If you’re a business owner who operates within the healthcare industry, you know that patients are your top priority. Whether it’s protecting their health or their data, you want to meet a high standard of excellence. Read below for more information on the HITRUST Alliance and how they help protect the healthcare industry.
The Rapidly Evolving Healthcare Industry
Healthcare is a service that everyone will inevitably use at some point. Maintaining the privacy of client data involves not only shielding research and lab results but also Personally Identifiable Information (PII) such as addresses, birthdates, phone numbers, and insurance information. New technologies collect more data from both existing and new patients, which can potentially put them at risk.
For example, labs now have the capability of sequencing the human genome both quickly and cheaply. More and more people are giving companies access to their genetic data in exchange for information on their ancestry, propensity for certain diseases, and diet or exercise recommendations. While this data is extremely useful, it doesn’t come without risks.
When first drafted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) did not foresee the genetic boom that America is experiencing today. Companies are allowed to share and sell patient data to other businesses as long as that information is kept completely anonymous. In Privacy Delusions of Genetic Testing it is clear that client data is not kept safe, “23andMe has sold access to its database to at least 13 outside pharmaceutical firms.” Another company paid 10 million dollars for information on patients suffering from Parkinson’s disease.
These companies argue that the genetic data is completely anonymous, but researchers and scientists are proving that it’s relatively easy to de-anonymize genetic data. You can change your address, phone number, or name, but your genes are completely unique to you and cannot be changed.
This free exchange of data makes it difficult to protect throughout the supply chain. A single partner with weak security is enough for hackers to gain access to your private information.
The fact of the matter is that more healthcare centers are gathering robust data and employing the cloud. In the Healthcare Cloud Computing Market Report published by MarketsandMarkets, “the global market is expected to reach USD 44.93 billion by 2023 from USD 19.46 billion in 2018, at a CAGR of 18.2%.”
Naturally, customers assume that their data is safe when they visit a hospital or health clinic. However, because some third-party vendors do not maintain the highest standards of security, their data is actually at great risk.
Patient Records Breach
In early June of this year, Quest Diagnostics reported that they had discovered a security breach which led to the loss of millions of patients’ records. The culprit? A third-party collections vendor, the American Medical Collection Agency (AMCA).
Tech journal Engadget reports, “AMCA’s payment system was compromised on August 1, 2018 and remained vulnerable through March 30. Exposed information includes patient names, dates of birth, addresses, phone numbers, dates of service, providers and balance information. LabCorp disclosed that about 200,000 people also had their credit card or bank account information stolen.” Quest Diagnostics disclosed that 11.9 million patients’ records were stolen in the data breach, and LabCorp indicated that 7.7 million patients were also affected by this breach.
Due to the nature of cloud services, patient data is only as safe as the weakest defense. Therefore, it is crucial to implement security best practices internally as well as with third-party vendors. Take a look at RSI Security’s 12 Cloud Computing Best Practices to get a better idea of how to protect your company.
One factor that contributes to security breaches is that companies are held to different compliance standards and thereby may not have strong enough defenses to protect client data. Loopholes and bare-bones defenses may seem to save resources or initial effort, but poor security and data management all too often result in a data breach.
What is HITRUST?
The Health Information Trust Alliance (HITRUST) championed the cause of protecting sensitive data. As stated on the HITRUST about page, “Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk for global organizations across all industries and throughout the third-party supply chain.”
They created a “comprehensive information risk management and compliance program to provide an integrated approach that ensures all programs are aligned, maintained and comprehensive to support an organization’s information risk management and compliance objectives.”
To best meet the needs of industries at any business scale, the HITRUST Alliance created a comprehensive security certification that consolidates government and other industry standards into a single overarching security framework. The HITRUST Certified Security Framework certification marks a vendor’s dedication to top-tier and up-to-date security policies.
The Certified Security Framework
The HITRUST Certified Security Framework (CSF) certification is a thorough and rigorous audit tailored to each individual vendor. It is composed of 13 security controls broken down into 42 control objectives, which are further broken down into 135 control specifications. Each element of the audit identifies vulnerabilities, strengths, and potential risks.
Due to the rigors of the audit, the process can take 3-4 months to complete; it may take more time if the company is not adequately prepared for an audit. The HITRUST Alliance recommends that all companies perform an in-depth self-assessment to determine their readiness level.
The certification lasts two years before a vendor is required to again go through a full-spectrum audit. This tactic guarantees that a vendor maintains the highest security standards and meets any changes made to compliance requirements issued by third-party entities or the government.
The HITRUST Alliance works closely with companies to ensure that HITRUST compliance fits their needs. The CSF certification process usually follows a specific set of rigorous controls, but the Alliance does recognize that it can be extremely difficult to match all the security protocols. HITRUST certification allows a vendor to collaborate with an auditor to propose alternate controls that are adequate, even if they are not security best practices.
Why Choose HITRUST Certification
Choosing to become HITRUST certified would be a great benefit to your company. HITRUST lays out why a vendor would choose to become HITRUST certified by indicating, “the CSF integrates and harmonizes requirements from many authoritative sources such as ISO, NIST, PCI, HIPAA, and others, and tailors the requirements to a healthcare organization based on specific organizational, system and regulatory risk factors. The level of integration and prescription in the framework along with the quality and rigor of the CSF Assurance Program and supporting HITRUST products and services makes the CSF the easy choice for healthcare.”
