Companies that broadly occupy the security space might consider a new service they could offer at the intersection of healthcare and cybersecurity: becoming a HITRUST assessor.
All kinds of personal data already live online, and now medical data is being stored there as well because it is genuinely useful to have it accessible. Cynics and realists alike know that anything stored online is fundamentally exposed to cyber attacks.
Organizations in the healthcare space are especially hot targets here. From computers in hospitals to the systems at the pharmacies to the one at the doctor’s office, our sensitive medical information moves around online all the time, and we just generally trust people to take care of it.
But cybersecurity is like a war that plays out daily, so it’s best not to approach it casually. Too many internet users think about this worldwide data network in more peaceful terms, and they end up getting hacked.
The bad guys break cybersecurity laws to steal people’s information, and the more they can snag, the more damage they do. The innocent-but-aware might use password generators and virtual private networks to keep themselves covered, but the only way to keep something truly immune from compromise over the internet is to never put it online in the first place.
But this doesn’t work for the organizations in the healthcare space, which may be located a significant physical distance apart from each other despite performing complementary functions. It should be easy to move data obtained from a hospital visit to a personal physician’s office across town. Entities like these need to shrink that distance as close to zero as possible in order to maintain a quality data exchange, and the conveniences of the internet are too many to ignore in that pursuit.
So medical data has to live online with the bad guys — how do we protect it and what can we do to keep it safe from them once it’s out of our hands?
Simple: work with an organization that got help from a HITRUST assessor to validate and maximize its cybersecurity profile.
What is a HITRUST assessor?
HITRUST cybersecurity framework (CSF) assessors are uniquely qualified to respond to needs pertaining to evaluating an organization’s cybersecurity standards. A number of CSF assessors are approved by HITRUST to carry out high-level assessments associated with the CSF, the de facto framework for security and compliance. This particular framework bridges the gap in requirements between existing standards and regulations, including federal (HIPAA, HITECH), third-party (PCI, COBIT) and government (NIST, FTC).
CSF assessors are on the front lines of assessments, running tests on an organization’s system in pursuit of a HITRUST certification. Their job description revolves around knowing HITRUST standards and being able to validate them in the field. To whatever extent they are your Ghostbusters, they’re busting ghosts related to cybersecurity.
If your organization is already oriented toward cybersecurity, you may find it an easy role to pivot into. The job will see you diagnose and guide corrections on other people’s IT infrastructure. You’ll be collecting a fee while defending information from bad guys at the same time!
How do you become a CSF assessor?
HITRUST requires that an organization pursuing CSF assessor status meet certain criteria. Prospective CSF assessors must complete the CSF assessor application and sign the HITRUST CSF assessor agreement. They have to have policies and procedures in place that uphold employee ethics and integrity. They have to commit to supporting HITRUST services, then must become a trained HITRUST practitioner.
After that, the best CSF assessors maintain their expertise through further participation in HITRUST or in other healthcare or security teams. They don’t just sit on their hands after becoming a certified assessor, but continue to develop the skills that will let them keep that job far into the future.
CSF assessors provide value to healthcare organizations.
Your new customer base is going to lean heavily toward healthcare. This industry has intense standards on how medical data is allowed to be shared and transmitted, so the best healthcare organizations have their standards up to snuff. It’s always in their interest to be compliant because it shows that they’re taking cybersecurity seriously.
HITRUST is a cybersecurity certification that these companies can point to as a source of confidence that they have been free from a certain class of problems over a long period. This compliance isn’t especially easy to get because it requires such a thorough examination. From payment details on a procedure to a medical workup or other diagnosis, the healthcare space is uniquely dependent on transmitting sensitive data online, so there’s clear value in externally signalling that their data is well-protected.
It’s like homeowners advertising the company they use to watch their house. “This home protected by Brinks.”
Before worrying about the question “should my company become a HITRUST assessor?”, you should take an honest stab at a HITRUST self-assessment to see where your organization lands on the scale. A strong self-assessment (that is also an honest one) means you’d probably do well at upholding and confirming this standard for others. If you’re less than compliant, use it as an opportunity to gain insight into how HITRUST processes work and where you could potentially fit in with them.
But any company with good cybersecurity fundamentals could potentially succeed in offering CSF assessment services. With such a strong relevant base of working knowledge, it would only require a willingness to learn a little bit more subject matter, as well as the desire to push back against the efforts of cybercriminals working to breach any data they can.
It might be an interesting side hustle or the beginning of a major business, but there is real work in conducting HITRUST assessments.