a threat catalogue. This will help to address threats that are specific to a particular organization by tailoring the CSF controls. The threat catalogue will address three particular situations:
  - Addressing unique threats that aren’t covered by the standard control baselines of HITRUST CSF
  - Supporting alternative or compensating controls within the framework
  - Allowing the removal of control requirements to adapt the framework cost-effectively to the particular organization’s environment
How Healthcare Organizations Can Utilize HITRUST
Because HITRUST is constantly adopting new security guidelines and upgrading its own framework, when healthcare organizations use HITRUST CSF, they gain all these benefits. Companies can run through three forms of assessments to ensure they have implemented HITRUST properly:
- HITRUST CSF Self-Assessment
- HITRUST CSF Validation
- HITRUST CSF Certification
HITRUST CSF Self-Assessment
The first step is self-assessment. This can be done with a self-assessment report through HITRUST. Or it can be done using MyCSF, HITRUST’s software designed for companies to track their own security system.
Self-assessment pros and cons include:
- Great for identifying large gaps in security that can be fixed cost-effectively
- Can be done by the organization without external support, although it is time-consuming
- Does not ensure that the organization is HIPAA compliant (or compliant with any other regulating body)
HITRUST CSF Validation
Once an organization has performed a self-assessment, the next step is to authorize a CSF assessor (either through HITRUST or a third-party organization) to review the assessment and perform an onsite visit. CSF validation offers:
- An in-depth look at the security controls of the organization
- Insights into any glaring security errors missed during the self-assessment.
Again, this does not ensure that the organization would survive an audit by the Office for Civil Rights (the body in charge of enforcing HIPAA compliance and penalties). The only way to truly be audit-secure is to obtain a HITRUST CSF certification.
HITRUST CSF Certification
Becoming CSF Certified means being compliant with all regulating bodies. To do this, the certification process runs through each security measure and scores compliance on a five-tiered scale from Non-Compliant to Fully Compliant. Each measure is scored against five criteria:
- Are there policies in place to meet security provisions?
- Are there procedures stemming from the policies?
- How are the procedures implemented?
- How are the procedures measured?
- How are they managed?
Proper Implementation: CSF Assessors
For organizations to properly implement the HITRUST framework, working with a certified HITRUST assessor is necessary. The experts at RSI Security are certified in HITRUST and HIPAA compliance, offering the full range of security services healthcare organizations need. RSI Security offers:
- Gap assessment for glaring security risks
- Guided self-assessment
- Methods of CSF validation and certification
- Risk analysis and management programs
- Continuous security monitoring
If your organization needs a security framework upgrade, or if you are a business associate of a HIPAA-compliant entity, implementing HITRUST CSF is the easiest way to secure your e-PHI.
HITRUST CSF and Growing Privacy Controls
As more organizations operate globally, a common set of data security regulations becomes necessary. HITRUST is standardizing this process by growing its privacy controls and offering greater security to organizations inside and outside the US. By becoming CSF certified, you ensure that your cybersecurity is up to date and compliant with all government mandates.
Talk to the experts at RSI Security about becoming CSF certified and how to leverage these privacy controls for your organization.