In other words, instead of having to individually audit or assess your security practices for each compliance entity, seeking HITRUST compliance covers industry requirements under an expansive umbrella. It’s like if you went to a superstore to buy everything you need in one place instead of shopping around at multiple stores that may or may not have what you’re looking for.
The University of Pennsylvania Medical Center (UPMC) is a large medical center with over 85,000 employees. They partner with many third-party vendors who manage UPMC’s data. In a Certification Brief about UPMC, HITRUST detailed, “by requiring vendors to become HITRUST CSF certified, UPMC can more effectively manage information risk and trust the security and compliance levels of third-party vendors and know that all organizational and patient data will remain protected.”
It was a logical move for a company worth $19 billion dealing with sensitive patient data gathered from renowned doctors, researchers, and healthcare administrators. Among the reasons they listed for finding a CSF certification so useful:
- Harmonizes and cross-references globally recognized standards, regulations and business requirements, including ISO, NIST, PCI, HIPAA and state laws.
- Scales controls according to organizational type, size and complexity.
- Provides prescriptive requirements to ensure clarity.
- Offers multiple implementation requirement levels as determined by specific risk thresholds.
- Allows for alternate control adoption when necessary.
- Evolves according to user input as well as changing industry and regulatory conditions.
UPMC is confident that, because each vendor was required to complete a CSF certification, patient data is better protected, security confusion is eradicated, the vendor exchange of information is streamlined, and supply-chain risks are reduced.
HITRUST compliance continues to expand and evolve with a changing security landscape. Recently, a new version of HITRUST CSF incorporated the California Consumer Privacy Act, NIST Cybersecurity Framework and additional legislation and standards.
With frequent updates to the CSF certification process and the recertification requirement every two years, HITRUST compliance is arguably one of the best methods of protecting the healthcare industry. That is why we created a HITRUST compliance guide to help you fully understand how it works.
It’s no wonder that many healthcare organizations are both becoming CSF certified and requiring their third-party vendors to do the same. In fact, 81 percent of hospitals and 80 percent of health plans have adopted the certified security framework in some manner.
Small vendors may worry that their organization does not have the resources to afford an audit by the HITRUST Alliance. Fortunately, HITRUST’s dedication to protecting the healthcare industry has led it to help start-ups by bundling and pricing its programs “to align with rapidly-growing small businesses ensuring management and customers that effective information privacy and security programs are a core tenet of the start-up firm’s operations.”
Start-ups are an integral part of not only growing the economy but also bringing new ideas to the table. Take patient data start-up company Embleema for example.
There are many healthcare start-ups to watch that are revolutionizing the industry, such as Embleema, which “recently launched a HIPAA compliant healthcare blockchain network which allows patients to access and share their medical records with researchers and physicians. In addition, the new solution helps patients consolidate their data and even profit from sharing it with different entities such as drug researchers, marketing agencies etc.”
A data-heavy start-up like Embleema would greatly benefit from advanced cybersecurity. Therefore, the HITRUST Alliance created a program geared towards helping start-ups implement gold-standard security practices.
The RightStart program was developed to let start-ups focus on their contributions to the market rather than attempt to put in place temporary or cobbled-together security defenses. HITRUST’s vice president of Assurance Strategy & Community Development, Mike Parisi, adds, “The RightStart Program will ensure dedicated programs managing risk, compliance, security and privacy are foundational practices within a start-up by embedding these security standards into their evolving business models.”
Paubox, an email encryption company led by Hoala Greevy, made this comment about the program: “The RightStart Program gives us the ability to adopt a security framework that will scale with our organization and provide brand name peace of mind to our customers, partners and investors. HITRUST provides us with the tools for secure, compliant growth needed to increase our bottom line. Our customer focus demands we have security, compliance, and risk management in place by design and not as an afterthought.”
The RightStart Program is designed for businesses that meet the following criteria:
- Has been in business for less than three years
- Has fewer than 50 employees
- Has less than $10 million in annual revenue
The program streamlines HITRUST’s services, ensuring that the start-up can achieve CSF certification. The HITRUST Alliance continues to develop and add other programs that expand its ability to safeguard the healthcare industry. On the opposite end from small start-ups are large entities that enlist third-party vendors to manage or protect their data.
Shared Responsibility Program
The HITRUST Alliance created the Shared Responsibility Program to, “remove the guesswork, ambiguity and confusion in understanding the roles and responsibilities between customer and their service provider relating to shared and inherited controls by outlining data governance, information risk management and regulatory compliance requirements in clear, concise language.”
Customers should know who is responsible for their data and how that data is being stored. “There are numerous scenarios when organizations are inheriting or sharing control responsibility, the service provider is responsible for the entire operation of the control; the customer retains responsibility for a portion of the control, while the remaining implementation requirements are inherited by their service provider; or the customer retains all responsibility for the operation of the control.”
So, whether you’re a big business or just starting out, the HITRUST Alliance is dedicated to ensuring the security of your clients’ data. As the healthcare industry continues to evolve, you can meet any standards by working with trusted partners.
Reach out to RSI Security today with your HITRUST certification questions about securing your data and meeting compliance standards.